2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997,
7 * Copyright (C) Jeremy Allison 2001, 2006.
8 * Copyright (C) Rafal Szczesniak 2002,
9 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
10 * Copyright (C) Simo Sorce 2003.
11 * Copyright (C) Gerald (Jerry) Carter 2005.
12 * Copyright (C) Volker Lendecke 2005.
13 * Copyright (C) Guenther Deschner 2008.
15 * This program is free software; you can redistribute it and/or modify
16 * it under the terms of the GNU General Public License as published by
17 * the Free Software Foundation; either version 3 of the License, or
18 * (at your option) any later version.
20 * This program is distributed in the hope that it will be useful,
21 * but WITHOUT ANY WARRANTY; without even the implied warranty of
22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
23 * GNU General Public License for more details.
25 * You should have received a copy of the GNU General Public License
26 * along with this program; if not, see <http://www.gnu.org/licenses/>.
29 /* This is the implementation of the lsa server code. */
34 #define DBGC_CLASS DBGC_RPC_SRV
43 const struct generic_mapping lsa_generic_mapping = {
50 /***************************************************************************
51 init_lsa_ref_domain_list - adds a domain if it's not already in, returns the index.
52 ***************************************************************************/
54 static int init_lsa_ref_domain_list(TALLOC_CTX *mem_ctx,
55 struct lsa_RefDomainList *ref,
61 if (dom_name != NULL) {
62 for (num = 0; num < ref->count; num++) {
63 if (sid_equal(dom_sid, ref->domains[num].sid)) {
71 if (num >= MAX_REF_DOMAINS) {
72 /* index not found, already at maximum domain limit */
77 ref->max_size = MAX_REF_DOMAINS;
79 ref->domains = TALLOC_REALLOC_ARRAY(mem_ctx, ref->domains,
80 struct lsa_DomainInfo, ref->count);
85 ZERO_STRUCT(ref->domains[num]);
87 init_lsa_StringLarge(&ref->domains[num].name, dom_name);
88 ref->domains[num].sid = sid_dup_talloc(mem_ctx, dom_sid);
89 if (!ref->domains[num].sid) {
97 /*******************************************************************
98 Function to free the per handle data.
99 ********************************************************************/
101 static void free_lsa_info(void *ptr)
103 struct lsa_info *lsa = (struct lsa_info *)ptr;
108 /***************************************************************************
109 initialize a lsa_DomainInfo structure.
110 ***************************************************************************/
112 static void init_dom_query_3(struct lsa_DomainInfo *r,
116 init_lsa_StringLarge(&r->name, name);
120 /***************************************************************************
121 initialize a lsa_DomainInfo structure.
122 ***************************************************************************/
124 static void init_dom_query_5(struct lsa_DomainInfo *r,
128 init_lsa_StringLarge(&r->name, name);
132 /***************************************************************************
133 lookup_lsa_rids. Must be called as root for lookup_name to work.
134 ***************************************************************************/
136 static NTSTATUS lookup_lsa_rids(TALLOC_CTX *mem_ctx,
137 struct lsa_RefDomainList *ref,
138 struct lsa_TranslatedSid *prid,
139 uint32_t num_entries,
140 struct lsa_String *name,
142 uint32_t *pmapped_count)
144 uint32 mapped_count, i;
146 SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
151 for (i = 0; i < num_entries; i++) {
155 const char *full_name;
157 enum lsa_SidType type = SID_NAME_UNKNOWN;
159 /* Split name into domain and user component */
161 full_name = name[i].string;
162 if (full_name == NULL) {
163 return NT_STATUS_NO_MEMORY;
166 DEBUG(5, ("lookup_lsa_rids: looking up name %s\n", full_name));
168 /* We can ignore the result of lookup_name, it will not touch
169 "type" if it's not successful */
171 lookup_name(mem_ctx, full_name, flags, &domain, NULL,
176 case SID_NAME_DOM_GRP:
177 case SID_NAME_DOMAIN:
179 case SID_NAME_WKN_GRP:
180 DEBUG(5, ("init_lsa_rids: %s found\n", full_name));
181 /* Leave these unchanged */
184 /* Don't hand out anything but the list above */
185 DEBUG(5, ("init_lsa_rids: %s not found\n", full_name));
186 type = SID_NAME_UNKNOWN;
193 if (type != SID_NAME_UNKNOWN) {
194 sid_split_rid(&sid, &rid);
195 dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &sid);
199 init_lsa_translated_sid(&prid[i], type, rid, dom_idx);
202 *pmapped_count = mapped_count;
206 /***************************************************************************
207 lookup_lsa_sids. Must be called as root for lookup_name to work.
208 ***************************************************************************/
210 static NTSTATUS lookup_lsa_sids(TALLOC_CTX *mem_ctx,
211 struct lsa_RefDomainList *ref,
212 struct lsa_TranslatedSid3 *trans_sids,
213 uint32_t num_entries,
214 struct lsa_String *name,
216 uint32 *pmapped_count)
218 uint32 mapped_count, i;
220 SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
225 for (i = 0; i < num_entries; i++) {
229 const char *full_name;
231 enum lsa_SidType type = SID_NAME_UNKNOWN;
235 /* Split name into domain and user component */
237 full_name = name[i].string;
238 if (full_name == NULL) {
239 return NT_STATUS_NO_MEMORY;
242 DEBUG(5, ("init_lsa_sids: looking up name %s\n", full_name));
244 /* We can ignore the result of lookup_name, it will not touch
245 "type" if it's not successful */
247 lookup_name(mem_ctx, full_name, flags, &domain, NULL,
252 case SID_NAME_DOM_GRP:
253 case SID_NAME_DOMAIN:
255 case SID_NAME_WKN_GRP:
256 DEBUG(5, ("init_lsa_sids: %s found\n", full_name));
257 /* Leave these unchanged */
260 /* Don't hand out anything but the list above */
261 DEBUG(5, ("init_lsa_sids: %s not found\n", full_name));
262 type = SID_NAME_UNKNOWN;
269 if (type != SID_NAME_UNKNOWN) {
271 sid_copy(&domain_sid, &sid);
272 sid_split_rid(&domain_sid, &rid);
273 dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &domain_sid);
277 /* Initialize the lsa_TranslatedSid3 return. */
278 trans_sids[i].sid_type = type;
279 trans_sids[i].sid = sid_dup_talloc(mem_ctx, &sid);
280 trans_sids[i].sid_index = dom_idx;
283 *pmapped_count = mapped_count;
287 static NTSTATUS lsa_get_generic_sd(TALLOC_CTX *mem_ctx, SEC_DESC **sd, size_t *sd_size)
289 DOM_SID local_adm_sid;
297 init_sec_access(&mask, LSA_POLICY_EXECUTE);
298 init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
300 sid_copy(&adm_sid, get_global_sam_sid());
301 sid_append_rid(&adm_sid, DOMAIN_GROUP_RID_ADMINS);
302 init_sec_access(&mask, LSA_POLICY_ALL_ACCESS);
303 init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
305 sid_copy(&local_adm_sid, &global_sid_Builtin);
306 sid_append_rid(&local_adm_sid, BUILTIN_ALIAS_RID_ADMINS);
307 init_sec_access(&mask, LSA_POLICY_ALL_ACCESS);
308 init_sec_ace(&ace[2], &local_adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
310 if((psa = make_sec_acl(mem_ctx, NT4_ACL_REVISION, 3, ace)) == NULL)
311 return NT_STATUS_NO_MEMORY;
313 if((*sd = make_sec_desc(mem_ctx, SECURITY_DESCRIPTOR_REVISION_1,
314 SEC_DESC_SELF_RELATIVE, &adm_sid, NULL, NULL,
315 psa, sd_size)) == NULL)
316 return NT_STATUS_NO_MEMORY;
321 #if 0 /* AD DC work in ongoing in Samba 4 */
323 /***************************************************************************
325 ***************************************************************************/
327 static void init_dns_dom_info(LSA_DNS_DOM_INFO *r_l, const char *nb_name,
328 const char *dns_name, const char *forest_name,
329 struct GUID *dom_guid, DOM_SID *dom_sid)
331 if (nb_name && *nb_name) {
332 init_unistr2(&r_l->uni_nb_dom_name, nb_name, UNI_FLAGS_NONE);
333 init_uni_hdr(&r_l->hdr_nb_dom_name, &r_l->uni_nb_dom_name);
334 r_l->hdr_nb_dom_name.uni_max_len += 2;
335 r_l->uni_nb_dom_name.uni_max_len += 1;
338 if (dns_name && *dns_name) {
339 init_unistr2(&r_l->uni_dns_dom_name, dns_name, UNI_FLAGS_NONE);
340 init_uni_hdr(&r_l->hdr_dns_dom_name, &r_l->uni_dns_dom_name);
341 r_l->hdr_dns_dom_name.uni_max_len += 2;
342 r_l->uni_dns_dom_name.uni_max_len += 1;
345 if (forest_name && *forest_name) {
346 init_unistr2(&r_l->uni_forest_name, forest_name, UNI_FLAGS_NONE);
347 init_uni_hdr(&r_l->hdr_forest_name, &r_l->uni_forest_name);
348 r_l->hdr_forest_name.uni_max_len += 2;
349 r_l->uni_forest_name.uni_max_len += 1;
