2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997,
7 * Copyright (C) Jeremy Allison 2001, 2006.
8 * Copyright (C) Rafal Szczesniak 2002,
9 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
10 * Copyright (C) Simo Sorce 2003.
11 * Copyright (C) Gerald (Jerry) Carter 2005.
12 * Copyright (C) Volker Lendecke 2005.
13 * Copyright (C) Guenther Deschner 2008.
15 * This program is free software; you can redistribute it and/or modify
16 * it under the terms of the GNU General Public License as published by
17 * the Free Software Foundation; either version 3 of the License, or
18 * (at your option) any later version.
20 * This program is distributed in the hope that it will be useful,
21 * but WITHOUT ANY WARRANTY; without even the implied warranty of
22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
23 * GNU General Public License for more details.
25 * You should have received a copy of the GNU General Public License
26 * along with this program; if not, see <http://www.gnu.org/licenses/>.
29 /* This is the implementation of the lsa server code. */
32 #include "../librpc/gen_ndr/srv_lsa.h"
34 #include "../librpc/gen_ndr/netlogon.h"
35 #include "rpc_client/init_lsa.h"
38 #define DBGC_CLASS DBGC_RPC_SRV
40 #define MAX_LOOKUP_SIDS 0x5000 /* 20480 */
44 enum lsa_handle_type { LSA_HANDLE_POLICY_TYPE = 1, LSA_HANDLE_ACCOUNT_TYPE };
50 enum lsa_handle_type type;
51 struct security_descriptor *sd;
54 const struct generic_mapping lsa_account_mapping = {
58 LSA_ACCOUNT_ALL_ACCESS
61 const struct generic_mapping lsa_policy_mapping = {
68 const struct generic_mapping lsa_secret_mapping = {
75 const struct generic_mapping lsa_trusted_domain_mapping = {
76 LSA_TRUSTED_DOMAIN_READ,
77 LSA_TRUSTED_DOMAIN_WRITE,
78 LSA_TRUSTED_DOMAIN_EXECUTE,
79 LSA_TRUSTED_DOMAIN_ALL_ACCESS
82 /***************************************************************************
83 init_lsa_ref_domain_list - adds a domain if it's not already in, returns the index.
84 ***************************************************************************/
86 static int init_lsa_ref_domain_list(TALLOC_CTX *mem_ctx,
87 struct lsa_RefDomainList *ref,
89 struct dom_sid *dom_sid)
93 if (dom_name != NULL) {
94 for (num = 0; num < ref->count; num++) {
95 if (sid_equal(dom_sid, ref->domains[num].sid)) {
103 if (num >= LSA_REF_DOMAIN_LIST_MULTIPLIER) {
104 /* index not found, already at maximum domain limit */
108 ref->count = num + 1;
109 ref->max_size = LSA_REF_DOMAIN_LIST_MULTIPLIER;
111 ref->domains = TALLOC_REALLOC_ARRAY(mem_ctx, ref->domains,
112 struct lsa_DomainInfo, ref->count);
117 ZERO_STRUCT(ref->domains[num]);
119 init_lsa_StringLarge(&ref->domains[num].name, dom_name);
120 ref->domains[num].sid = sid_dup_talloc(mem_ctx, dom_sid);
121 if (!ref->domains[num].sid) {
129 /***************************************************************************
130 initialize a lsa_DomainInfo structure.
131 ***************************************************************************/
133 static void init_dom_query_3(struct lsa_DomainInfo *r,
137 init_lsa_StringLarge(&r->name, name);
141 /***************************************************************************
142 initialize a lsa_DomainInfo structure.
143 ***************************************************************************/
145 static void init_dom_query_5(struct lsa_DomainInfo *r,
149 init_lsa_StringLarge(&r->name, name);
153 /***************************************************************************
154 lookup_lsa_rids. Must be called as root for lookup_name to work.
155 ***************************************************************************/
157 static NTSTATUS lookup_lsa_rids(TALLOC_CTX *mem_ctx,
158 struct lsa_RefDomainList *ref,
159 struct lsa_TranslatedSid *prid,
160 uint32_t num_entries,
161 struct lsa_String *name,
163 uint32_t *pmapped_count)
165 uint32 mapped_count, i;
167 SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
172 for (i = 0; i < num_entries; i++) {
176 const char *full_name;
178 enum lsa_SidType type = SID_NAME_UNKNOWN;
180 /* Split name into domain and user component */
182 /* follow w2k8 behavior and return the builtin domain when no
183 * input has been passed in */
185 if (name[i].string) {
186 full_name = name[i].string;
188 full_name = "BUILTIN";
191 DEBUG(5, ("lookup_lsa_rids: looking up name %s\n", full_name));
193 /* We can ignore the result of lookup_name, it will not touch
194 "type" if it's not successful */
196 lookup_name(mem_ctx, full_name, flags, &domain, NULL,
201 case SID_NAME_DOM_GRP:
202 case SID_NAME_DOMAIN:
204 case SID_NAME_WKN_GRP:
205 DEBUG(5, ("init_lsa_rids: %s found\n", full_name));
206 /* Leave these unchanged */
209 /* Don't hand out anything but the list above */
210 DEBUG(5, ("init_lsa_rids: %s not found\n", full_name));
211 type = SID_NAME_UNKNOWN;
218 if (type != SID_NAME_UNKNOWN) {
219 if (type == SID_NAME_DOMAIN) {
222 sid_split_rid(&sid, &rid);
224 dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &sid);
228 prid[i].sid_type = type;
230 prid[i].sid_index = dom_idx;
233 *pmapped_count = mapped_count;
237 /***************************************************************************
238 lookup_lsa_sids. Must be called as root for lookup_name to work.
239 ***************************************************************************/
241 static NTSTATUS lookup_lsa_sids(TALLOC_CTX *mem_ctx,
242 struct lsa_RefDomainList *ref,
243 struct lsa_TranslatedSid3 *trans_sids,
244 uint32_t num_entries,
245 struct lsa_String *name,
247 uint32 *pmapped_count)
249 uint32 mapped_count, i;
251 SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
256 for (i = 0; i < num_entries; i++) {
260 const char *full_name;
262 enum lsa_SidType type = SID_NAME_UNKNOWN;
266 /* Split name into domain and user component */
268 full_name = name[i].string;
269 if (full_name == NULL) {
270 return NT_STATUS_NO_MEMORY;
273 DEBUG(5, ("init_lsa_sids: looking up name %s\n", full_name));
275 /* We can ignore the result of lookup_name, it will not touch
276 "type" if it's not successful */
278 lookup_name(mem_ctx, full_name, flags, &domain, NULL,
283 case SID_NAME_DOM_GRP:
284 case SID_NAME_DOMAIN:
286 case SID_NAME_WKN_GRP:
287 DEBUG(5, ("init_lsa_sids: %s found\n", full_name));
288 /* Leave these unchanged */
291 /* Don't hand out anything but the list above */
292 DEBUG(5, ("init_lsa_sids: %s not found\n", full_name));
293 type = SID_NAME_UNKNOWN;
300 if (type != SID_NAME_UNKNOWN) {
301 struct dom_sid domain_sid;
302 sid_copy(&domain_sid, &sid);
303 sid_split_rid(&domain_sid, &rid);
304 dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &domain_sid);
308 /* Initialize the lsa_TranslatedSid3 return. */
309 trans_sids[i].sid_type = type;
310 trans_sids[i].sid = sid_dup_talloc(mem_ctx, &sid);
311 trans_sids[i].sid_index = dom_idx;
314 *pmapped_count = mapped_count;
318 static NTSTATUS make_lsa_object_sd(TALLOC_CTX *mem_ctx, struct security_descriptor **sd, size_t *sd_size,
319 const struct generic_mapping *map,
320 struct dom_sid *sid, uint32_t sid_access)
322 struct dom_sid adm_sid;
323 struct security_ace ace[5];
326 struct security_acl *psa = NULL;
328 /* READ|EXECUTE access for Everyone */
330 init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
331 map->generic_execute | map->generic_read, 0);
333 /* Add Full Access 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
335 init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators,
336 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
337 init_sec_ace(&ace[i++], &global_sid_Builtin_Account_Operators,
338 SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
340 /* Add Full Access for Domain Admins */
341 sid_compose(&adm_sid, get_global_sam_sid(), DOMAIN_RID_ADMINS);
342 init_sec_ace(&ace[i++], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
343 map->generic_all, 0);
345 /* If we have a sid, give it some special access */
348 init_sec_ace(&ace[i++], sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
352 if((psa = make_sec_acl(mem_ctx, NT4_ACL_REVISION, i, ace)) == NULL)
353 return NT_STATUS_NO_MEMORY;
355 if((*sd = make_sec_desc(mem_ctx, SECURITY_DESCRIPTOR_REVISION_1,
356 SEC_DESC_SELF_RELATIVE, &adm_sid, NULL, NULL,
357 psa, sd_size)) == NULL)
358 return NT_STATUS_NO_MEMORY;
364 /***************************************************************************
366 ***************************************************************************/
368 NTSTATUS _lsa_OpenPolicy2(struct pipes_struct *p,
369 struct lsa_OpenPolicy2 *r)
371 struct lsa_info *info;
372 struct security_descriptor *psd = NULL;
374 uint32 des_access = r->in.access_mask;
378 /* Work out max allowed. */
379 map_max_allowed_access(p->server_info->ptok,
380 &p->server_info->utok,
383 /* map the generic bits to the lsa policy ones */
384 se_map_generic(&des_access, &lsa_policy_mapping);
386 /* get the generic lsa policy SD until we store it */
387 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size, &lsa_policy_mapping,
389 if (!NT_STATUS_IS_OK(status)) {
393 status = access_check_object(psd, p->server_info->ptok,
395 &acc_granted, "_lsa_OpenPolicy2" );
396 if (!NT_STATUS_IS_OK(status)) {
400 /* associate the domain SID with the (unique) handle. */
401 info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
403 return NT_STATUS_NO_MEMORY;
406 sid_copy(&info->sid,get_global_sam_sid());
407 info->access = acc_granted;
408 info->type = LSA_HANDLE_POLICY_TYPE;
410 /* set up the LSA QUERY INFO response */
411 if (!create_policy_hnd(p, r->out.handle, info))
412 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
417 /***************************************************************************
419 ***************************************************************************/
421 NTSTATUS _lsa_OpenPolicy(struct pipes_struct *p,
422 struct lsa_OpenPolicy *r)
424 struct lsa_OpenPolicy2 o;
426 o.in.system_name = NULL; /* should be ignored */
427 o.in.attr = r->in.attr;
428 o.in.access_mask = r->in.access_mask;
430 o.out.handle = r->out.handle;
432 return _lsa_OpenPolicy2(p, &o);
435 /***************************************************************************
436 _lsa_EnumTrustDom - this needs fixing to do more than return NULL ! JRA.