352 /* how do we init the guid ? probably should write an init fn */
354 memcpy(&r_l->dom_guid, dom_guid, sizeof(struct GUID));
358 r_l->ptr_dom_sid = 1;
359 init_dom_sid2(&r_l->dom_sid, dom_sid);
362 #endif /* AD DC work in ongoing in Samba 4 */
365 /***************************************************************************
367 ***************************************************************************/
369 NTSTATUS _lsa_OpenPolicy2(pipes_struct *p,
370 struct lsa_OpenPolicy2 *r)
372 struct lsa_info *info;
373 SEC_DESC *psd = NULL;
375 uint32 des_access = r->in.access_mask;
380 /* map the generic bits to the lsa policy ones */
381 se_map_generic(&des_access, &lsa_generic_mapping);
383 /* get the generic lsa policy SD until we store it */
384 lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size);
386 if(!se_access_check(psd, p->pipe_user.nt_user_token, des_access, &acc_granted, &status)) {
387 if (p->pipe_user.ut.uid != sec_initial_uid()) {
390 DEBUG(4,("ACCESS should be DENIED (granted: %#010x; required: %#010x)\n",
391 acc_granted, des_access));
392 DEBUGADD(4,("but overwritten by euid == 0\n"));
395 /* This is needed for lsa_open_account and rpcclient .... :-) */
397 if (p->pipe_user.ut.uid == sec_initial_uid())
398 acc_granted = LSA_POLICY_ALL_ACCESS;
400 /* associate the domain SID with the (unique) handle. */
401 if ((info = SMB_MALLOC_P(struct lsa_info)) == NULL)
402 return NT_STATUS_NO_MEMORY;
405 sid_copy(&info->sid,get_global_sam_sid());
406 info->access = acc_granted;
408 /* set up the LSA QUERY INFO response */
409 if (!create_policy_hnd(p, r->out.handle, free_lsa_info, (void *)info))
410 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
415 /***************************************************************************
417 ***************************************************************************/
419 NTSTATUS _lsa_OpenPolicy(pipes_struct *p,
420 struct lsa_OpenPolicy *r)
422 struct lsa_info *info;
423 SEC_DESC *psd = NULL;
425 uint32 des_access= r->in.access_mask;
430 /* map the generic bits to the lsa policy ones */
431 se_map_generic(&des_access, &lsa_generic_mapping);
433 /* get the generic lsa policy SD until we store it */
434 lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size);
436 if(!se_access_check(psd, p->pipe_user.nt_user_token, des_access, &acc_granted, &status)) {
437 if (p->pipe_user.ut.uid != sec_initial_uid()) {
440 DEBUG(4,("ACCESS should be DENIED (granted: %#010x; required: %#010x)\n",
441 acc_granted, des_access));
442 DEBUGADD(4,("but overwritten by euid == 0\n"));
443 acc_granted = des_access;
446 /* associate the domain SID with the (unique) handle. */
447 if ((info = SMB_MALLOC_P(struct lsa_info)) == NULL)
448 return NT_STATUS_NO_MEMORY;
451 sid_copy(&info->sid,get_global_sam_sid());
452 info->access = acc_granted;
454 /* set up the LSA QUERY INFO response */
455 if (!create_policy_hnd(p, r->out.handle, free_lsa_info, (void *)info))
456 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
461 /***************************************************************************
462 _lsa_EnumTrustDom - this needs fixing to do more than return NULL ! JRA.
464 ***************************************************************************/
466 NTSTATUS _lsa_EnumTrustDom(pipes_struct *p,
467 struct lsa_EnumTrustDom *r)
469 struct lsa_info *info;
471 struct trustdom_info **domains;
472 struct lsa_DomainInfo *lsa_domains = NULL;
476 * preferred length is set to 5 as a "our" preferred length
477 * nt sets this parameter to 2
478 * update (20.08.2002): it's not preferred length, but preferred size!
479 * it needs further investigation how to optimally choose this value
481 uint32 max_num_domains =
482 r->in.max_size < 5 ? r->in.max_size : 10;
487 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
488 return NT_STATUS_INVALID_HANDLE;
490 /* check if the user have enough rights */
491 if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
492 return NT_STATUS_ACCESS_DENIED;
495 nt_status = pdb_enum_trusteddoms(p->mem_ctx, &num_domains, &domains);
498 if (!NT_STATUS_IS_OK(nt_status)) {
502 if (*r->in.resume_handle < num_domains) {
503 num_thistime = MIN(num_domains, max_num_domains);
505 nt_status = STATUS_MORE_ENTRIES;
507 if (*r->in.resume_handle + num_thistime > num_domains) {
508 num_thistime = num_domains - *r->in.resume_handle;
509 nt_status = NT_STATUS_OK;
512 next_idx = *r->in.resume_handle + num_thistime;
515 next_idx = 0xffffffff;
516 nt_status = NT_STATUS_NO_MORE_ENTRIES;
519 /* set up the lsa_enum_trust_dom response */
521 lsa_domains = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_DomainInfo,
524 return NT_STATUS_NO_MEMORY;
527 for (i=0; i<num_thistime; i++) {
528 init_lsa_StringLarge(&lsa_domains[i].name, domains[i]->name);
529 lsa_domains[i].sid = &domains[i]->sid;
532 *r->out.resume_handle = next_idx;
533 r->out.domains->count = num_thistime;
534 r->out.domains->domains = lsa_domains;
539 #define LSA_AUDIT_NUM_CATEGORIES_NT4 7
540 #define LSA_AUDIT_NUM_CATEGORIES_WIN2K 9
541 #define LSA_AUDIT_NUM_CATEGORIES LSA_AUDIT_NUM_CATEGORIES_NT4
543 /***************************************************************************
545 ***************************************************************************/
547 NTSTATUS _lsa_QueryInfoPolicy(pipes_struct *p,
548 struct lsa_QueryInfoPolicy *r)
550 NTSTATUS status = NT_STATUS_OK;
551 struct lsa_info *handle;
555 union lsa_PolicyInformation *info = NULL;
557 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
558 return NT_STATUS_INVALID_HANDLE;
560 info = TALLOC_ZERO_P(p->mem_ctx, union lsa_PolicyInformation);
562 return NT_STATUS_NO_MEMORY;
565 switch (r->in.level) {
569 uint32 policy_def = LSA_AUDIT_POLICY_ALL;
571 /* check if the user have enough rights */
572 if (!(handle->access & LSA_POLICY_VIEW_AUDIT_INFORMATION)) {
573 DEBUG(10,("_lsa_QueryInfoPolicy: insufficient access rights\n"));
574 return NT_STATUS_ACCESS_DENIED;
577 /* fake info: We audit everything. ;) */
579 info->audit_events.auditing_mode = true;
580 info->audit_events.count = LSA_AUDIT_NUM_CATEGORIES;
581 info->audit_events.settings = TALLOC_ZERO_ARRAY(p->mem_ctx,
582 enum lsa_PolicyAuditPolicy,
583 info->audit_events.count);
584 if (!info->audit_events.settings) {
585 return NT_STATUS_NO_MEMORY;
588 info->audit_events.settings[LSA_AUDIT_CATEGORY_ACCOUNT_MANAGEMENT] = policy_def;
589 info->audit_events.settings[LSA_AUDIT_CATEGORY_FILE_AND_OBJECT_ACCESS] = policy_def;
590 info->audit_events.settings[LSA_AUDIT_CATEGORY_LOGON] = policy_def;
591 info->audit_events.settings[LSA_AUDIT_CATEGORY_PROCCESS_TRACKING] = policy_def;
592 info->audit_events.settings[LSA_AUDIT_CATEGORY_SECURITY_POLICY_CHANGES] = policy_def;
593 info->audit_events.settings[LSA_AUDIT_CATEGORY_SYSTEM] = policy_def;
594 info->audit_events.settings[LSA_AUDIT_CATEGORY_USE_OF_USER_RIGHTS] = policy_def;
599 /* check if the user have enough rights */
600 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
601 return NT_STATUS_ACCESS_DENIED;
603 /* Request PolicyPrimaryDomainInformation. */
604 switch (lp_server_role()) {
605 case ROLE_DOMAIN_PDC:
606 case ROLE_DOMAIN_BDC:
607 name = get_global_sam_name();
608 sid = sid_dup_talloc(p->mem_ctx, get_global_sam_sid());
610 return NT_STATUS_NO_MEMORY;
613 case ROLE_DOMAIN_MEMBER:
614 name = lp_workgroup();
615 /* We need to return the Domain SID here. */
616 if (secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) {
617 sid = sid_dup_talloc(p->mem_ctx, &domain_sid);
619 return NT_STATUS_NO_MEMORY;
622 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
625 case ROLE_STANDALONE:
626 name = lp_workgroup();
630 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
632 init_dom_query_3(&info->domain, name, sid);
635 /* check if the user have enough rights */
636 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
637 return NT_STATUS_ACCESS_DENIED;
639 /* Request PolicyAccountDomainInformation. */
640 name = get_global_sam_name();
641 sid = get_global_sam_sid();
643 init_dom_query_5(&info->account_domain, name, sid);
646 /* check if the user have enough rights */
647 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
648 return NT_STATUS_ACCESS_DENIED;
650 switch (lp_server_role()) {
651 case ROLE_DOMAIN_BDC:
653 * only a BDC is a backup controller
654 * of the domain, it controls.
660 * any other role is a primary
661 * of the domain, it controls.
668 DEBUG(0,("_lsa_QueryInfoPolicy: unknown info level in Lsa Query: %d\n",
670 status = NT_STATUS_INVALID_INFO_CLASS;
679 /***************************************************************************
680 _lsa_lookup_sids_internal
681 ***************************************************************************/
683 static NTSTATUS _lsa_lookup_sids_internal(pipes_struct *p,
685 uint16_t level, /* input */
686 int num_sids, /* input */
687 struct lsa_SidPtr *sid, /* input */
688 struct lsa_RefDomainList **pp_ref, /* input/output */
689 struct lsa_TranslatedName2 **pp_names,/* input/output */
690 uint32_t *pp_mapped_count) /* input/output */
694 const DOM_SID **sids = NULL;
695 struct lsa_RefDomainList *ref = NULL;
696 uint32 mapped_count = 0;
697 struct lsa_dom_info *dom_infos = NULL;
698 struct lsa_name_info *name_infos = NULL;
699 struct lsa_TranslatedName2 *names = NULL;
701 *pp_mapped_count = 0;
709 sids = TALLOC_ARRAY(p->mem_ctx, const DOM_SID *, num_sids);
710 ref = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
712 if (sids == NULL || ref == NULL) {
713 return NT_STATUS_NO_MEMORY;
716 for (i=0; i<num_sids; i++) {
717 sids[i] = sid[i].sid;
720 status = lookup_sids(p->mem_ctx, num_sids, sids, level,
721 &dom_infos, &name_infos);
723 if (!NT_STATUS_IS_OK(status)) {
727 names = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName2, num_sids);
729 return NT_STATUS_NO_MEMORY;
732 for (i=0; i<MAX_REF_DOMAINS; i++) {
734 if (!dom_infos[i].valid) {
738 if (init_lsa_ref_domain_list(mem_ctx, ref,
740 &dom_infos[i].sid) != i) {
741 DEBUG(0, ("Domain %s mentioned twice??\n",
743 return NT_STATUS_INTERNAL_ERROR;
747 for (i=0; i<num_sids; i++) {
748 struct lsa_name_info *name = &name_infos[i];
750 if (name->type == SID_NAME_UNKNOWN) {
753 /* Unknown sids should return the string
754 * representation of the SID. Windows 2003 behaves
755 * rather erratic here, in many cases it returns the
756 * RID as 8 bytes hex, in others it returns the full
757 * SID. We (Jerry/VL) could not figure out which the
758 * hard cases are, so leave it with the SID. */
759 name->name = talloc_asprintf(p->mem_ctx, "%s",
762 if (name->name == NULL) {
763 return NT_STATUS_NO_MEMORY;
769 init_lsa_translated_name2(&names[i], name->type,
770 name->name, name->dom_idx, 0);
773 status = NT_STATUS_NONE_MAPPED;
774 if (mapped_count > 0) {
775 status = (mapped_count < num_sids) ?
776 STATUS_SOME_UNMAPPED : NT_STATUS_OK;
779 DEBUG(10, ("num_sids %d, mapped_count %d, status %s\n",
780 num_sids, mapped_count, nt_errstr(status)));
782 *pp_mapped_count = mapped_count;
789 /***************************************************************************
791 ***************************************************************************/
793 NTSTATUS _lsa_LookupSids(pipes_struct *p,
794 struct lsa_LookupSids *r)
797 struct lsa_info *handle;
798 int num_sids = r->in.sids->num_sids;
799 uint32 mapped_count = 0;
800 struct lsa_RefDomainList *domains = NULL;
801 struct lsa_TranslatedName *names_out = NULL;
802 struct lsa_TranslatedName2 *names = NULL;
805 if ((r->in.level < 1) || (r->in.level > 6)) {
806 return NT_STATUS_INVALID_PARAMETER;
809 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
810 return NT_STATUS_INVALID_HANDLE;
813 /* check if the user has enough rights */
814 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
815 return NT_STATUS_ACCESS_DENIED;
818 if (num_sids > MAX_LOOKUP_SIDS) {
819 DEBUG(5,("_lsa_LookupSids: limit of %d exceeded, requested %d\n",
820 MAX_LOOKUP_SIDS, num_sids));
821 return NT_STATUS_NONE_MAPPED;
824 status = _lsa_lookup_sids_internal(p,
833 /* Only return here when there is a real error.
834 NT_STATUS_NONE_MAPPED is a special case as it indicates that none of
835 the requested sids could be resolved. Older versions of XP (pre SP3)
836 rely that we return with the string representations of those SIDs in
837 that case. If we don't, XP crashes - Guenther
840 if (NT_STATUS_IS_ERR(status) &&
841 !NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
845 /* Convert from lsa_TranslatedName2 to lsa_TranslatedName */
846 names_out = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName,
849 return NT_STATUS_NO_MEMORY;
852 for (i=0; i<num_sids; i++) {
853 names_out[i].sid_type = names[i].sid_type;
854 names_out[i].name = names[i].name;
855 names_out[i].sid_index = names[i].sid_index;
858 *r->out.domains = domains;
859 r->out.names->count = num_sids;
860 r->out.names->names = names_out;
861 *r->out.count = mapped_count;
866 /***************************************************************************
868 ***************************************************************************/
870 NTSTATUS _lsa_LookupSids2(pipes_struct *p,
871 struct lsa_LookupSids2 *r)
874 struct lsa_info *handle;
875 int num_sids = r->in.sids->num_sids;
876 uint32 mapped_count = 0;
877 struct lsa_RefDomainList *domains = NULL;
878 struct lsa_TranslatedName2 *names = NULL;
879 bool check_policy = true;
881 switch (p->hdr_req.opnum) {
882 case NDR_LSA_LOOKUPSIDS3:
883 check_policy = false;
885 case NDR_LSA_LOOKUPSIDS2:
890 if ((r->in.level < 1) || (r->in.level > 6)) {
891 return NT_STATUS_INVALID_PARAMETER;
895 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
896 return NT_STATUS_INVALID_HANDLE;
899 /* check if the user have enough rights */
900 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
901 return NT_STATUS_ACCESS_DENIED;
905 if (num_sids > MAX_LOOKUP_SIDS) {
906 DEBUG(5,("_lsa_LookupSids2: limit of %d exceeded, requested %d\n",
907 MAX_LOOKUP_SIDS, num_sids));
908 return NT_STATUS_NONE_MAPPED;
911 status = _lsa_lookup_sids_internal(p,
920 *r->out.domains = domains;
921 r->out.names->count = num_sids;
922 r->out.names->names = names;
923 *r->out.count = mapped_count;
928 /***************************************************************************
930 ***************************************************************************/
932 NTSTATUS _lsa_LookupSids3(pipes_struct *p,
933 struct lsa_LookupSids3 *r)
935 struct lsa_LookupSids2 q;
937 /* No policy handle on this call. Restrict to crypto connections. */
938 if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
939 DEBUG(0,("_lsa_LookupSids3: client %s not using schannel for netlogon\n",
940 get_remote_machine_name() ));
941 return NT_STATUS_INVALID_PARAMETER;
945 q.in.sids = r->in.sids;
946 q.in.level = r->in.level;
947 q.in.unknown1 = r->in.unknown1;
948 q.in.unknown2 = r->in.unknown2;
949 q.in.names = r->in.names;
950 q.in.count = r->in.count;
952 q.out.domains = r->out.domains;
953 q.out.names = r->out.names;
954 q.out.count = r->out.count;
956 return _lsa_LookupSids2(p, &q);
959 /***************************************************************************
960 ***************************************************************************/
962 static int lsa_lookup_level_to_flags(uint16 level)
968 flags = LOOKUP_NAME_ALL;
971 flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_REMOTE|LOOKUP_NAME_ISOLATED;
974 flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_ISOLATED;
980 flags = LOOKUP_NAME_NONE;
987 /***************************************************************************
989 ***************************************************************************/
991 NTSTATUS _lsa_LookupNames(pipes_struct *p,
992 struct lsa_LookupNames *r)
994 NTSTATUS status = NT_STATUS_NONE_MAPPED;
995 struct lsa_info *handle;
996 struct lsa_String *names = r->in.names;
997 uint32 num_entries = r->in.num_names;
998 struct lsa_RefDomainList *domains = NULL;
999 struct lsa_TranslatedSid *rids = NULL;
1000 uint32 mapped_count = 0;
1003 if (num_entries > MAX_LOOKUP_SIDS) {
1004 num_entries = MAX_LOOKUP_SIDS;
1005 DEBUG(5,("_lsa_LookupNames: truncating name lookup list to %d\n",
1009 flags = lsa_lookup_level_to_flags(r->in.level);
1011 domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
1013 return NT_STATUS_NO_MEMORY;
1017 rids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid,
1020 return NT_STATUS_NO_MEMORY;
1026 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1027 status = NT_STATUS_INVALID_HANDLE;
1031 /* check if the user have enough rights */
1032 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1033 status = NT_STATUS_ACCESS_DENIED;
1037 /* set up the LSA Lookup RIDs response */
1038 become_root(); /* lookup_name can require root privs */
1039 status = lookup_lsa_rids(p->mem_ctx, domains, rids, num_entries,
1040 names, flags, &mapped_count);
1045 if (NT_STATUS_IS_OK(status) && (num_entries != 0) ) {
1046 if (mapped_count == 0) {
1047 status = NT_STATUS_NONE_MAPPED;
1048 } else if (mapped_count != num_entries) {
1049 status = STATUS_SOME_UNMAPPED;
1053 *r->out.count = mapped_count;
1054 *r->out.domains = domains;