438 ***************************************************************************/
440 NTSTATUS _lsa_EnumTrustDom(struct pipes_struct *p,
441 struct lsa_EnumTrustDom *r)
443 struct lsa_info *info;
445 struct trustdom_info **domains;
446 struct lsa_DomainInfo *entries;
450 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
451 return NT_STATUS_INVALID_HANDLE;
453 if (info->type != LSA_HANDLE_POLICY_TYPE) {
454 return NT_STATUS_INVALID_HANDLE;
457 /* check if the user has enough rights */
458 if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
459 return NT_STATUS_ACCESS_DENIED;
462 nt_status = pdb_enum_trusteddoms(p->mem_ctx, &count, &domains);
465 if (!NT_STATUS_IS_OK(nt_status)) {
469 entries = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_DomainInfo, count);
471 return NT_STATUS_NO_MEMORY;
474 for (i=0; i<count; i++) {
475 init_lsa_StringLarge(&entries[i].name, domains[i]->name);
476 entries[i].sid = &domains[i]->sid;
479 if (*r->in.resume_handle >= count) {
480 *r->out.resume_handle = -1;
481 TALLOC_FREE(entries);
482 return NT_STATUS_NO_MORE_ENTRIES;
485 /* return the rest, limit by max_size. Note that we
486 use the w2k3 element size value of 60 */
487 r->out.domains->count = count - *r->in.resume_handle;
488 r->out.domains->count = MIN(r->out.domains->count,
489 1+(r->in.max_size/LSA_ENUM_TRUST_DOMAIN_MULTIPLIER));
491 r->out.domains->domains = entries + *r->in.resume_handle;
493 if (r->out.domains->count < count - *r->in.resume_handle) {
494 *r->out.resume_handle = *r->in.resume_handle + r->out.domains->count;
495 return STATUS_MORE_ENTRIES;
498 /* according to MS-LSAD 3.1.4.7.8 output resume handle MUST
499 * always be larger than the previous input resume handle, in
500 * particular when hitting the last query it is vital to set the
501 * resume handle correctly to avoid infinite client loops, as
502 * seen e.g. with Windows XP SP3 when resume handle is 0 and
503 * status is NT_STATUS_OK - gd */
505 *r->out.resume_handle = (uint32_t)-1;
510 #define LSA_AUDIT_NUM_CATEGORIES_NT4 7
511 #define LSA_AUDIT_NUM_CATEGORIES_WIN2K 9
512 #define LSA_AUDIT_NUM_CATEGORIES LSA_AUDIT_NUM_CATEGORIES_NT4
514 /***************************************************************************
516 ***************************************************************************/
518 NTSTATUS _lsa_QueryInfoPolicy(struct pipes_struct *p,
519 struct lsa_QueryInfoPolicy *r)
521 NTSTATUS status = NT_STATUS_OK;
522 struct lsa_info *handle;
523 struct dom_sid domain_sid;
525 struct dom_sid *sid = NULL;
526 union lsa_PolicyInformation *info = NULL;
527 uint32_t acc_required = 0;
529 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
530 return NT_STATUS_INVALID_HANDLE;
532 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
533 return NT_STATUS_INVALID_HANDLE;
536 switch (r->in.level) {
537 case LSA_POLICY_INFO_AUDIT_LOG:
538 case LSA_POLICY_INFO_AUDIT_EVENTS:
539 acc_required = LSA_POLICY_VIEW_AUDIT_INFORMATION;
541 case LSA_POLICY_INFO_DOMAIN:
542 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
544 case LSA_POLICY_INFO_PD:
545 acc_required = LSA_POLICY_GET_PRIVATE_INFORMATION;
547 case LSA_POLICY_INFO_ACCOUNT_DOMAIN:
548 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
550 case LSA_POLICY_INFO_ROLE:
551 case LSA_POLICY_INFO_REPLICA:
552 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
554 case LSA_POLICY_INFO_QUOTA:
555 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
557 case LSA_POLICY_INFO_MOD:
558 case LSA_POLICY_INFO_AUDIT_FULL_SET:
559 /* according to MS-LSAD 3.1.4.4.3 */
560 return NT_STATUS_INVALID_PARAMETER;
561 case LSA_POLICY_INFO_AUDIT_FULL_QUERY:
562 acc_required = LSA_POLICY_VIEW_AUDIT_INFORMATION;
564 case LSA_POLICY_INFO_DNS:
565 case LSA_POLICY_INFO_DNS_INT:
566 case LSA_POLICY_INFO_L_ACCOUNT_DOMAIN:
567 acc_required = LSA_POLICY_VIEW_LOCAL_INFORMATION;
573 if (!(handle->access & acc_required)) {
574 /* return NT_STATUS_ACCESS_DENIED; */
577 info = TALLOC_ZERO_P(p->mem_ctx, union lsa_PolicyInformation);
579 return NT_STATUS_NO_MEMORY;
582 switch (r->in.level) {
583 /* according to MS-LSAD 3.1.4.4.3 */
584 case LSA_POLICY_INFO_MOD:
585 case LSA_POLICY_INFO_AUDIT_FULL_SET:
586 case LSA_POLICY_INFO_AUDIT_FULL_QUERY:
587 return NT_STATUS_INVALID_PARAMETER;
588 case LSA_POLICY_INFO_AUDIT_LOG:
589 info->audit_log.percent_full = 0;
590 info->audit_log.maximum_log_size = 0;
591 info->audit_log.retention_time = 0;
592 info->audit_log.shutdown_in_progress = 0;
593 info->audit_log.time_to_shutdown = 0;
594 info->audit_log.next_audit_record = 0;
595 status = NT_STATUS_OK;
597 case LSA_POLICY_INFO_PD:
598 info->pd.name.string = NULL;
599 status = NT_STATUS_OK;
601 case LSA_POLICY_INFO_REPLICA:
602 info->replica.source.string = NULL;
603 info->replica.account.string = NULL;
604 status = NT_STATUS_OK;
606 case LSA_POLICY_INFO_QUOTA:
607 info->quota.paged_pool = 0;
608 info->quota.non_paged_pool = 0;
609 info->quota.min_wss = 0;
610 info->quota.max_wss = 0;
611 info->quota.pagefile = 0;
612 info->quota.unknown = 0;
613 status = NT_STATUS_OK;
615 case LSA_POLICY_INFO_AUDIT_EVENTS:
618 uint32 policy_def = LSA_AUDIT_POLICY_ALL;
620 /* check if the user has enough rights */
621 if (!(handle->access & LSA_POLICY_VIEW_AUDIT_INFORMATION)) {
622 DEBUG(10,("_lsa_QueryInfoPolicy: insufficient access rights\n"));
623 return NT_STATUS_ACCESS_DENIED;
626 /* fake info: We audit everything. ;) */
628 info->audit_events.auditing_mode = true;
629 info->audit_events.count = LSA_AUDIT_NUM_CATEGORIES;
630 info->audit_events.settings = TALLOC_ZERO_ARRAY(p->mem_ctx,
631 enum lsa_PolicyAuditPolicy,
632 info->audit_events.count);
633 if (!info->audit_events.settings) {
634 return NT_STATUS_NO_MEMORY;
637 info->audit_events.settings[LSA_AUDIT_CATEGORY_ACCOUNT_MANAGEMENT] = policy_def;
638 info->audit_events.settings[LSA_AUDIT_CATEGORY_FILE_AND_OBJECT_ACCESS] = policy_def;
639 info->audit_events.settings[LSA_AUDIT_CATEGORY_LOGON] = policy_def;
640 info->audit_events.settings[LSA_AUDIT_CATEGORY_PROCCESS_TRACKING] = policy_def;
641 info->audit_events.settings[LSA_AUDIT_CATEGORY_SECURITY_POLICY_CHANGES] = policy_def;
642 info->audit_events.settings[LSA_AUDIT_CATEGORY_SYSTEM] = policy_def;
643 info->audit_events.settings[LSA_AUDIT_CATEGORY_USE_OF_USER_RIGHTS] = policy_def;
647 case LSA_POLICY_INFO_DOMAIN:
648 /* check if the user has enough rights */
649 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
650 return NT_STATUS_ACCESS_DENIED;
652 /* Request PolicyPrimaryDomainInformation. */
653 switch (lp_server_role()) {
654 case ROLE_DOMAIN_PDC:
655 case ROLE_DOMAIN_BDC:
656 name = get_global_sam_name();
657 sid = sid_dup_talloc(p->mem_ctx, get_global_sam_sid());
659 return NT_STATUS_NO_MEMORY;
662 case ROLE_DOMAIN_MEMBER:
663 name = lp_workgroup();
664 /* We need to return the Domain SID here. */
665 if (secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) {
666 sid = sid_dup_talloc(p->mem_ctx, &domain_sid);
668 return NT_STATUS_NO_MEMORY;
671 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
674 case ROLE_STANDALONE:
675 name = lp_workgroup();
679 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
681 init_dom_query_3(&info->domain, name, sid);
683 case LSA_POLICY_INFO_ACCOUNT_DOMAIN:
684 /* check if the user has enough rights */
685 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
686 return NT_STATUS_ACCESS_DENIED;
688 /* Request PolicyAccountDomainInformation. */
689 name = get_global_sam_name();
690 sid = get_global_sam_sid();
692 init_dom_query_5(&info->account_domain, name, sid);
694 case LSA_POLICY_INFO_ROLE:
695 /* check if the user has enough rights */
696 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
697 return NT_STATUS_ACCESS_DENIED;
699 switch (lp_server_role()) {
700 case ROLE_DOMAIN_BDC:
702 * only a BDC is a backup controller
703 * of the domain, it controls.
705 info->role.role = LSA_ROLE_BACKUP;
709 * any other role is a primary
710 * of the domain, it controls.
712 info->role.role = LSA_ROLE_PRIMARY;
716 case LSA_POLICY_INFO_DNS:
717 case LSA_POLICY_INFO_DNS_INT: {
718 struct pdb_domain_info *dominfo;
720 if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
721 DEBUG(10, ("Not replying to LSA_POLICY_INFO_DNS "
722 "without ADS passdb backend\n"));
723 status = NT_STATUS_INVALID_INFO_CLASS;
727 dominfo = pdb_get_domain_info(info);
728 if (dominfo == NULL) {
729 status = NT_STATUS_NO_MEMORY;
733 init_lsa_StringLarge(&info->dns.name,
735 init_lsa_StringLarge(&info->dns.dns_domain,
736 dominfo->dns_domain);
737 init_lsa_StringLarge(&info->dns.dns_forest,
738 dominfo->dns_forest);
739 info->dns.domain_guid = dominfo->guid;
740 info->dns.sid = &dominfo->sid;
744 DEBUG(0,("_lsa_QueryInfoPolicy: unknown info level in Lsa Query: %d\n",
746 status = NT_STATUS_INVALID_INFO_CLASS;
755 /***************************************************************************
756 _lsa_QueryInfoPolicy2
757 ***************************************************************************/
759 NTSTATUS _lsa_QueryInfoPolicy2(struct pipes_struct *p,
760 struct lsa_QueryInfoPolicy2 *r2)
762 struct lsa_QueryInfoPolicy r;
764 if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
765 p->rng_fault_state = True;
766 return NT_STATUS_NOT_IMPLEMENTED;
770 r.in.handle = r2->in.handle;
771 r.in.level = r2->in.level;
772 r.out.info = r2->out.info;
774 return _lsa_QueryInfoPolicy(p, &r);
777 /***************************************************************************
778 _lsa_lookup_sids_internal
779 ***************************************************************************/
781 static NTSTATUS _lsa_lookup_sids_internal(struct pipes_struct *p,
783 uint16_t level, /* input */
784 int num_sids, /* input */
785 struct lsa_SidPtr *sid, /* input */
786 struct lsa_RefDomainList **pp_ref, /* input/output */
787 struct lsa_TranslatedName2 **pp_names,/* input/output */
788 uint32_t *pp_mapped_count) /* input/output */
792 const struct dom_sid **sids = NULL;
793 struct lsa_RefDomainList *ref = NULL;
794 uint32 mapped_count = 0;
795 struct lsa_dom_info *dom_infos = NULL;
796 struct lsa_name_info *name_infos = NULL;
797 struct lsa_TranslatedName2 *names = NULL;
799 *pp_mapped_count = 0;
807 sids = TALLOC_ARRAY(p->mem_ctx, const struct dom_sid *, num_sids);
808 ref = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
810 if (sids == NULL || ref == NULL) {
811 return NT_STATUS_NO_MEMORY;
814 for (i=0; i<num_sids; i++) {
815 sids[i] = sid[i].sid;
818 status = lookup_sids(p->mem_ctx, num_sids, sids, level,
819 &dom_infos, &name_infos);
821 if (!NT_STATUS_IS_OK(status)) {
825 names = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName2, num_sids);
827 return NT_STATUS_NO_MEMORY;
830 for (i=0; i<LSA_REF_DOMAIN_LIST_MULTIPLIER; i++) {
832 if (!dom_infos[i].valid) {
836 if (init_lsa_ref_domain_list(mem_ctx, ref,
838 &dom_infos[i].sid) != i) {
839 DEBUG(0, ("Domain %s mentioned twice??\n",
841 return NT_STATUS_INTERNAL_ERROR;
845 for (i=0; i<num_sids; i++) {
846 struct lsa_name_info *name = &name_infos[i];
848 if (name->type == SID_NAME_UNKNOWN) {
851 /* Unknown sids should return the string
852 * representation of the SID. Windows 2003 behaves
853 * rather erratic here, in many cases it returns the
854 * RID as 8 bytes hex, in others it returns the full
855 * SID. We (Jerry/VL) could not figure out which the
856 * hard cases are, so leave it with the SID. */
857 name->name = talloc_asprintf(p->mem_ctx, "%s",
860 if (name->name == NULL) {
861 return NT_STATUS_NO_MEMORY;
867 names[i].sid_type = name->type;
868 names[i].name.string = name->name;
869 names[i].sid_index = name->dom_idx;
870 names[i].unknown = 0;
873 status = NT_STATUS_NONE_MAPPED;
874 if (mapped_count > 0) {
875 status = (mapped_count < num_sids) ?
876 STATUS_SOME_UNMAPPED : NT_STATUS_OK;
879 DEBUG(10, ("num_sids %d, mapped_count %d, status %s\n",
880 num_sids, mapped_count, nt_errstr(status)));
882 *pp_mapped_count = mapped_count;
889 /***************************************************************************
891 ***************************************************************************/
893 NTSTATUS _lsa_LookupSids(struct pipes_struct *p,
894 struct lsa_LookupSids *r)
897 struct lsa_info *handle;
898 int num_sids = r->in.sids->num_sids;
899 uint32 mapped_count = 0;
900 struct lsa_RefDomainList *domains = NULL;
901 struct lsa_TranslatedName *names_out = NULL;
902 struct lsa_TranslatedName2 *names = NULL;
905 if ((r->in.level < 1) || (r->in.level > 6)) {
906 return NT_STATUS_INVALID_PARAMETER;
909 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
910 return NT_STATUS_INVALID_HANDLE;
913 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
914 return NT_STATUS_INVALID_HANDLE;
917 /* check if the user has enough rights */
918 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
919 return NT_STATUS_ACCESS_DENIED;
922 if (num_sids > MAX_LOOKUP_SIDS) {
923 DEBUG(5,("_lsa_LookupSids: limit of %d exceeded, requested %d\n",
924 MAX_LOOKUP_SIDS, num_sids));
925 return NT_STATUS_NONE_MAPPED;
928 status = _lsa_lookup_sids_internal(p,
937 /* Only return here when there is a real error.
938 NT_STATUS_NONE_MAPPED is a special case as it indicates that none of
939 the requested sids could be resolved. Older versions of XP (pre SP3)
940 rely that we return with the string representations of those SIDs in
941 that case. If we don't, XP crashes - Guenther
944 if (NT_STATUS_IS_ERR(status) &&
945 !NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
949 /* Convert from lsa_TranslatedName2 to lsa_TranslatedName */
950 names_out = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName,
953 return NT_STATUS_NO_MEMORY;
956 for (i=0; i<num_sids; i++) {
957 names_out[i].sid_type = names[i].sid_type;
958 names_out[i].name = names[i].name;
959 names_out[i].sid_index = names[i].sid_index;
962 *r->out.domains = domains;
963 r->out.names->count = num_sids;
964 r->out.names->names = names_out;
965 *r->out.count = mapped_count;
970 /***************************************************************************
972 ***************************************************************************/
974 NTSTATUS _lsa_LookupSids2(struct pipes_struct *p,
975 struct lsa_LookupSids2 *r)
978 struct lsa_info *handle;
979 int num_sids = r->in.sids->num_sids;
980 uint32 mapped_count = 0;
981 struct lsa_RefDomainList *domains = NULL;
982 struct lsa_TranslatedName2 *names = NULL;
983 bool check_policy = true;
986 case NDR_LSA_LOOKUPSIDS3:
987 check_policy = false;
989 case NDR_LSA_LOOKUPSIDS2:
994 if ((r->in.level < 1) || (r->in.level > 6)) {
995 return NT_STATUS_INVALID_PARAMETER;
999 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1000 return NT_STATUS_INVALID_HANDLE;
1003 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1004 return NT_STATUS_INVALID_HANDLE;
1007 /* check if the user has enough rights */
1008 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1009 return NT_STATUS_ACCESS_DENIED;
1013 if (num_sids > MAX_LOOKUP_SIDS) {
1014 DEBUG(5,("_lsa_LookupSids2: limit of %d exceeded, requested %d\n",
1015 MAX_LOOKUP_SIDS, num_sids));
1016 return NT_STATUS_NONE_MAPPED;
1019 status = _lsa_lookup_sids_internal(p,
1028 *r->out.domains = domains;
1029 r->out.names->count = num_sids;
1030 r->out.names->names = names;
1031 *r->out.count = mapped_count;
1036 /***************************************************************************
1038 ***************************************************************************/
1040 NTSTATUS _lsa_LookupSids3(struct pipes_struct *p,
1041 struct lsa_LookupSids3 *r)
1043 struct lsa_LookupSids2 q;
1045 /* No policy handle on this call. Restrict to crypto connections. */
1046 if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
1047 DEBUG(0,("_lsa_LookupSids3: client %s not using schannel for netlogon\n",
1048 get_remote_machine_name() ));
1049 return NT_STATUS_INVALID_PARAMETER;
1053 q.in.sids = r->in.sids;
1054 q.in.level = r->in.level;
1055 q.in.lookup_options = r->in.lookup_options;
1056 q.in.client_revision = r->in.client_revision;
1057 q.in.names = r->in.names;
1058 q.in.count = r->in.count;
1060 q.out.domains = r->out.domains;
1061 q.out.names = r->out.names;
1062 q.out.count = r->out.count;
1064 return _lsa_LookupSids2(p, &q);
1067 /***************************************************************************
1068 ***************************************************************************/
1070 static int lsa_lookup_level_to_flags(enum lsa_LookupNamesLevel level)
1075 case LSA_LOOKUP_NAMES_ALL: /* 1 */
1076 flags = LOOKUP_NAME_ALL;
1078 case LSA_LOOKUP_NAMES_DOMAINS_ONLY: /* 2 */
1079 flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_REMOTE|LOOKUP_NAME_ISOLATED;
1081 case LSA_LOOKUP_NAMES_PRIMARY_DOMAIN_ONLY: /* 3 */
1082 flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_ISOLATED;
1084 case LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY: /* 4 */
1085 case LSA_LOOKUP_NAMES_FOREST_TRUSTS_ONLY: /* 5 */
1086 case LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2: /* 6 */
1087 case LSA_LOOKUP_NAMES_RODC_REFERRAL_TO_FULL_DC: /* 7 */
1089 flags = LOOKUP_NAME_NONE;
1096 /***************************************************************************
1098 ***************************************************************************/
1100 NTSTATUS _lsa_LookupNames(struct pipes_struct *p,
1101 struct lsa_LookupNames *r)
1103 NTSTATUS status = NT_STATUS_NONE_MAPPED;
1104 struct lsa_info *handle;
1105 struct lsa_String *names = r->in.names;
1106 uint32 num_entries = r->in.num_names;
1107 struct lsa_RefDomainList *domains = NULL;
1108 struct lsa_TranslatedSid *rids = NULL;
1109 uint32 mapped_count = 0;
1112 if (num_entries > MAX_LOOKUP_SIDS) {
1113 num_entries = MAX_LOOKUP_SIDS;
1114 DEBUG(5,("_lsa_LookupNames: truncating name lookup list to %d\n",
1118 flags = lsa_lookup_level_to_flags(r->in.level);
1120 domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
1122 return NT_STATUS_NO_MEMORY;
1126 rids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid,
1129 return NT_STATUS_NO_MEMORY;
1135 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1136 status = NT_STATUS_INVALID_HANDLE;
1140 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1141 return NT_STATUS_INVALID_HANDLE;