1055 r->out.sids->sids = rids;
1056 r->out.sids->count = num_entries;
1061 /***************************************************************************
1063 ***************************************************************************/
1065 NTSTATUS _lsa_LookupNames2(pipes_struct *p,
1066 struct lsa_LookupNames2 *r)
1069 struct lsa_LookupNames q;
1070 struct lsa_TransSidArray2 *sid_array2 = r->in.sids;
1071 struct lsa_TransSidArray *sid_array = NULL;
1074 sid_array = TALLOC_ZERO_P(p->mem_ctx, struct lsa_TransSidArray);
1076 return NT_STATUS_NO_MEMORY;
1079 q.in.handle = r->in.handle;
1080 q.in.num_names = r->in.num_names;
1081 q.in.names = r->in.names;
1082 q.in.level = r->in.level;
1083 q.in.sids = sid_array;
1084 q.in.count = r->in.count;
1085 /* we do not know what this is for */
1086 /* = r->in.unknown1; */
1087 /* = r->in.unknown2; */
1089 q.out.domains = r->out.domains;
1090 q.out.sids = sid_array;
1091 q.out.count = r->out.count;
1093 status = _lsa_LookupNames(p, &q);
1095 sid_array2->sids = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedSid2, sid_array->count);
1096 if (!sid_array2->sids) {
1097 return NT_STATUS_NO_MEMORY;
1100 for (i=0; i<sid_array->count; i++) {
1101 sid_array2->sids[i].sid_type = sid_array->sids[i].sid_type;
1102 sid_array2->sids[i].rid = sid_array->sids[i].rid;
1103 sid_array2->sids[i].sid_index = sid_array->sids[i].sid_index;
1104 sid_array2->sids[i].unknown = 0;
1107 r->out.sids = sid_array2;
1112 /***************************************************************************
1114 ***************************************************************************/
1116 NTSTATUS _lsa_LookupNames3(pipes_struct *p,
1117 struct lsa_LookupNames3 *r)
1120 struct lsa_info *handle;
1121 struct lsa_String *names = r->in.names;
1122 uint32 num_entries = r->in.num_names;
1123 struct lsa_RefDomainList *domains = NULL;
1124 struct lsa_TranslatedSid3 *trans_sids = NULL;
1125 uint32 mapped_count = 0;
1127 bool check_policy = true;
1129 switch (p->hdr_req.opnum) {
1130 case NDR_LSA_LOOKUPNAMES4:
1131 check_policy = false;
1133 case NDR_LSA_LOOKUPNAMES3:
1135 check_policy = true;
1138 if (num_entries > MAX_LOOKUP_SIDS) {
1139 num_entries = MAX_LOOKUP_SIDS;
1140 DEBUG(5,("_lsa_LookupNames3: truncating name lookup list to %d\n", num_entries));
1143 /* Probably the lookup_level is some sort of bitmask. */
1144 if (r->in.level == 1) {
1145 flags = LOOKUP_NAME_ALL;
1148 domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
1150 return NT_STATUS_NO_MEMORY;
1154 trans_sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid3,
1157 return NT_STATUS_NO_MEMORY;
1165 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
1166 status = NT_STATUS_INVALID_HANDLE;
1170 /* check if the user have enough rights */
1171 if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
1172 status = NT_STATUS_ACCESS_DENIED;
1177 /* set up the LSA Lookup SIDs response */
1178 become_root(); /* lookup_name can require root privs */
1179 status = lookup_lsa_sids(p->mem_ctx, domains, trans_sids, num_entries,
1180 names, flags, &mapped_count);
1185 if (NT_STATUS_IS_OK(status)) {
1186 if (mapped_count == 0) {
1187 status = NT_STATUS_NONE_MAPPED;
1188 } else if (mapped_count != num_entries) {
1189 status = STATUS_SOME_UNMAPPED;
1193 *r->out.count = mapped_count;
1194 *r->out.domains = domains;
1195 r->out.sids->sids = trans_sids;
1196 r->out.sids->count = num_entries;
1201 /***************************************************************************
1203 ***************************************************************************/
1205 NTSTATUS _lsa_LookupNames4(pipes_struct *p,
1206 struct lsa_LookupNames4 *r)
1208 struct lsa_LookupNames3 q;
1210 /* No policy handle on this call. Restrict to crypto connections. */
1211 if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
1212 DEBUG(0,("_lsa_lookup_names4: client %s not using schannel for netlogon\n",
1213 get_remote_machine_name() ));
1214 return NT_STATUS_INVALID_PARAMETER;
1218 q.in.num_names = r->in.num_names;
1219 q.in.names = r->in.names;
1220 q.in.level = r->in.level;
1221 q.in.unknown1 = r->in.unknown1;
1222 q.in.unknown2 = r->in.unknown2;
1223 q.in.sids = r->in.sids;
1224 q.in.count = r->in.count;
1226 q.out.domains = r->out.domains;
1227 q.out.sids = r->out.sids;
1228 q.out.count = r->out.count;
1230 return _lsa_LookupNames3(p, &q);
1233 /***************************************************************************
1234 _lsa_close. Also weird - needs to check if lsa handle is correct. JRA.
1235 ***************************************************************************/
1237 NTSTATUS _lsa_Close(pipes_struct *p, struct lsa_Close *r)
1239 if (!find_policy_by_hnd(p, r->in.handle, NULL)) {
1240 return NT_STATUS_INVALID_HANDLE;
1243 close_policy_hnd(p, r->in.handle);
1244 ZERO_STRUCTP(r->out.handle);
1245 return NT_STATUS_OK;
1248 /***************************************************************************
1249 ***************************************************************************/
1251 NTSTATUS _lsa_OpenSecret(pipes_struct *p, struct lsa_OpenSecret *r)
1253 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1256 /***************************************************************************
1257 ***************************************************************************/
1259 NTSTATUS _lsa_OpenTrustedDomain(pipes_struct *p, struct lsa_OpenTrustedDomain *r)
1261 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1264 /***************************************************************************
1265 ***************************************************************************/
1267 NTSTATUS _lsa_CreateTrustedDomain(pipes_struct *p, struct lsa_CreateTrustedDomain *r)
1269 return NT_STATUS_ACCESS_DENIED;
1272 /***************************************************************************
1273 ***************************************************************************/
1275 NTSTATUS _lsa_CreateSecret(pipes_struct *p, struct lsa_CreateSecret *r)
1277 return NT_STATUS_ACCESS_DENIED;
1280 /***************************************************************************
1281 ***************************************************************************/
1283 NTSTATUS _lsa_SetSecret(pipes_struct *p, struct lsa_SetSecret *r)
1285 return NT_STATUS_ACCESS_DENIED;
1288 /***************************************************************************
1290 ***************************************************************************/
1292 NTSTATUS _lsa_DeleteObject(pipes_struct *p,
1293 struct lsa_DeleteObject *r)
1295 return NT_STATUS_ACCESS_DENIED;
1298 /***************************************************************************
1300 ***************************************************************************/
1302 NTSTATUS _lsa_EnumPrivs(pipes_struct *p,
1303 struct lsa_EnumPrivs *r)
1305 struct lsa_info *handle;
1307 uint32 enum_context = *r->in.resume_handle;
1308 int num_privs = count_all_privileges();
1309 struct lsa_PrivEntry *entries = NULL;
1312 /* remember that the enum_context starts at 0 and not 1 */
1314 if ( enum_context >= num_privs )
1315 return NT_STATUS_NO_MORE_ENTRIES;
1317 DEBUG(10,("_lsa_EnumPrivs: enum_context:%d total entries:%d\n",
1318 enum_context, num_privs));
1320 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1321 return NT_STATUS_INVALID_HANDLE;
1323 /* check if the user have enough rights
1324 I don't know if it's the right one. not documented. */
1326 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1327 return NT_STATUS_ACCESS_DENIED;
1330 entries = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_PrivEntry, num_privs);
1332 return NT_STATUS_NO_MEMORY;
1338 for (i = 0; i < num_privs; i++) {
1339 if( i < enum_context) {
1341 init_lsa_StringLarge(&entries[i].name, NULL);
1343 entries[i].luid.low = 0;
1344 entries[i].luid.high = 0;
1347 init_lsa_StringLarge(&entries[i].name, privs[i].name);
1349 luid = get_privilege_luid( &privs[i].se_priv );
1351 entries[i].luid.low = luid.luid.low;
1352 entries[i].luid.high = luid.luid.high;
1356 enum_context = num_privs;
1358 *r->out.resume_handle = enum_context;
1359 r->out.privs->count = num_privs;
1360 r->out.privs->privs = entries;
1362 return NT_STATUS_OK;
1365 /***************************************************************************
1366 _lsa_LookupPrivDisplayName
1367 ***************************************************************************/
1369 NTSTATUS _lsa_LookupPrivDisplayName(pipes_struct *p,
1370 struct lsa_LookupPrivDisplayName *r)
1372 struct lsa_info *handle;
1373 const char *description;
1374 struct lsa_StringLarge *lsa_name;
1376 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1377 return NT_STATUS_INVALID_HANDLE;
1379 /* check if the user have enough rights */
1382 * I don't know if it's the right one. not documented.