1144 /* check if the user has enough rights */
1145 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1146 status = NT_STATUS_ACCESS_DENIED;
1150 /* set up the LSA Lookup RIDs response */
1151 become_root(); /* lookup_name can require root privs */
1152 status = lookup_lsa_rids(p->mem_ctx, domains, rids, num_entries,
1153 names, flags, &mapped_count);
1158 if (NT_STATUS_IS_OK(status) && (num_entries != 0) ) {
1159 if (mapped_count == 0) {
1160 status = NT_STATUS_NONE_MAPPED;
1161 } else if (mapped_count != num_entries) {
1162 status = STATUS_SOME_UNMAPPED;
1166 *r->out.count = mapped_count;
1167 *r->out.domains = domains;
1168 r->out.sids->sids = rids;
1169 r->out.sids->count = num_entries;
1174 /***************************************************************************
1176 ***************************************************************************/
1178 NTSTATUS _lsa_LookupNames2(struct pipes_struct *p,
1179 struct lsa_LookupNames2 *r)
1182 struct lsa_LookupNames q;
1183 struct lsa_TransSidArray2 *sid_array2 = r->in.sids;
1184 struct lsa_TransSidArray *sid_array = NULL;
1187 sid_array = TALLOC_ZERO_P(p->mem_ctx, struct lsa_TransSidArray);
1189 return NT_STATUS_NO_MEMORY;
1192 q.in.handle = r->in.handle;
1193 q.in.num_names = r->in.num_names;
1194 q.in.names = r->in.names;
1195 q.in.level = r->in.level;
1196 q.in.sids = sid_array;
1197 q.in.count = r->in.count;
1198 /* we do not know what this is for */
1199 /* = r->in.unknown1; */
1200 /* = r->in.unknown2; */
1202 q.out.domains = r->out.domains;
1203 q.out.sids = sid_array;
1204 q.out.count = r->out.count;
1206 status = _lsa_LookupNames(p, &q);
1208 sid_array2->count = sid_array->count;
1209 sid_array2->sids = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedSid2, sid_array->count);
1210 if (!sid_array2->sids) {
1211 return NT_STATUS_NO_MEMORY;
1214 for (i=0; i<sid_array->count; i++) {
1215 sid_array2->sids[i].sid_type = sid_array->sids[i].sid_type;
1216 sid_array2->sids[i].rid = sid_array->sids[i].rid;
1217 sid_array2->sids[i].sid_index = sid_array->sids[i].sid_index;
1218 sid_array2->sids[i].unknown = 0;
1221 r->out.sids = sid_array2;
1226 /***************************************************************************
1228 ***************************************************************************/
1230 NTSTATUS _lsa_LookupNames3(struct pipes_struct *p,
1231 struct lsa_LookupNames3 *r)
1234 struct lsa_info *handle;
1235 struct lsa_String *names = r->in.names;
1236 uint32 num_entries = r->in.num_names;
1237 struct lsa_RefDomainList *domains = NULL;
1238 struct lsa_TranslatedSid3 *trans_sids = NULL;
1239 uint32 mapped_count = 0;
1241 bool check_policy = true;
1244 case NDR_LSA_LOOKUPNAMES4:
1245 check_policy = false;
1247 case NDR_LSA_LOOKUPNAMES3:
1249 check_policy = true;
1252 if (num_entries > MAX_LOOKUP_SIDS) {
1253 num_entries = MAX_LOOKUP_SIDS;
1254 DEBUG(5,("_lsa_LookupNames3: truncating name lookup list to %d\n", num_entries));
1257 /* Probably the lookup_level is some sort of bitmask. */
1258 if (r->in.level == 1) {
1259 flags = LOOKUP_NAME_ALL;
1262 domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
1264 return NT_STATUS_NO_MEMORY;
1268 trans_sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid3,
1271 return NT_STATUS_NO_MEMORY;
1279 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1280 status = NT_STATUS_INVALID_HANDLE;
1284 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1285 return NT_STATUS_INVALID_HANDLE;
1288 /* check if the user has enough rights */
1289 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1290 status = NT_STATUS_ACCESS_DENIED;
1295 /* set up the LSA Lookup SIDs response */
1296 become_root(); /* lookup_name can require root privs */
1297 status = lookup_lsa_sids(p->mem_ctx, domains, trans_sids, num_entries,
1298 names, flags, &mapped_count);
1303 if (NT_STATUS_IS_OK(status)) {
1304 if (mapped_count == 0) {
1305 status = NT_STATUS_NONE_MAPPED;
1306 } else if (mapped_count != num_entries) {
1307 status = STATUS_SOME_UNMAPPED;
1311 *r->out.count = mapped_count;
1312 *r->out.domains = domains;
1313 r->out.sids->sids = trans_sids;
1314 r->out.sids->count = num_entries;
1319 /***************************************************************************
1321 ***************************************************************************/
1323 NTSTATUS _lsa_LookupNames4(struct pipes_struct *p,
1324 struct lsa_LookupNames4 *r)
1326 struct lsa_LookupNames3 q;
1328 /* No policy handle on this call. Restrict to crypto connections. */
1329 if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
1330 DEBUG(0,("_lsa_lookup_names4: client %s not using schannel for netlogon\n",
1331 get_remote_machine_name() ));
1332 return NT_STATUS_INVALID_PARAMETER;
1336 q.in.num_names = r->in.num_names;
1337 q.in.names = r->in.names;
1338 q.in.level = r->in.level;
1339 q.in.lookup_options = r->in.lookup_options;
1340 q.in.client_revision = r->in.client_revision;
1341 q.in.sids = r->in.sids;
1342 q.in.count = r->in.count;
1344 q.out.domains = r->out.domains;
1345 q.out.sids = r->out.sids;
1346 q.out.count = r->out.count;
1348 return _lsa_LookupNames3(p, &q);
1351 /***************************************************************************
1352 _lsa_close. Also weird - needs to check if lsa handle is correct. JRA.
1353 ***************************************************************************/
1355 NTSTATUS _lsa_Close(struct pipes_struct *p, struct lsa_Close *r)
1357 if (!find_policy_by_hnd(p, r->in.handle, NULL)) {
1358 return NT_STATUS_INVALID_HANDLE;
1361 close_policy_hnd(p, r->in.handle);
1362 ZERO_STRUCTP(r->out.handle);
1363 return NT_STATUS_OK;
1366 /***************************************************************************
1367 ***************************************************************************/
1369 NTSTATUS _lsa_OpenSecret(struct pipes_struct *p, struct lsa_OpenSecret *r)
1371 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1374 /***************************************************************************
1375 ***************************************************************************/
1377 NTSTATUS _lsa_OpenTrustedDomain(struct pipes_struct *p,
1378 struct lsa_OpenTrustedDomain *r)
1380 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1383 /***************************************************************************
1384 ***************************************************************************/
1386 NTSTATUS _lsa_CreateTrustedDomain(struct pipes_struct *p,
1387 struct lsa_CreateTrustedDomain *r)
1389 return NT_STATUS_ACCESS_DENIED;
1392 /***************************************************************************
1393 ***************************************************************************/
1395 NTSTATUS _lsa_CreateSecret(struct pipes_struct *p, struct lsa_CreateSecret *r)
1397 return NT_STATUS_ACCESS_DENIED;
1400 /***************************************************************************
1401 ***************************************************************************/
1403 NTSTATUS _lsa_SetSecret(struct pipes_struct *p, struct lsa_SetSecret *r)
1405 return NT_STATUS_ACCESS_DENIED;
1408 /***************************************************************************
1410 ***************************************************************************/
1412 NTSTATUS _lsa_DeleteObject(struct pipes_struct *p,
1413 struct lsa_DeleteObject *r)
1416 struct lsa_info *info = NULL;
1418 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
1419 return NT_STATUS_INVALID_HANDLE;
1422 if (!(info->access & SEC_STD_DELETE)) {
1423 return NT_STATUS_ACCESS_DENIED;
1426 switch (info->type) {
1427 case LSA_HANDLE_ACCOUNT_TYPE:
1428 status = privilege_delete_account(&info->sid);
1429 if (!NT_STATUS_IS_OK(status)) {
1430 DEBUG(10,("_lsa_DeleteObject: privilege_delete_account gave: %s\n",
1431 nt_errstr(status)));
1436 return NT_STATUS_INVALID_HANDLE;
1439 close_policy_hnd(p, r->in.handle);
1440 ZERO_STRUCTP(r->out.handle);
1445 /***************************************************************************
1447 ***************************************************************************/
1449 NTSTATUS _lsa_EnumPrivs(struct pipes_struct *p,
1450 struct lsa_EnumPrivs *r)
1452 struct lsa_info *handle;
1454 uint32 enum_context = *r->in.resume_handle;
1455 int num_privs = num_privileges_in_short_list();
1456 struct lsa_PrivEntry *entries = NULL;
1457 struct lsa_LUIDAttribute luid;
1459 /* remember that the enum_context starts at 0 and not 1 */
1461 if ( enum_context >= num_privs )
1462 return NT_STATUS_NO_MORE_ENTRIES;
1464 DEBUG(10,("_lsa_EnumPrivs: enum_context:%d total entries:%d\n",
1465 enum_context, num_privs));
1467 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1468 return NT_STATUS_INVALID_HANDLE;
1470 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1471 return NT_STATUS_INVALID_HANDLE;
1474 /* check if the user has enough rights
1475 I don't know if it's the right one. not documented. */
1477 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1478 return NT_STATUS_ACCESS_DENIED;
1481 entries = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_PrivEntry, num_privs);
1483 return NT_STATUS_NO_MEMORY;
1489 for (i = 0; i < num_privs; i++) {
1490 if( i < enum_context) {
1492 init_lsa_StringLarge(&entries[i].name, NULL);
1494 entries[i].luid.low = 0;
1495 entries[i].luid.high = 0;
1498 init_lsa_StringLarge(&entries[i].name, privs[i].name);
1500 entries[i].luid.low = get_privilege_luid( &privs[i].privilege_mask );
1501 entries[i].luid.high = 0;
1505 enum_context = num_privs;
1507 *r->out.resume_handle = enum_context;
1508 r->out.privs->count = num_privs;
1509 r->out.privs->privs = entries;
1511 return NT_STATUS_OK;
1514 /***************************************************************************
1515 _lsa_LookupPrivDisplayName
1516 ***************************************************************************/
1518 NTSTATUS _lsa_LookupPrivDisplayName(struct pipes_struct *p,
1519 struct lsa_LookupPrivDisplayName *r)
1521 struct lsa_info *handle;
1522 const char *description;
1523 struct lsa_StringLarge *lsa_name;
1525 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1526 return NT_STATUS_INVALID_HANDLE;
1528 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1529 return NT_STATUS_INVALID_HANDLE;
1532 /* check if the user has enough rights */
1535 * I don't know if it's the right one. not documented.
1537 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1538 return NT_STATUS_ACCESS_DENIED;
1540 DEBUG(10,("_lsa_LookupPrivDisplayName: name = %s\n", r->in.name->string));
1542 description = get_privilege_dispname(r->in.name->string);
1544 DEBUG(10,("_lsa_LookupPrivDisplayName: doesn't exist\n"));
1545 return NT_STATUS_NO_SUCH_PRIVILEGE;
1548 DEBUG(10,("_lsa_LookupPrivDisplayName: display name = %s\n", description));
1550 lsa_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_StringLarge);
1552 return NT_STATUS_NO_MEMORY;
1555 init_lsa_StringLarge(lsa_name, description);
1557 *r->out.returned_language_id = r->in.language_id;
1558 *r->out.disp_name = lsa_name;
1560 return NT_STATUS_OK;
1563 /***************************************************************************
1565 ***************************************************************************/
1567 NTSTATUS _lsa_EnumAccounts(struct pipes_struct *p,
1568 struct lsa_EnumAccounts *r)
1570 struct lsa_info *handle;
1571 struct dom_sid *sid_list;
1572 int i, j, num_entries;
1574 struct lsa_SidPtr *sids = NULL;
1576 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1577 return NT_STATUS_INVALID_HANDLE;
1579 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1580 return NT_STATUS_INVALID_HANDLE;
1583 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1584 return NT_STATUS_ACCESS_DENIED;
1589 /* The only way we can currently find out all the SIDs that have been
1590 privileged is to scan all privileges */
1592 status = privilege_enumerate_accounts(&sid_list, &num_entries);
1593 if (!NT_STATUS_IS_OK(status)) {
1597 if (*r->in.resume_handle >= num_entries) {
1598 return NT_STATUS_NO_MORE_ENTRIES;
1601 if (num_entries - *r->in.resume_handle) {
1602 sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_SidPtr,
1603 num_entries - *r->in.resume_handle);
1605 talloc_free(sid_list);
1606 return NT_STATUS_NO_MEMORY;
1609 for (i = *r->in.resume_handle, j = 0; i < num_entries; i++, j++) {
1610 sids[j].sid = sid_dup_talloc(p->mem_ctx, &sid_list[i]);
1612 talloc_free(sid_list);
1613 return NT_STATUS_NO_MEMORY;
1618 talloc_free(sid_list);
1620 *r->out.resume_handle = num_entries;
1621 r->out.sids->num_sids = num_entries;
1622 r->out.sids->sids = sids;
1624 return NT_STATUS_OK;
1627 /***************************************************************************
1629 ***************************************************************************/
1631 NTSTATUS _lsa_GetUserName(struct pipes_struct *p,
1632 struct lsa_GetUserName *r)
1634 const char *username, *domname;
1635 struct lsa_String *account_name = NULL;
1636 struct lsa_String *authority_name = NULL;
1638 if (r->in.account_name &&
1639 *r->in.account_name) {
1640 return NT_STATUS_INVALID_PARAMETER;
1643 if (r->in.authority_name &&
1644 *r->in.authority_name) {
1645 return NT_STATUS_INVALID_PARAMETER;
1648 if (p->server_info->guest) {
1650 * I'm 99% sure this is not the right place to do this,
1651 * global_sid_Anonymous should probably be put into the token
1652 * instead of the guest id -- vl
1654 if (!lookup_sid(p->mem_ctx, &global_sid_Anonymous,
1655 &domname, &username, NULL)) {
1656 return NT_STATUS_NO_MEMORY;
1659 username = p->server_info->sanitized_username;
1660 domname = p->server_info->info3->base.domain.string;
1663 account_name = TALLOC_P(p->mem_ctx, struct lsa_String);
1664 if (!account_name) {
1665 return NT_STATUS_NO_MEMORY;
1667 init_lsa_String(account_name, username);
1669 if (r->out.authority_name) {
1670 authority_name = TALLOC_P(p->mem_ctx, struct lsa_String);
1671 if (!authority_name) {
1672 return NT_STATUS_NO_MEMORY;
1674 init_lsa_String(authority_name, domname);
1677 *r->out.account_name = account_name;
1678 if (r->out.authority_name) {
1679 *r->out.authority_name = authority_name;
1682 return NT_STATUS_OK;
1685 /***************************************************************************
1687 ***************************************************************************/
1689 NTSTATUS _lsa_CreateAccount(struct pipes_struct *p,
1690 struct lsa_CreateAccount *r)
1693 struct lsa_info *handle;
1694 struct lsa_info *info;
1695 uint32_t acc_granted;
1696 struct security_descriptor *psd;
1699 /* find the connection policy handle. */
1700 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1701 return NT_STATUS_INVALID_HANDLE;
1703 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1704 return NT_STATUS_INVALID_HANDLE;
1707 /* check if the user has enough rights */
1709 if (!(handle->access & LSA_POLICY_CREATE_ACCOUNT)) {
1710 return NT_STATUS_ACCESS_DENIED;
1713 /* Work out max allowed. */
1714 map_max_allowed_access(p->server_info->ptok,
1715 &p->server_info->utok,
1716 &r->in.access_mask);
1718 /* map the generic bits to the lsa policy ones */
1719 se_map_generic(&r->in.access_mask, &lsa_account_mapping);
1721 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
1722 &lsa_account_mapping,
1723 r->in.sid, LSA_POLICY_ALL_ACCESS);
1724 if (!NT_STATUS_IS_OK(status)) {
1728 status = access_check_object(psd, p->server_info->ptok,
1729 NULL, 0, r->in.access_mask,
1730 &acc_granted, "_lsa_CreateAccount");
1731 if (!NT_STATUS_IS_OK(status)) {
1735 if ( is_privileged_sid( r->in.sid ) )
1736 return NT_STATUS_OBJECT_NAME_COLLISION;
1738 /* associate the user/group SID with the (unique) handle. */
1740 info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
1742 return NT_STATUS_NO_MEMORY;
1745 info->sid = *r->in.sid;
1746 info->access = acc_granted;
1747 info->type = LSA_HANDLE_ACCOUNT_TYPE;
1749 /* get a (unique) handle. open a policy on it. */
1750 if (!create_policy_hnd(p, r->out.acct_handle, info))
1751 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1753 return privilege_create_account( &info->sid );
1756 /***************************************************************************
1758 ***************************************************************************/
1760 NTSTATUS _lsa_OpenAccount(struct pipes_struct *p,
1761 struct lsa_OpenAccount *r)
1763 struct lsa_info *handle;
1764 struct lsa_info *info;
1765 struct security_descriptor *psd = NULL;
1767 uint32_t des_access = r->in.access_mask;
1768 uint32_t acc_granted;
1771 /* find the connection policy handle. */
1772 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1773 return NT_STATUS_INVALID_HANDLE;
1775 if (handle->type != LSA_HANDLE_POLICY_TYPE) {
1776 return NT_STATUS_INVALID_HANDLE;
1779 /* des_access is for the account here, not the policy
1780 * handle - so don't check against policy handle. */
1782 /* Work out max allowed. */
1783 map_max_allowed_access(p->server_info->ptok,
1784 &p->server_info->utok,
1787 /* map the generic bits to the lsa account ones */
1788 se_map_generic(&des_access, &lsa_account_mapping);
1790 /* get the generic lsa account SD until we store it */
1791 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
1792 &lsa_account_mapping,
1793 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
1794 if (!NT_STATUS_IS_OK(status)) {
1798 status = access_check_object(psd, p->server_info->ptok,
1799 NULL, 0, des_access,
1800 &acc_granted, "_lsa_OpenAccount" );
1801 if (!NT_STATUS_IS_OK(status)) {
1805 /* TODO: Fis the parsing routine before reenabling this check! */
1807 if (!lookup_sid(&handle->sid, dom_name, name, &type))
1808 return NT_STATUS_ACCESS_DENIED;
1810 /* associate the user/group SID with the (unique) handle. */
1811 info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
1813 return NT_STATUS_NO_MEMORY;
1816 info->sid = *r->in.sid;
1817 info->access = acc_granted;
1818 info->type = LSA_HANDLE_ACCOUNT_TYPE;
1820 /* get a (unique) handle. open a policy on it. */
1821 if (!create_policy_hnd(p, r->out.acct_handle, info))
1822 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1824 return NT_STATUS_OK;
1827 /***************************************************************************