1384 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1385 return NT_STATUS_ACCESS_DENIED;
1387 DEBUG(10,("_lsa_LookupPrivDisplayName: name = %s\n", r->in.name->string));
1389 description = get_privilege_dispname(r->in.name->string);
1391 DEBUG(10,("_lsa_LookupPrivDisplayName: doesn't exist\n"));
1392 return NT_STATUS_NO_SUCH_PRIVILEGE;
1395 DEBUG(10,("_lsa_LookupPrivDisplayName: display name = %s\n", description));
1397 lsa_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_StringLarge);
1399 return NT_STATUS_NO_MEMORY;
1402 init_lsa_StringLarge(lsa_name, description);
1404 *r->out.returned_language_id = r->in.language_id;
1405 *r->out.disp_name = lsa_name;
1407 return NT_STATUS_OK;
1410 /***************************************************************************
1412 ***************************************************************************/
1414 NTSTATUS _lsa_EnumAccounts(pipes_struct *p,
1415 struct lsa_EnumAccounts *r)
1417 struct lsa_info *handle;
1419 int i, j, num_entries;
1421 struct lsa_SidPtr *sids = NULL;
1423 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1424 return NT_STATUS_INVALID_HANDLE;
1426 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1427 return NT_STATUS_ACCESS_DENIED;
1432 /* The only way we can currently find out all the SIDs that have been
1433 privileged is to scan all privileges */
1435 status = privilege_enumerate_accounts(&sid_list, &num_entries);
1436 if (!NT_STATUS_IS_OK(status)) {
1440 if (*r->in.resume_handle >= num_entries) {
1441 return NT_STATUS_NO_MORE_ENTRIES;
1444 if (num_entries - *r->in.resume_handle) {
1445 sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_SidPtr,
1446 num_entries - *r->in.resume_handle);
1448 SAFE_FREE(sid_list);
1449 return NT_STATUS_NO_MEMORY;
1452 for (i = *r->in.resume_handle, j = 0; i < num_entries; i++, j++) {
1453 sids[j].sid = sid_dup_talloc(p->mem_ctx, &sid_list[i]);
1455 SAFE_FREE(sid_list);
1456 return NT_STATUS_NO_MEMORY;
1461 talloc_free(sid_list);
1463 *r->out.resume_handle = num_entries;
1464 r->out.sids->num_sids = num_entries;
1465 r->out.sids->sids = sids;
1467 return NT_STATUS_OK;
1470 /***************************************************************************
1472 ***************************************************************************/
1474 NTSTATUS _lsa_GetUserName(pipes_struct *p,
1475 struct lsa_GetUserName *r)
1477 const char *username, *domname;
1478 user_struct *vuser = get_valid_user_struct(p->vuid);
1479 struct lsa_String *account_name = NULL;
1480 struct lsa_String *authority_name = NULL;
1483 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
1487 * I'm 99% sure this is not the right place to do this,
1488 * global_sid_Anonymous should probably be put into the token
1489 * instead of the guest id -- vl
1491 if (!lookup_sid(p->mem_ctx, &global_sid_Anonymous,
1492 &domname, &username, NULL)) {
1493 return NT_STATUS_NO_MEMORY;
1496 username = vuser->user.smb_name;
1497 domname = vuser->user.domain;
1500 account_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_String);
1501 if (!account_name) {
1502 return NT_STATUS_NO_MEMORY;
1505 authority_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_String);
1506 if (!authority_name) {
1507 return NT_STATUS_NO_MEMORY;
1510 init_lsa_String(account_name, username);
1511 init_lsa_String(authority_name, domname);
1513 *r->out.account_name = account_name;
1514 *r->out.authority_name = authority_name;
1516 return NT_STATUS_OK;
1519 /***************************************************************************
1521 ***************************************************************************/
1523 NTSTATUS _lsa_CreateAccount(pipes_struct *p,
1524 struct lsa_CreateAccount *r)
1526 struct lsa_info *handle;
1527 struct lsa_info *info;
1529 /* find the connection policy handle. */
1530 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1531 return NT_STATUS_INVALID_HANDLE;
1533 /* check if the user have enough rights */
1536 * I don't know if it's the right one. not documented.
1537 * but guessed with rpcclient.
1539 if (!(handle->access & LSA_POLICY_GET_PRIVATE_INFORMATION))
1540 return NT_STATUS_ACCESS_DENIED;
1542 /* check to see if the pipe_user is a Domain Admin since
1543 account_pol.tdb was already opened as root, this is all we have */
1545 if ( p->pipe_user.ut.uid != sec_initial_uid()
1546 && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
1547 return NT_STATUS_ACCESS_DENIED;
1549 if ( is_privileged_sid( r->in.sid ) )
1550 return NT_STATUS_OBJECT_NAME_COLLISION;
1552 /* associate the user/group SID with the (unique) handle. */
1554 if ((info = SMB_MALLOC_P(struct lsa_info)) == NULL)
1555 return NT_STATUS_NO_MEMORY;
1558 info->sid = *r->in.sid;
1559 info->access = r->in.access_mask;
1561 /* get a (unique) handle. open a policy on it. */
1562 if (!create_policy_hnd(p, r->out.acct_handle, free_lsa_info, (void *)info))
1563 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1565 return privilege_create_account( &info->sid );
1569 /***************************************************************************
1571 ***************************************************************************/
1573 NTSTATUS _lsa_OpenAccount(pipes_struct *p,
1574 struct lsa_OpenAccount *r)
1576 struct lsa_info *handle;
1577 struct lsa_info *info;
1579 /* find the connection policy handle. */
1580 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1581 return NT_STATUS_INVALID_HANDLE;
1583 /* check if the user have enough rights */
1586 * I don't know if it's the right one. not documented.
1587 * but guessed with rpcclient.
1589 if (!(handle->access & LSA_POLICY_GET_PRIVATE_INFORMATION))
1590 return NT_STATUS_ACCESS_DENIED;
1592 /* TODO: Fis the parsing routine before reenabling this check! */
1594 if (!lookup_sid(&handle->sid, dom_name, name, &type))
1595 return NT_STATUS_ACCESS_DENIED;
1597 /* associate the user/group SID with the (unique) handle. */
1598 if ((info = SMB_MALLOC_P(struct lsa_info)) == NULL)
1599 return NT_STATUS_NO_MEMORY;
1602 info->sid = *r->in.sid;
1603 info->access = r->in.access_mask;
1605 /* get a (unique) handle. open a policy on it. */
1606 if (!create_policy_hnd(p, r->out.acct_handle, free_lsa_info, (void *)info))
1607 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1609 return NT_STATUS_OK;
1612 /***************************************************************************