1828 _lsa_EnumPrivsAccount
1829 For a given SID, enumerate all the privilege this account has.
1830 ***************************************************************************/
1832 NTSTATUS _lsa_EnumPrivsAccount(struct pipes_struct *p,
1833 struct lsa_EnumPrivsAccount *r)
1835 NTSTATUS status = NT_STATUS_OK;
1836 struct lsa_info *info=NULL;
1838 PRIVILEGE_SET privileges;
1839 struct lsa_PrivilegeSet *priv_set = NULL;
1840 struct lsa_LUIDAttribute *luid_attrs = NULL;
1843 /* find the connection policy handle. */
1844 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1845 return NT_STATUS_INVALID_HANDLE;
1847 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1848 return NT_STATUS_INVALID_HANDLE;
1851 if (!(info->access & LSA_ACCOUNT_VIEW))
1852 return NT_STATUS_ACCESS_DENIED;
1854 get_privileges_for_sids(&mask, &info->sid, 1);
1856 privilege_set_init( &privileges );
1858 priv_set = TALLOC_ZERO_P(p->mem_ctx, struct lsa_PrivilegeSet);
1860 status = NT_STATUS_NO_MEMORY;
1864 if ( se_priv_to_privilege_set( &privileges, &mask ) ) {
1866 DEBUG(10,("_lsa_EnumPrivsAccount: %s has %d privileges\n",
1867 sid_string_dbg(&info->sid),
1870 luid_attrs = TALLOC_ZERO_ARRAY(p->mem_ctx,
1871 struct lsa_LUIDAttribute,
1874 status = NT_STATUS_NO_MEMORY;
1878 for (i=0; i<privileges.count; i++) {
1879 luid_attrs[i] = privileges.set[i];
1882 priv_set->count = privileges.count;
1883 priv_set->unknown = 0;
1884 priv_set->set = luid_attrs;
1887 priv_set->count = 0;
1888 priv_set->unknown = 0;
1889 priv_set->set = NULL;
1892 *r->out.privs = priv_set;
1895 privilege_set_free( &privileges );
1900 /***************************************************************************
1901 _lsa_GetSystemAccessAccount
1902 ***************************************************************************/
1904 NTSTATUS _lsa_GetSystemAccessAccount(struct pipes_struct *p,
1905 struct lsa_GetSystemAccessAccount *r)
1908 struct lsa_info *info = NULL;
1909 struct lsa_EnumPrivsAccount e;
1910 struct lsa_PrivilegeSet *privset;
1912 /* find the connection policy handle. */
1914 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1915 return NT_STATUS_INVALID_HANDLE;
1917 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1918 return NT_STATUS_INVALID_HANDLE;
1921 if (!(info->access & LSA_ACCOUNT_VIEW))
1922 return NT_STATUS_ACCESS_DENIED;
1924 privset = talloc_zero(p->mem_ctx, struct lsa_PrivilegeSet);
1926 return NT_STATUS_NO_MEMORY;
1929 e.in.handle = r->in.handle;
1930 e.out.privs = &privset;
1932 status = _lsa_EnumPrivsAccount(p, &e);
1933 if (!NT_STATUS_IS_OK(status)) {
1934 DEBUG(10,("_lsa_GetSystemAccessAccount: "
1935 "failed to call _lsa_EnumPrivsAccount(): %s\n",
1936 nt_errstr(status)));
1940 /* Samba4 would iterate over the privset to merge the policy mode bits,
1941 * not sure samba3 can do the same here, so just return what we did in
1945 0x01 -> Log on locally
1946 0x02 -> Access this computer from network
1947 0x04 -> Log on as a batch job
1948 0x10 -> Log on as a service
1950 they can be ORed together
1953 *r->out.access_mask = LSA_POLICY_MODE_INTERACTIVE |
1954 LSA_POLICY_MODE_NETWORK;
1956 return NT_STATUS_OK;
1959 /***************************************************************************
1960 update the systemaccount information
1961 ***************************************************************************/
1963 NTSTATUS _lsa_SetSystemAccessAccount(struct pipes_struct *p,
1964 struct lsa_SetSystemAccessAccount *r)
1966 struct lsa_info *info=NULL;
1969 /* find the connection policy handle. */
1970 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1971 return NT_STATUS_INVALID_HANDLE;
1973 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
1974 return NT_STATUS_INVALID_HANDLE;
1977 if (!(info->access & LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS)) {
1978 return NT_STATUS_ACCESS_DENIED;
1981 if (!pdb_getgrsid(&map, info->sid))
1982 return NT_STATUS_NO_SUCH_GROUP;
1984 return pdb_update_group_mapping_entry(&map);
1987 /***************************************************************************
1988 _lsa_AddPrivilegesToAccount
1989 For a given SID, add some privileges.
1990 ***************************************************************************/
1992 NTSTATUS _lsa_AddPrivilegesToAccount(struct pipes_struct *p,
1993 struct lsa_AddPrivilegesToAccount *r)
1995 struct lsa_info *info = NULL;
1997 struct lsa_PrivilegeSet *set = NULL;
1999 /* find the connection policy handle. */
2000 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2001 return NT_STATUS_INVALID_HANDLE;
2003 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
2004 return NT_STATUS_INVALID_HANDLE;
2007 if (!(info->access & LSA_ACCOUNT_ADJUST_PRIVILEGES)) {
2008 return NT_STATUS_ACCESS_DENIED;
2012 if ( !privilege_set_to_se_priv( &mask, set ) )
2013 return NT_STATUS_NO_SUCH_PRIVILEGE;
2015 if ( !grant_privilege( &info->sid, &mask ) ) {
2016 DEBUG(3,("_lsa_AddPrivilegesToAccount: grant_privilege(%s) failed!\n",
2017 sid_string_dbg(&info->sid) ));
2018 DEBUG(3,("Privilege mask: 0x%llx\n", (unsigned long long)mask));
2019 return NT_STATUS_NO_SUCH_PRIVILEGE;
2022 return NT_STATUS_OK;
2025 /***************************************************************************
2026 _lsa_RemovePrivilegesFromAccount
2027 For a given SID, remove some privileges.
2028 ***************************************************************************/
2030 NTSTATUS _lsa_RemovePrivilegesFromAccount(struct pipes_struct *p,
2031 struct lsa_RemovePrivilegesFromAccount *r)
2033 struct lsa_info *info = NULL;
2035 struct lsa_PrivilegeSet *set = NULL;
2037 /* find the connection policy handle. */
2038 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2039 return NT_STATUS_INVALID_HANDLE;
2041 if (info->type != LSA_HANDLE_ACCOUNT_TYPE) {
2042 return NT_STATUS_INVALID_HANDLE;
2045 if (!(info->access & LSA_ACCOUNT_ADJUST_PRIVILEGES)) {
2046 return NT_STATUS_ACCESS_DENIED;
2051 if ( !privilege_set_to_se_priv( &mask, set ) )
2052 return NT_STATUS_NO_SUCH_PRIVILEGE;
2054 if ( !revoke_privilege( &info->sid, &mask ) ) {
2055 DEBUG(3,("_lsa_RemovePrivilegesFromAccount: revoke_privilege(%s) failed!\n",
2056 sid_string_dbg(&info->sid) ));
2057 DEBUG(3,("Privilege mask: 0x%llx\n", (unsigned long long)mask));
2058 return NT_STATUS_NO_SUCH_PRIVILEGE;
2061 return NT_STATUS_OK;
2064 /***************************************************************************
2066 ***************************************************************************/
2068 NTSTATUS _lsa_LookupPrivName(struct pipes_struct *p,
2069 struct lsa_LookupPrivName *r)
2071 struct lsa_info *info = NULL;
2073 struct lsa_StringLarge *lsa_name;
2075 /* find the connection policy handle. */
2076 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
2077 return NT_STATUS_INVALID_HANDLE;
2080 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2081 return NT_STATUS_INVALID_HANDLE;
2084 if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION)) {
2085 return NT_STATUS_ACCESS_DENIED;
2088 name = luid_to_privilege_name(r->in.luid);
2090 return NT_STATUS_NO_SUCH_PRIVILEGE;
2093 lsa_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_StringLarge);
2095 return NT_STATUS_NO_MEMORY;
2098 lsa_name->string = talloc_strdup(lsa_name, name);
2099 if (!lsa_name->string) {
2100 TALLOC_FREE(lsa_name);
2101 return NT_STATUS_NO_MEMORY;
2104 *r->out.name = lsa_name;
2106 return NT_STATUS_OK;
2109 /***************************************************************************
2111 ***************************************************************************/
2113 NTSTATUS _lsa_QuerySecurity(struct pipes_struct *p,
2114 struct lsa_QuerySecurity *r)
2116 struct lsa_info *handle=NULL;
2117 struct security_descriptor *psd = NULL;
2121 /* find the connection policy handle. */
2122 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
2123 return NT_STATUS_INVALID_HANDLE;
2125 switch (handle->type) {
2126 case LSA_HANDLE_POLICY_TYPE:
2127 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2128 &lsa_policy_mapping, NULL, 0);
2130 case LSA_HANDLE_ACCOUNT_TYPE:
2131 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2132 &lsa_account_mapping,
2133 &handle->sid, LSA_ACCOUNT_ALL_ACCESS);
2136 status = NT_STATUS_INVALID_HANDLE;
2140 if (!NT_STATUS_IS_OK(status)) {
2144 *r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd);
2145 if (!*r->out.sdbuf) {
2146 return NT_STATUS_NO_MEMORY;
2152 /***************************************************************************
2153 _lsa_AddAccountRights
2154 ***************************************************************************/
2156 NTSTATUS _lsa_AddAccountRights(struct pipes_struct *p,
2157 struct lsa_AddAccountRights *r)
2159 struct lsa_info *info = NULL;
2161 uint32_t acc_granted = 0;
2162 struct security_descriptor *psd = NULL;
2167 /* find the connection policy handle. */
2168 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2169 return NT_STATUS_INVALID_HANDLE;
2171 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2172 return NT_STATUS_INVALID_HANDLE;
2175 /* get the generic lsa account SD for this SID until we store it */
2176 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2177 &lsa_account_mapping,
2178 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
2179 if (!NT_STATUS_IS_OK(status)) {
2184 * From the MS DOCs. If the sid doesn't exist, ask for LSA_POLICY_CREATE_ACCOUNT
2185 * on the policy handle. If it does, ask for
2186 * LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW,
2187 * on the account sid. We don't check here so just use the latter. JRA.
2190 status = access_check_object(psd, p->server_info->ptok,
2192 LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW,
2193 &acc_granted, "_lsa_AddAccountRights" );
2194 if (!NT_STATUS_IS_OK(status)) {
2198 /* according to an NT4 PDC, you can add privileges to SIDs even without
2199 call_lsa_create_account() first. And you can use any arbitrary SID. */
2201 sid_copy( &sid, r->in.sid );
2203 for ( i=0; i < r->in.rights->count; i++ ) {
2205 const char *privname = r->in.rights->names[i].string;
2207 /* only try to add non-null strings */
2212 if ( !grant_privilege_by_name( &sid, privname ) ) {
2213 DEBUG(2,("_lsa_AddAccountRights: Failed to add privilege [%s]\n",
2215 return NT_STATUS_NO_SUCH_PRIVILEGE;
2219 return NT_STATUS_OK;
2222 /***************************************************************************
2223 _lsa_RemoveAccountRights
2224 ***************************************************************************/
2226 NTSTATUS _lsa_RemoveAccountRights(struct pipes_struct *p,
2227 struct lsa_RemoveAccountRights *r)
2229 struct lsa_info *info = NULL;
2231 struct security_descriptor *psd = NULL;
2234 const char *privname = NULL;
2235 uint32_t acc_granted = 0;
2238 /* find the connection policy handle. */
2239 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2240 return NT_STATUS_INVALID_HANDLE;
2242 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2243 return NT_STATUS_INVALID_HANDLE;
2246 /* get the generic lsa account SD for this SID until we store it */
2247 status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
2248 &lsa_account_mapping,
2249 r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
2250 if (!NT_STATUS_IS_OK(status)) {
2255 * From the MS DOCs. We need
2256 * LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW
2257 * and DELETE on the account sid.
2260 status = access_check_object(psd, p->server_info->ptok,
2262 LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|
2263 LSA_ACCOUNT_VIEW|SEC_STD_DELETE,
2264 &acc_granted, "_lsa_RemoveAccountRights");
2265 if (!NT_STATUS_IS_OK(status)) {
2269 sid_copy( &sid, r->in.sid );
2271 if ( r->in.remove_all ) {
2272 if ( !revoke_all_privileges( &sid ) )
2273 return NT_STATUS_ACCESS_DENIED;
2275 return NT_STATUS_OK;
2278 for ( i=0; i < r->in.rights->count; i++ ) {
2280 privname = r->in.rights->names[i].string;
2282 /* only try to add non-null strings */
2287 if ( !revoke_privilege_by_name( &sid, privname ) ) {
2288 DEBUG(2,("_lsa_RemoveAccountRights: Failed to revoke privilege [%s]\n",
2290 return NT_STATUS_NO_SUCH_PRIVILEGE;
2294 return NT_STATUS_OK;
2297 /*******************************************************************
2298 ********************************************************************/
2300 static NTSTATUS init_lsa_right_set(TALLOC_CTX *mem_ctx,
2301 struct lsa_RightSet *r,
2302 PRIVILEGE_SET *privileges)
2305 const char *privname;
2306 const char **privname_array = NULL;
2309 for (i=0; i<privileges->count; i++) {
2311 privname = luid_to_privilege_name(&privileges->set[i].luid);
2313 if (!add_string_to_array(mem_ctx, privname,
2314 &privname_array, &num_priv)) {
2315 return NT_STATUS_NO_MEMORY;
2322 r->names = TALLOC_ZERO_ARRAY(mem_ctx, struct lsa_StringLarge,
2325 return NT_STATUS_NO_MEMORY;
2328 for (i=0; i<num_priv; i++) {
2329 init_lsa_StringLarge(&r->names[i], privname_array[i]);
2332 r->count = num_priv;
2335 return NT_STATUS_OK;
2338 /***************************************************************************
2339 _lsa_EnumAccountRights
2340 ***************************************************************************/
2342 NTSTATUS _lsa_EnumAccountRights(struct pipes_struct *p,
2343 struct lsa_EnumAccountRights *r)
2346 struct lsa_info *info = NULL;
2348 PRIVILEGE_SET privileges;
2351 /* find the connection policy handle. */
2353 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2354 return NT_STATUS_INVALID_HANDLE;
2356 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2357 return NT_STATUS_INVALID_HANDLE;
2360 if (!(info->access & LSA_ACCOUNT_VIEW)) {
2361 return NT_STATUS_ACCESS_DENIED;
2364 /* according to an NT4 PDC, you can add privileges to SIDs even without
2365 call_lsa_create_account() first. And you can use any arbitrary SID. */
2367 sid_copy( &sid, r->in.sid );
2369 /* according to MS-LSAD 3.1.4.5.10 it is required to return
2370 * NT_STATUS_OBJECT_NAME_NOT_FOUND if the account sid was not found in
2371 * the lsa database */
2373 if (!get_privileges_for_sids(&mask, &sid, 1)) {
2374 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2377 status = privilege_set_init(&privileges);
2378 if (!NT_STATUS_IS_OK(status)) {
2382 se_priv_to_privilege_set(&privileges, &mask);
2384 DEBUG(10,("_lsa_EnumAccountRights: %s has %d privileges\n",
2385 sid_string_dbg(&sid), privileges.count));
2387 status = init_lsa_right_set(p->mem_ctx, r->out.rights, &privileges);
2389 privilege_set_free( &privileges );
2394 /***************************************************************************
2395 _lsa_LookupPrivValue
2396 ***************************************************************************/
2398 NTSTATUS _lsa_LookupPrivValue(struct pipes_struct *p,
2399 struct lsa_LookupPrivValue *r)
2401 struct lsa_info *info = NULL;
2402 const char *name = NULL;
2404 /* find the connection policy handle. */
2406 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2407 return NT_STATUS_INVALID_HANDLE;
2409 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2410 return NT_STATUS_INVALID_HANDLE;
2413 if (!(info->access & LSA_POLICY_LOOKUP_NAMES))
2414 return NT_STATUS_ACCESS_DENIED;
2416 name = r->in.name->string;
2418 DEBUG(10,("_lsa_lookup_priv_value: name = %s\n", name));
2420 r->out.luid->low = sec_privilege_id(name);
2421 r->out.luid->high = 0;
2422 if (r->out.luid->low == -1) {
2423 return NT_STATUS_NO_SUCH_PRIVILEGE;
2425 return NT_STATUS_OK;
2428 /***************************************************************************
2429 _lsa_EnumAccountsWithUserRight
2430 ***************************************************************************/
2432 NTSTATUS _lsa_EnumAccountsWithUserRight(struct pipes_struct *p,
2433 struct lsa_EnumAccountsWithUserRight *r)
2436 struct lsa_info *info = NULL;
2437 struct dom_sid *sids = NULL;
2442 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
2443 return NT_STATUS_INVALID_HANDLE;
2446 if (info->type != LSA_HANDLE_POLICY_TYPE) {
2447 return NT_STATUS_INVALID_HANDLE;
2450 if (!(info->access & LSA_POLICY_LOOKUP_NAMES)) {
2451 return NT_STATUS_ACCESS_DENIED;
2454 if (!r->in.name || !r->in.name->string) {
2455 return NT_STATUS_NO_SUCH_PRIVILEGE;
2458 if (!se_priv_from_name(r->in.name->string, &mask)) {
2459 return NT_STATUS_NO_SUCH_PRIVILEGE;
2462 status = privilege_enum_sids(&mask, p->mem_ctx,
2464 if (!NT_STATUS_IS_OK(status)) {
2468 r->out.sids->num_sids = num_sids;
2469 r->out.sids->sids = talloc_array(p->mem_ctx, struct lsa_SidPtr,
2470 r->out.sids->num_sids);
2472 for (i=0; i < r->out.sids->num_sids; i++) {
2473 r->out.sids->sids[i].sid = sid_dup_talloc(r->out.sids->sids,
2475 if (!r->out.sids->sids[i].sid) {
2476 TALLOC_FREE(r->out.sids->sids);
2477 r->out.sids->num_sids = 0;
2478 return NT_STATUS_NO_MEMORY;
2482 return NT_STATUS_OK;
2485 /***************************************************************************
2487 ***************************************************************************/
2489 NTSTATUS _lsa_Delete(struct pipes_struct *p,
2490 struct lsa_Delete *r)
2492 return NT_STATUS_NOT_SUPPORTED;
2496 * From here on the server routines are just dummy ones to make smbd link with
2497 * librpc/gen_ndr/srv_lsa.c. These routines are actually never called, we are
2498 * pulling the server stubs across one by one.