1613 _lsa_EnumPrivsAccount
1614 For a given SID, enumerate all the privilege this account has.
1615 ***************************************************************************/
1617 NTSTATUS _lsa_EnumPrivsAccount(pipes_struct *p,
1618 struct lsa_EnumPrivsAccount *r)
1620 NTSTATUS status = NT_STATUS_OK;
1621 struct lsa_info *info=NULL;
1623 PRIVILEGE_SET privileges;
1624 struct lsa_PrivilegeSet *priv_set = NULL;
1625 struct lsa_LUIDAttribute *luid_attrs = NULL;
1628 /* find the connection policy handle. */
1629 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1630 return NT_STATUS_INVALID_HANDLE;
1632 if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1633 return NT_STATUS_ACCESS_DENIED;
1635 if ( !get_privileges_for_sids( &mask, &info->sid, 1 ) )
1636 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1638 privilege_set_init( &privileges );
1640 if ( se_priv_to_privilege_set( &privileges, &mask ) ) {
1642 DEBUG(10,("_lsa_EnumPrivsAccount: %s has %d privileges\n",
1643 sid_string_dbg(&info->sid),
1646 priv_set = TALLOC_ZERO_P(p->mem_ctx, struct lsa_PrivilegeSet);
1648 status = NT_STATUS_NO_MEMORY;
1652 luid_attrs = TALLOC_ZERO_ARRAY(p->mem_ctx,
1653 struct lsa_LUIDAttribute,
1656 status = NT_STATUS_NO_MEMORY;
1660 for (i=0; i<privileges.count; i++) {
1661 luid_attrs[i].luid.low = privileges.set[i].luid.low;
1662 luid_attrs[i].luid.high = privileges.set[i].luid.high;
1663 luid_attrs[i].attribute = privileges.set[i].attr;
1666 priv_set->count = privileges.count;
1667 priv_set->unknown = 0;
1668 priv_set->set = luid_attrs;
1670 *r->out.privs = priv_set;
1672 status = NT_STATUS_NO_SUCH_PRIVILEGE;
1676 privilege_set_free( &privileges );
1681 /***************************************************************************
1682 _lsa_GetSystemAccessAccount
1683 ***************************************************************************/
1685 NTSTATUS _lsa_GetSystemAccessAccount(pipes_struct *p,
1686 struct lsa_GetSystemAccessAccount *r)
1688 struct lsa_info *info=NULL;
1690 /* find the connection policy handle. */
1692 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1693 return NT_STATUS_INVALID_HANDLE;
1695 if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1696 return NT_STATUS_ACCESS_DENIED;
1698 if (!lookup_sid(p->mem_ctx, &info->sid, NULL, NULL, NULL))
1699 return NT_STATUS_ACCESS_DENIED;
1702 0x01 -> Log on locally
1703 0x02 -> Access this computer from network
1704 0x04 -> Log on as a batch job
1705 0x10 -> Log on as a service
1707 they can be ORed together
1710 *r->out.access_mask = PR_LOG_ON_LOCALLY | PR_ACCESS_FROM_NETWORK;
1712 return NT_STATUS_OK;
1715 /***************************************************************************
1716 update the systemaccount information
1717 ***************************************************************************/
1719 NTSTATUS _lsa_SetSystemAccessAccount(pipes_struct *p,
1720 struct lsa_SetSystemAccessAccount *r)
1722 struct lsa_info *info=NULL;
1725 /* find the connection policy handle. */
1726 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1727 return NT_STATUS_INVALID_HANDLE;
1729 /* check to see if the pipe_user is a Domain Admin since
1730 account_pol.tdb was already opened as root, this is all we have */
1732 if ( p->pipe_user.ut.uid != sec_initial_uid()
1733 && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
1734 return NT_STATUS_ACCESS_DENIED;
1736 if (!pdb_getgrsid(&map, info->sid))
1737 return NT_STATUS_NO_SUCH_GROUP;
1739 return pdb_update_group_mapping_entry(&map);
1742 /***************************************************************************
1743 _lsa_AddPrivilegesToAccount
1744 For a given SID, add some privileges.
1745 ***************************************************************************/
1747 NTSTATUS _lsa_AddPrivilegesToAccount(pipes_struct *p,
1748 struct lsa_AddPrivilegesToAccount *r)
1750 struct lsa_info *info = NULL;
1752 struct lsa_PrivilegeSet *set = NULL;
1754 /* find the connection policy handle. */
1755 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1756 return NT_STATUS_INVALID_HANDLE;
1758 /* check to see if the pipe_user is root or a Domain Admin since
1759 account_pol.tdb was already opened as root, this is all we have */
1761 if ( p->pipe_user.ut.uid != sec_initial_uid()
1762 && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
1764 return NT_STATUS_ACCESS_DENIED;
1768 if ( !privilege_set_to_se_priv( &mask, set ) )
1769 return NT_STATUS_NO_SUCH_PRIVILEGE;
1771 if ( !grant_privilege( &info->sid, &mask ) ) {
1772 DEBUG(3,("_lsa_AddPrivilegesToAccount: grant_privilege(%s) failed!\n",
1773 sid_string_dbg(&info->sid) ));
1774 DEBUG(3,("Privilege mask:\n"));
1775 dump_se_priv( DBGC_ALL, 3, &mask );
1776 return NT_STATUS_NO_SUCH_PRIVILEGE;
1779 return NT_STATUS_OK;
1782 /***************************************************************************
1783 _lsa_RemovePrivilegesFromAccount
1784 For a given SID, remove some privileges.
1785 ***************************************************************************/
1787 NTSTATUS _lsa_RemovePrivilegesFromAccount(pipes_struct *p,
1788 struct lsa_RemovePrivilegesFromAccount *r)
1790 struct lsa_info *info = NULL;
1792 struct lsa_PrivilegeSet *set = NULL;
1794 /* find the connection policy handle. */
1795 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1796 return NT_STATUS_INVALID_HANDLE;
1798 /* check to see if the pipe_user is root or a Domain Admin since
1799 account_pol.tdb was already opened as root, this is all we have */
1801 if ( p->pipe_user.ut.uid != sec_initial_uid()
1802 && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
1804 return NT_STATUS_ACCESS_DENIED;
1809 if ( !privilege_set_to_se_priv( &mask, set ) )
1810 return NT_STATUS_NO_SUCH_PRIVILEGE;
1812 if ( !revoke_privilege( &info->sid, &mask ) ) {
1813 DEBUG(3,("_lsa_RemovePrivilegesFromAccount: revoke_privilege(%s) failed!\n",
1814 sid_string_dbg(&info->sid) ));
1815 DEBUG(3,("Privilege mask:\n"));
1816 dump_se_priv( DBGC_ALL, 3, &mask );
1817 return NT_STATUS_NO_SUCH_PRIVILEGE;
1820 return NT_STATUS_OK;
1823 /***************************************************************************
1825 ***************************************************************************/
1827 NTSTATUS _lsa_QuerySecurity(pipes_struct *p,
1828 struct lsa_QuerySecurity *r)
1830 struct lsa_info *handle=NULL;
1831 SEC_DESC *psd = NULL;
1835 /* find the connection policy handle. */
1836 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
1837 return NT_STATUS_INVALID_HANDLE;
1839 /* check if the user have enough rights */
1840 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1841 return NT_STATUS_ACCESS_DENIED;
1843 switch (r->in.sec_info) {
1845 /* SD contains only the owner */
1847 status=lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size);
1848 if(!NT_STATUS_IS_OK(status))
1849 return NT_STATUS_NO_MEMORY;
1852 if((*r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL)
1853 return NT_STATUS_NO_MEMORY;
1856 /* SD contains only the ACL */
1858 status=lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size);
1859 if(!NT_STATUS_IS_OK(status))
1860 return NT_STATUS_NO_MEMORY;
1862 if((*r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL)
1863 return NT_STATUS_NO_MEMORY;
1866 return NT_STATUS_INVALID_LEVEL;
1872 #if 0 /* AD DC work in ongoing in Samba 4 */
1874 /***************************************************************************
1875 ***************************************************************************/
1877 NTSTATUS _lsa_query_info2(pipes_struct *p, LSA_Q_QUERY_INFO2 *q_u, LSA_R_QUERY_INFO2 *r_u)
1879 struct lsa_info *handle;