2501 NTSTATUS _lsa_SetSecObj(struct pipes_struct *p, struct lsa_SetSecObj *r)
2503 p->rng_fault_state = True;
2504 return NT_STATUS_NOT_IMPLEMENTED;
2507 NTSTATUS _lsa_ChangePassword(struct pipes_struct *p,
2508 struct lsa_ChangePassword *r)
2510 p->rng_fault_state = True;
2511 return NT_STATUS_NOT_IMPLEMENTED;
2514 NTSTATUS _lsa_SetInfoPolicy(struct pipes_struct *p, struct lsa_SetInfoPolicy *r)
2516 p->rng_fault_state = True;
2517 return NT_STATUS_NOT_IMPLEMENTED;
2520 NTSTATUS _lsa_ClearAuditLog(struct pipes_struct *p, struct lsa_ClearAuditLog *r)
2522 p->rng_fault_state = True;
2523 return NT_STATUS_NOT_IMPLEMENTED;
2526 NTSTATUS _lsa_GetQuotasForAccount(struct pipes_struct *p,
2527 struct lsa_GetQuotasForAccount *r)
2529 p->rng_fault_state = True;
2530 return NT_STATUS_NOT_IMPLEMENTED;
2533 NTSTATUS _lsa_SetQuotasForAccount(struct pipes_struct *p,
2534 struct lsa_SetQuotasForAccount *r)
2536 p->rng_fault_state = True;
2537 return NT_STATUS_NOT_IMPLEMENTED;
2540 NTSTATUS _lsa_QueryTrustedDomainInfo(struct pipes_struct *p,
2541 struct lsa_QueryTrustedDomainInfo *r)
2543 p->rng_fault_state = True;
2544 return NT_STATUS_NOT_IMPLEMENTED;
2547 NTSTATUS _lsa_SetInformationTrustedDomain(struct pipes_struct *p,
2548 struct lsa_SetInformationTrustedDomain *r)
2550 p->rng_fault_state = True;
2551 return NT_STATUS_NOT_IMPLEMENTED;
2554 NTSTATUS _lsa_QuerySecret(struct pipes_struct *p, struct lsa_QuerySecret *r)
2556 p->rng_fault_state = True;
2557 return NT_STATUS_NOT_IMPLEMENTED;
2560 NTSTATUS _lsa_QueryTrustedDomainInfoBySid(struct pipes_struct *p,
2561 struct lsa_QueryTrustedDomainInfoBySid *r)
2563 p->rng_fault_state = True;
2564 return NT_STATUS_NOT_IMPLEMENTED;
2567 NTSTATUS _lsa_SetTrustedDomainInfo(struct pipes_struct *p,
2568 struct lsa_SetTrustedDomainInfo *r)
2570 p->rng_fault_state = True;
2571 return NT_STATUS_NOT_IMPLEMENTED;
2574 NTSTATUS _lsa_DeleteTrustedDomain(struct pipes_struct *p,
2575 struct lsa_DeleteTrustedDomain *r)
2577 p->rng_fault_state = True;
2578 return NT_STATUS_NOT_IMPLEMENTED;
2581 NTSTATUS _lsa_StorePrivateData(struct pipes_struct *p,
2582 struct lsa_StorePrivateData *r)
2584 p->rng_fault_state = True;
2585 return NT_STATUS_NOT_IMPLEMENTED;
2588 NTSTATUS _lsa_RetrievePrivateData(struct pipes_struct *p,
2589 struct lsa_RetrievePrivateData *r)
2591 p->rng_fault_state = True;
2592 return NT_STATUS_NOT_IMPLEMENTED;
2595 NTSTATUS _lsa_SetInfoPolicy2(struct pipes_struct *p,
2596 struct lsa_SetInfoPolicy2 *r)
2598 p->rng_fault_state = True;
2599 return NT_STATUS_NOT_IMPLEMENTED;
2602 NTSTATUS _lsa_QueryTrustedDomainInfoByName(struct pipes_struct *p,
2603 struct lsa_QueryTrustedDomainInfoByName *r)
2605 p->rng_fault_state = True;
2606 return NT_STATUS_NOT_IMPLEMENTED;
2609 NTSTATUS _lsa_SetTrustedDomainInfoByName(struct pipes_struct *p,
2610 struct lsa_SetTrustedDomainInfoByName *r)
2612 p->rng_fault_state = True;
2613 return NT_STATUS_NOT_IMPLEMENTED;
2616 NTSTATUS _lsa_EnumTrustedDomainsEx(struct pipes_struct *p,
2617 struct lsa_EnumTrustedDomainsEx *r)
2619 p->rng_fault_state = True;
2620 return NT_STATUS_NOT_IMPLEMENTED;
2623 NTSTATUS _lsa_CreateTrustedDomainEx(struct pipes_struct *p,
2624 struct lsa_CreateTrustedDomainEx *r)
2626 p->rng_fault_state = True;
2627 return NT_STATUS_NOT_IMPLEMENTED;
2630 NTSTATUS _lsa_CloseTrustedDomainEx(struct pipes_struct *p,
2631 struct lsa_CloseTrustedDomainEx *r)
2633 p->rng_fault_state = True;
2634 return NT_STATUS_NOT_IMPLEMENTED;
2637 NTSTATUS _lsa_QueryDomainInformationPolicy(struct pipes_struct *p,
2638 struct lsa_QueryDomainInformationPolicy *r)
2640 p->rng_fault_state = True;
2641 return NT_STATUS_NOT_IMPLEMENTED;
2644 NTSTATUS _lsa_SetDomainInformationPolicy(struct pipes_struct *p,
2645 struct lsa_SetDomainInformationPolicy *r)
2647 p->rng_fault_state = True;
2648 return NT_STATUS_NOT_IMPLEMENTED;
2651 NTSTATUS _lsa_OpenTrustedDomainByName(struct pipes_struct *p,
2652 struct lsa_OpenTrustedDomainByName *r)
2654 p->rng_fault_state = True;
2655 return NT_STATUS_NOT_IMPLEMENTED;
2658 NTSTATUS _lsa_TestCall(struct pipes_struct *p, struct lsa_TestCall *r)
2660 p->rng_fault_state = True;
2661 return NT_STATUS_NOT_IMPLEMENTED;
2664 NTSTATUS _lsa_CreateTrustedDomainEx2(struct pipes_struct *p,
2665 struct lsa_CreateTrustedDomainEx2 *r)
2667 p->rng_fault_state = True;
2668 return NT_STATUS_NOT_IMPLEMENTED;
2671 NTSTATUS _lsa_CREDRWRITE(struct pipes_struct *p, struct lsa_CREDRWRITE *r)
2673 p->rng_fault_state = True;
2674 return NT_STATUS_NOT_IMPLEMENTED;
2677 NTSTATUS _lsa_CREDRREAD(struct pipes_struct *p, struct lsa_CREDRREAD *r)
2679 p->rng_fault_state = True;
2680 return NT_STATUS_NOT_IMPLEMENTED;
2683 NTSTATUS _lsa_CREDRENUMERATE(struct pipes_struct *p, struct lsa_CREDRENUMERATE *r)
2685 p->rng_fault_state = True;
2686 return NT_STATUS_NOT_IMPLEMENTED;
2689 NTSTATUS _lsa_CREDRWRITEDOMAINCREDENTIALS(struct pipes_struct *p,
2690 struct lsa_CREDRWRITEDOMAINCREDENTIALS *r)
2692 p->rng_fault_state = True;
2693 return NT_STATUS_NOT_IMPLEMENTED;
2696 NTSTATUS _lsa_CREDRREADDOMAINCREDENTIALS(struct pipes_struct *p,
2697 struct lsa_CREDRREADDOMAINCREDENTIALS *r)
2699 p->rng_fault_state = True;
2700 return NT_STATUS_NOT_IMPLEMENTED;
2703 NTSTATUS _lsa_CREDRDELETE(struct pipes_struct *p, struct lsa_CREDRDELETE *r)
2705 p->rng_fault_state = True;
2706 return NT_STATUS_NOT_IMPLEMENTED;
2709 NTSTATUS _lsa_CREDRGETTARGETINFO(struct pipes_struct *p,
2710 struct lsa_CREDRGETTARGETINFO *r)
2712 p->rng_fault_state = True;
2713 return NT_STATUS_NOT_IMPLEMENTED;
2716 NTSTATUS _lsa_CREDRPROFILELOADED(struct pipes_struct *p,
2717 struct lsa_CREDRPROFILELOADED *r)
2719 p->rng_fault_state = True;
2720 return NT_STATUS_NOT_IMPLEMENTED;
2723 NTSTATUS _lsa_CREDRGETSESSIONTYPES(struct pipes_struct *p,
2724 struct lsa_CREDRGETSESSIONTYPES *r)
2726 p->rng_fault_state = True;
2727 return NT_STATUS_NOT_IMPLEMENTED;
2730 NTSTATUS _lsa_LSARREGISTERAUDITEVENT(struct pipes_struct *p,
2731 struct lsa_LSARREGISTERAUDITEVENT *r)
2733 p->rng_fault_state = True;
2734 return NT_STATUS_NOT_IMPLEMENTED;
2737 NTSTATUS _lsa_LSARGENAUDITEVENT(struct pipes_struct *p,
2738 struct lsa_LSARGENAUDITEVENT *r)
2740 p->rng_fault_state = True;
2741 return NT_STATUS_NOT_IMPLEMENTED;
2744 NTSTATUS _lsa_LSARUNREGISTERAUDITEVENT(struct pipes_struct *p,
2745 struct lsa_LSARUNREGISTERAUDITEVENT *r)
2747 p->rng_fault_state = True;
2748 return NT_STATUS_NOT_IMPLEMENTED;
2751 NTSTATUS _lsa_lsaRQueryForestTrustInformation(struct pipes_struct *p,
2752 struct lsa_lsaRQueryForestTrustInformation *r)
2754 p->rng_fault_state = True;
2755 return NT_STATUS_NOT_IMPLEMENTED;
2758 NTSTATUS _lsa_lsaRSetForestTrustInformation(struct pipes_struct *p,
2759 struct lsa_lsaRSetForestTrustInformation *r)
2761 p->rng_fault_state = True;
2762 return NT_STATUS_NOT_IMPLEMENTED;
2765 NTSTATUS _lsa_CREDRRENAME(struct pipes_struct *p,
2766 struct lsa_CREDRRENAME *r)
2768 p->rng_fault_state = True;
2769 return NT_STATUS_NOT_IMPLEMENTED;
2772 NTSTATUS _lsa_LSAROPENPOLICYSCE(struct pipes_struct *p,
2773 struct lsa_LSAROPENPOLICYSCE *r)
2775 p->rng_fault_state = True;
2776 return NT_STATUS_NOT_IMPLEMENTED;
2779 NTSTATUS _lsa_LSARADTREGISTERSECURITYEVENTSOURCE(struct pipes_struct *p,
2780 struct lsa_LSARADTREGISTERSECURITYEVENTSOURCE *r)
2782 p->rng_fault_state = True;
2783 return NT_STATUS_NOT_IMPLEMENTED;
2786 NTSTATUS _lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE(struct pipes_struct *p,
2787 struct lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE *r)
2789 p->rng_fault_state = True;
2790 return NT_STATUS_NOT_IMPLEMENTED;
2793 NTSTATUS _lsa_LSARADTREPORTSECURITYEVENT(struct pipes_struct *p,
2794 struct lsa_LSARADTREPORTSECURITYEVENT *r)
2796 p->rng_fault_state = True;
2797 return NT_STATUS_NOT_IMPLEMENTED;