1880 const char *nb_name;
1881 char *dns_name = NULL;
1882 char *forest_name = NULL;
1883 DOM_SID *sid = NULL;
1888 r_u->status = NT_STATUS_OK;
1890 if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&handle))
1891 return NT_STATUS_INVALID_HANDLE;
1893 switch (q_u->info_class) {
1895 /* check if the user have enough rights */
1896 if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
1897 return NT_STATUS_ACCESS_DENIED;
1899 /* Request PolicyPrimaryDomainInformation. */
1900 switch (lp_server_role()) {
1901 case ROLE_DOMAIN_PDC:
1902 case ROLE_DOMAIN_BDC:
1903 nb_name = get_global_sam_name();
1904 /* ugly temp hack for these next two */
1906 /* This should be a 'netbios domain -> DNS domain' mapping */
1907 dnsdomname = get_mydnsdomname(p->mem_ctx);
1908 if (!dnsdomname || !*dnsdomname) {
1909 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
1911 strlower_m(dnsdomname);
1913 dns_name = dnsdomname;
1914 forest_name = dnsdomname;
1916 sid = get_global_sam_sid();
1917 secrets_fetch_domain_guid(lp_workgroup(), &guid);
1920 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
1922 init_dns_dom_info(&r_u->info.dns_dom_info, nb_name, dns_name,
1923 forest_name,&guid,sid);
1926 DEBUG(0,("_lsa_query_info2: unknown info level in Lsa Query: %d\n", q_u->info_class));
1927 r_u->status = NT_STATUS_INVALID_INFO_CLASS;
1931 if (NT_STATUS_IS_OK(r_u->status)) {
1933 r_u->info_class = q_u->info_class;
1938 #endif /* AD DC work in ongoing in Samba 4 */
1940 /***************************************************************************
1941 _lsa_AddAccountRights
1942 ***************************************************************************/
1944 NTSTATUS _lsa_AddAccountRights(pipes_struct *p,
1945 struct lsa_AddAccountRights *r)
1947 struct lsa_info *info = NULL;
1951 /* find the connection policy handle. */
1952 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
1953 return NT_STATUS_INVALID_HANDLE;
1955 /* check to see if the pipe_user is a Domain Admin since
1956 account_pol.tdb was already opened as root, this is all we have */
1958 if ( p->pipe_user.ut.uid != sec_initial_uid()
1959 && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
1961 return NT_STATUS_ACCESS_DENIED;
1964 /* according to an NT4 PDC, you can add privileges to SIDs even without
1965 call_lsa_create_account() first. And you can use any arbitrary SID. */
1967 sid_copy( &sid, r->in.sid );
1969 for ( i=0; i < r->in.rights->count; i++ ) {
1971 const char *privname = r->in.rights->names[i].string;
1973 /* only try to add non-null strings */
1978 if ( !grant_privilege_by_name( &sid, privname ) ) {
1979 DEBUG(2,("_lsa_AddAccountRights: Failed to add privilege [%s]\n",
1981 return NT_STATUS_NO_SUCH_PRIVILEGE;
1985 return NT_STATUS_OK;
1988 /***************************************************************************
1989 _lsa_RemoveAccountRights
1990 ***************************************************************************/
1992 NTSTATUS _lsa_RemoveAccountRights(pipes_struct *p,
1993 struct lsa_RemoveAccountRights *r)
1995 struct lsa_info *info = NULL;
1998 const char *privname = NULL;
2000 /* find the connection policy handle. */
2001 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2002 return NT_STATUS_INVALID_HANDLE;
2004 /* check to see if the pipe_user is a Domain Admin since
2005 account_pol.tdb was already opened as root, this is all we have */
2007 if ( p->pipe_user.ut.uid != sec_initial_uid()
2008 && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
2010 return NT_STATUS_ACCESS_DENIED;
2013 sid_copy( &sid, r->in.sid );
2015 if ( r->in.remove_all ) {
2016 if ( !revoke_all_privileges( &sid ) )
2017 return NT_STATUS_ACCESS_DENIED;
2019 return NT_STATUS_OK;
2022 for ( i=0; i < r->in.rights->count; i++ ) {
2024 privname = r->in.rights->names[i].string;
2026 /* only try to add non-null strings */
2031 if ( !revoke_privilege_by_name( &sid, privname ) ) {
2032 DEBUG(2,("_lsa_RemoveAccountRights: Failed to revoke privilege [%s]\n",
2034 return NT_STATUS_NO_SUCH_PRIVILEGE;
2038 return NT_STATUS_OK;
2041 /*******************************************************************
2042 ********************************************************************/
2044 static NTSTATUS init_lsa_right_set(TALLOC_CTX *mem_ctx,
2045 struct lsa_RightSet *r,
2046 PRIVILEGE_SET *privileges)
2049 const char *privname;
2050 const char **privname_array = NULL;
2053 for (i=0; i<privileges->count; i++) {
2055 privname = luid_to_privilege_name(&privileges->set[i].luid);
2057 if (!add_string_to_array(mem_ctx, privname,
2058 &privname_array, &num_priv)) {
2059 return NT_STATUS_NO_MEMORY;
2066 r->names = TALLOC_ZERO_ARRAY(mem_ctx, struct lsa_StringLarge,
2069 return NT_STATUS_NO_MEMORY;
2072 for (i=0; i<num_priv; i++) {
2073 init_lsa_StringLarge(&r->names[i], privname_array[i]);
2076 r->count = num_priv;
2079 return NT_STATUS_OK;
2082 /***************************************************************************
2083 _lsa_EnumAccountRights
2084 ***************************************************************************/
2086 NTSTATUS _lsa_EnumAccountRights(pipes_struct *p,
2087 struct lsa_EnumAccountRights *r)
2090 struct lsa_info *info = NULL;
2092 PRIVILEGE_SET privileges;
2095 /* find the connection policy handle. */
2097 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2098 return NT_STATUS_INVALID_HANDLE;
2100 if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
2101 return NT_STATUS_ACCESS_DENIED;
2103 /* according to an NT4 PDC, you can add privileges to SIDs even without
2104 call_lsa_create_account() first. And you can use any arbitrary SID. */
2106 sid_copy( &sid, r->in.sid );
2108 if ( !get_privileges_for_sids( &mask, &sid, 1 ) )
2109 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2111 privilege_set_init( &privileges );
2113 if ( se_priv_to_privilege_set( &privileges, &mask ) ) {
2115 DEBUG(10,("_lsa_EnumAccountRights: %s has %d privileges\n",
2116 sid_string_dbg(&sid), privileges.count));
2118 status = init_lsa_right_set(p->mem_ctx, r->out.rights, &privileges);
2120 status = NT_STATUS_NO_SUCH_PRIVILEGE;
2123 privilege_set_free( &privileges );
2128 /***************************************************************************
2129 _lsa_LookupPrivValue
2130 ***************************************************************************/
2132 NTSTATUS _lsa_LookupPrivValue(pipes_struct *p,
2133 struct lsa_LookupPrivValue *r)
2135 struct lsa_info *info = NULL;
2136 const char *name = NULL;
2137 LUID_ATTR priv_luid;
2140 /* find the connection policy handle. */
2142 if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
2143 return NT_STATUS_INVALID_HANDLE;
2145 if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
2146 return NT_STATUS_ACCESS_DENIED;
2148 name = r->in.name->string;
2150 DEBUG(10,("_lsa_lookup_priv_value: name = %s\n", name));
2152 if ( !se_priv_from_name( name, &mask ) )
2153 return NT_STATUS_NO_SUCH_PRIVILEGE;
2155 priv_luid = get_privilege_luid( &mask );
2157 r->out.luid->low = priv_luid.luid.low;
2158 r->out.luid->high = priv_luid.luid.high;
2160 return NT_STATUS_OK;
2164 * From here on the server routines are just dummy ones to make smbd link with
2165 * librpc/gen_ndr/srv_lsa.c. These routines are actually never called, we are
2166 * pulling the server stubs across one by one.
2169 NTSTATUS _lsa_Delete(pipes_struct *p, struct lsa_Delete *r)
2171 p->rng_fault_state = True;
2172 return NT_STATUS_NOT_IMPLEMENTED;
2175 NTSTATUS _lsa_SetSecObj(pipes_struct *p, struct lsa_SetSecObj *r)
2177 p->rng_fault_state = True;
2178 return NT_STATUS_NOT_IMPLEMENTED;
2181 NTSTATUS _lsa_ChangePassword(pipes_struct *p, struct lsa_ChangePassword *r)
2183 p->rng_fault_state = True;
2184 return NT_STATUS_NOT_IMPLEMENTED;
2187 NTSTATUS _lsa_SetInfoPolicy(pipes_struct *p, struct lsa_SetInfoPolicy *r)
2189 p->rng_fault_state = True;
2190 return NT_STATUS_NOT_IMPLEMENTED;
2193 NTSTATUS _lsa_ClearAuditLog(pipes_struct *p, struct lsa_ClearAuditLog *r)
2195 p->rng_fault_state = True;
2196 return NT_STATUS_NOT_IMPLEMENTED;
2199 NTSTATUS _lsa_GetQuotasForAccount(pipes_struct *p, struct lsa_GetQuotasForAccount *r)
2201 p->rng_fault_state = True;
2202 return NT_STATUS_NOT_IMPLEMENTED;
2205 NTSTATUS _lsa_SetQuotasForAccount(pipes_struct *p, struct lsa_SetQuotasForAccount *r)
2207 p->rng_fault_state = True;
2208 return NT_STATUS_NOT_IMPLEMENTED;
2211 NTSTATUS _lsa_QueryTrustedDomainInfo(pipes_struct *p, struct lsa_QueryTrustedDomainInfo *r)
2213 p->rng_fault_state = True;
2214 return NT_STATUS_NOT_IMPLEMENTED;
2217 NTSTATUS _lsa_SetInformationTrustedDomain(pipes_struct *p, struct lsa_SetInformationTrustedDomain *r)
2219 p->rng_fault_state = True;
2220 return NT_STATUS_NOT_IMPLEMENTED;
2223 NTSTATUS _lsa_QuerySecret(pipes_struct *p, struct lsa_QuerySecret *r)
2225 p->rng_fault_state = True;
2226 return NT_STATUS_NOT_IMPLEMENTED;
2229 NTSTATUS _lsa_LookupPrivName(pipes_struct *p, struct lsa_LookupPrivName *r)
2231 p->rng_fault_state = True;
2232 return NT_STATUS_NOT_IMPLEMENTED;
2235 NTSTATUS _lsa_EnumAccountsWithUserRight(pipes_struct *p, struct lsa_EnumAccountsWithUserRight *r)
2237 p->rng_fault_state = True;
2238 return NT_STATUS_NOT_IMPLEMENTED;
2241 NTSTATUS _lsa_QueryTrustedDomainInfoBySid(pipes_struct *p, struct lsa_QueryTrustedDomainInfoBySid *r)
2243 p->rng_fault_state = True;
2244 return NT_STATUS_NOT_IMPLEMENTED;
2247 NTSTATUS _lsa_SetTrustedDomainInfo(pipes_struct *p, struct lsa_SetTrustedDomainInfo *r)
2249 p->rng_fault_state = True;
2250 return NT_STATUS_NOT_IMPLEMENTED;
2253 NTSTATUS _lsa_DeleteTrustedDomain(pipes_struct *p, struct lsa_DeleteTrustedDomain *r)
2255 p->rng_fault_state = True;
2256 return NT_STATUS_NOT_IMPLEMENTED;
2259 NTSTATUS _lsa_StorePrivateData(pipes_struct *p, struct lsa_StorePrivateData *r)
2261 p->rng_fault_state = True;
2262 return NT_STATUS_NOT_IMPLEMENTED;
2265 NTSTATUS _lsa_RetrievePrivateData(pipes_struct *p, struct lsa_RetrievePrivateData *r)
2267 p->rng_fault_state = True;
2268 return NT_STATUS_NOT_IMPLEMENTED;
2271 NTSTATUS _lsa_QueryInfoPolicy2(pipes_struct *p, struct lsa_QueryInfoPolicy2 *r)
2273 p->rng_fault_state = True;
2274 return NT_STATUS_NOT_IMPLEMENTED;
2277 NTSTATUS _lsa_SetInfoPolicy2(pipes_struct *p, struct lsa_SetInfoPolicy2 *r)
2279 p->rng_fault_state = True;
2280 return NT_STATUS_NOT_IMPLEMENTED;
2283 NTSTATUS _lsa_QueryTrustedDomainInfoByName(pipes_struct *p, struct lsa_QueryTrustedDomainInfoByName *r)
2285 p->rng_fault_state = True;
2286 return NT_STATUS_NOT_IMPLEMENTED;
2289 NTSTATUS _lsa_SetTrustedDomainInfoByName(pipes_struct *p, struct lsa_SetTrustedDomainInfoByName *r)
2291 p->rng_fault_state = True;
2292 return NT_STATUS_NOT_IMPLEMENTED;
2295 NTSTATUS _lsa_EnumTrustedDomainsEx(pipes_struct *p, struct lsa_EnumTrustedDomainsEx *r)
2297 p->rng_fault_state = True;
2298 return NT_STATUS_NOT_IMPLEMENTED;
2301 NTSTATUS _lsa_CreateTrustedDomainEx(pipes_struct *p, struct lsa_CreateTrustedDomainEx *r)
2303 p->rng_fault_state = True;
2304 return NT_STATUS_NOT_IMPLEMENTED;
2307 NTSTATUS _lsa_CloseTrustedDomainEx(pipes_struct *p, struct lsa_CloseTrustedDomainEx *r)
2309 p->rng_fault_state = True;
2310 return NT_STATUS_NOT_IMPLEMENTED;
2313 NTSTATUS _lsa_QueryDomainInformationPolicy(pipes_struct *p, struct lsa_QueryDomainInformationPolicy *r)
2315 p->rng_fault_state = True;
2316 return NT_STATUS_NOT_IMPLEMENTED;
2319 NTSTATUS _lsa_SetDomainInformationPolicy(pipes_struct *p, struct lsa_SetDomainInformationPolicy *r)
2321 p->rng_fault_state = True;
2322 return NT_STATUS_NOT_IMPLEMENTED;
2325 NTSTATUS _lsa_OpenTrustedDomainByName(pipes_struct *p, struct lsa_OpenTrustedDomainByName *r)
2327 p->rng_fault_state = True;
2328 return NT_STATUS_NOT_IMPLEMENTED;
2331 NTSTATUS _lsa_TestCall(pipes_struct *p, struct lsa_TestCall *r)
2333 p->rng_fault_state = True;
2334 return NT_STATUS_NOT_IMPLEMENTED;
2337 NTSTATUS _lsa_CreateTrustedDomainEx2(pipes_struct *p, struct lsa_CreateTrustedDomainEx2 *r)
2339 p->rng_fault_state = True;
2340 return NT_STATUS_NOT_IMPLEMENTED;
2343 NTSTATUS _lsa_CREDRWRITE(pipes_struct *p, struct lsa_CREDRWRITE *r)
2345 p->rng_fault_state = True;
2346 return NT_STATUS_NOT_IMPLEMENTED;
2349 NTSTATUS _lsa_CREDRREAD(pipes_struct *p, struct lsa_CREDRREAD *r)
2351 p->rng_fault_state = True;
2352 return NT_STATUS_NOT_IMPLEMENTED;
2355 NTSTATUS _lsa_CREDRENUMERATE(pipes_struct *p, struct lsa_CREDRENUMERATE *r)
2357 p->rng_fault_state = True;
2358 return NT_STATUS_NOT_IMPLEMENTED;
2361 NTSTATUS _lsa_CREDRWRITEDOMAINCREDENTIALS(pipes_struct *p, struct lsa_CREDRWRITEDOMAINCREDENTIALS *r)
2363 p->rng_fault_state = True;
2364 return NT_STATUS_NOT_IMPLEMENTED;
2367 NTSTATUS _lsa_CREDRREADDOMAINCREDENTIALS(pipes_struct *p, struct lsa_CREDRREADDOMAINCREDENTIALS *r)
2369 p->rng_fault_state = True;
2370 return NT_STATUS_NOT_IMPLEMENTED;
2373 NTSTATUS _lsa_CREDRDELETE(pipes_struct *p, struct lsa_CREDRDELETE *r)
2375 p->rng_fault_state = True;
2376 return NT_STATUS_NOT_IMPLEMENTED;
2379 NTSTATUS _lsa_CREDRGETTARGETINFO(pipes_struct *p, struct lsa_CREDRGETTARGETINFO *r)
2381 p->rng_fault_state = True;
2382 return NT_STATUS_NOT_IMPLEMENTED;
2385 NTSTATUS _lsa_CREDRPROFILELOADED(pipes_struct *p, struct lsa_CREDRPROFILELOADED *r)
2387 p->rng_fault_state = True;
2388 return NT_STATUS_NOT_IMPLEMENTED;
2391 NTSTATUS _lsa_CREDRGETSESSIONTYPES(pipes_struct *p, struct lsa_CREDRGETSESSIONTYPES *r)
2393 p->rng_fault_state = True;
2394 return NT_STATUS_NOT_IMPLEMENTED;
2397 NTSTATUS _lsa_LSARREGISTERAUDITEVENT(pipes_struct *p, struct lsa_LSARREGISTERAUDITEVENT *r)
2399 p->rng_fault_state = True;
2400 return NT_STATUS_NOT_IMPLEMENTED;
2403 NTSTATUS _lsa_LSARGENAUDITEVENT(pipes_struct *p, struct lsa_LSARGENAUDITEVENT *r)
2405 p->rng_fault_state = True;
2406 return NT_STATUS_NOT_IMPLEMENTED;
2409 NTSTATUS _lsa_LSARUNREGISTERAUDITEVENT(pipes_struct *p, struct lsa_LSARUNREGISTERAUDITEVENT *r)
2411 p->rng_fault_state = True;
2412 return NT_STATUS_NOT_IMPLEMENTED;
2415 NTSTATUS _lsa_lsaRQueryForestTrustInformation(pipes_struct *p, struct lsa_lsaRQueryForestTrustInformation *r)
2417 p->rng_fault_state = True;
2418 return NT_STATUS_NOT_IMPLEMENTED;
2421 NTSTATUS _lsa_LSARSETFORESTTRUSTINFORMATION(pipes_struct *p, struct lsa_LSARSETFORESTTRUSTINFORMATION *r)
2423 p->rng_fault_state = True;
2424 return NT_STATUS_NOT_IMPLEMENTED;
2427 NTSTATUS _lsa_CREDRRENAME(pipes_struct *p, struct lsa_CREDRRENAME *r)
2429 p->rng_fault_state = True;
2430 return NT_STATUS_NOT_IMPLEMENTED;
2433 NTSTATUS _lsa_LSAROPENPOLICYSCE(pipes_struct *p, struct lsa_LSAROPENPOLICYSCE *r)
2435 p->rng_fault_state = True;
2436 return NT_STATUS_NOT_IMPLEMENTED;
2439 NTSTATUS _lsa_LSARADTREGISTERSECURITYEVENTSOURCE(pipes_struct *p, struct lsa_LSARADTREGISTERSECURITYEVENTSOURCE *r)
2441 p->rng_fault_state = True;
2442 return NT_STATUS_NOT_IMPLEMENTED;
2445 NTSTATUS _lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE(pipes_struct *p, struct lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE *r)
2447 p->rng_fault_state = True;
2448 return NT_STATUS_NOT_IMPLEMENTED;
2451 NTSTATUS _lsa_LSARADTREPORTSECURITYEVENT(pipes_struct *p, struct lsa_LSARADTREPORTSECURITYEVENT *r)
2453 p->rng_fault_state = True;
2454 return NT_STATUS_NOT_IMPLEMENTED;
git.samba.org / obnox / samba-ctdb.git / blob