2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Paul Ashton 1997,
7 * Copyright (C) Jeremy Allison 2001,
8 * Copyright (C) Rafal Szczesniak 2002,
9 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
10 * Copyright (C) Simo Sorce 2003.
11 * Copyright (C) Gerald (Jerry) Carter 2005.
12 * Copyright (C) Volker Lendecke 2005.
14 * This program is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU General Public License as published by
16 * the Free Software Foundation; either version 2 of the License, or
17 * (at your option) any later version.
19 * This program is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU General Public License for more details.
24 * You should have received a copy of the GNU General Public License
25 * along with this program; if not, write to the Free Software
26 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
29 /* This is the implementation of the lsa server code. */
34 #define DBGC_CLASS DBGC_RPC_SRV
43 struct generic_mapping lsa_generic_mapping = {
50 /*******************************************************************
51 Function to free the per handle data.
52 ********************************************************************/
54 static void free_lsa_info(void *ptr)
56 struct lsa_info *lsa = (struct lsa_info *)ptr;
61 /***************************************************************************
63 ***************************************************************************/
65 static void init_dom_query(DOM_QUERY *d_q, const char *dom_name, DOM_SID *dom_sid)
67 d_q->buffer_dom_name = (dom_name != NULL) ? 1 : 0; /* domain buffer pointer */
68 d_q->buffer_dom_sid = (dom_sid != NULL) ? 1 : 0; /* domain sid pointer */
70 /* this string is supposed to be non-null terminated. */
71 /* But the maxlen in this UNISTR2 must include the terminating null. */
72 init_unistr2(&d_q->uni_domain_name, dom_name, UNI_BROKEN_NON_NULL);
75 * I'm not sure why this really odd combination of length
76 * values works, but it does appear to. I need to look at
77 * this *much* more closely - but at the moment leave alone
78 * until it's understood. This allows a W2k client to join
79 * a domain with both odd and even length names... JRA.
84 * The two fields below probably are reversed in meaning, ie.
85 * the first field is probably the str_len, the second the max
86 * len. Both are measured in bytes anyway.
89 d_q->uni_dom_str_len = d_q->uni_domain_name.uni_max_len * 2;
90 d_q->uni_dom_max_len = d_q->uni_domain_name.uni_str_len * 2;
93 init_dom_sid2(&d_q->dom_sid, dom_sid);
96 /***************************************************************************
97 init_dom_ref - adds a domain if it's not already in, returns the index.
98 ***************************************************************************/
100 static int init_dom_ref(DOM_R_REF *ref, const char *dom_name, DOM_SID *dom_sid)
104 if (dom_name != NULL) {
105 for (num = 0; num < ref->num_ref_doms_1; num++) {
106 if (sid_equal(dom_sid, &ref->ref_dom[num].ref_dom.sid))
110 num = ref->num_ref_doms_1;
113 if (num >= MAX_REF_DOMAINS) {
114 /* index not found, already at maximum domain limit */
118 ref->num_ref_doms_1 = num+1;
119 ref->ptr_ref_dom = 1;
120 ref->max_entries = MAX_REF_DOMAINS;
121 ref->num_ref_doms_2 = num+1;
123 ref->hdr_ref_dom[num].ptr_dom_sid = dom_sid != NULL ? 1 : 0;
125 init_unistr2(&ref->ref_dom[num].uni_dom_name, dom_name, UNI_FLAGS_NONE);
126 init_uni_hdr(&ref->hdr_ref_dom[num].hdr_dom_name, &ref->ref_dom[num].uni_dom_name);
128 init_dom_sid2(&ref->ref_dom[num].ref_dom, dom_sid );
133 /***************************************************************************
135 ***************************************************************************/
137 static int init_lsa_rids(TALLOC_CTX *mem_ctx,
138 DOM_R_REF *ref, DOM_RID *prid,
139 int num_entries, UNISTR2 *name,
144 SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
148 become_root(); /* lookup_name can require root privs */
150 for (i = 0; i < num_entries; i++) {
156 enum SID_NAME_USE type = SID_NAME_UNKNOWN;
158 /* Split name into domain and user component */
160 full_name = rpcstr_pull_unistr2_talloc(mem_ctx, &name[i]);
161 if (full_name == NULL) {
162 DEBUG(0, ("pull_ucs2_talloc failed\n"));
166 DEBUG(5, ("init_lsa_rids: looking up name %s\n", full_name));
168 /* We can ignore the result of lookup_name, it will not touch
169 "type" if it's not successful */
171 lookup_name(mem_ctx, full_name, flags, &domain, NULL,
177 case SID_NAME_DOM_GRP:
178 case SID_NAME_DOMAIN:
180 case SID_NAME_WKN_GRP:
181 DEBUG(5, ("init_lsa_rids: %s found\n", full_name));
182 /* Leave these unchanged */
185 /* Don't hand out anything but the list above */
186 DEBUG(5, ("init_lsa_rids: %s not found\n", full_name));
187 type = SID_NAME_UNKNOWN;
194 if (type != SID_NAME_UNKNOWN) {
195 sid_split_rid(&sid, &rid);
196 dom_idx = init_dom_ref(ref, domain, &sid);
200 init_dom_rid(&prid[i], rid, type, dom_idx);
208 /***************************************************************************
209 init_reply_lookup_names
210 ***************************************************************************/
212 static void init_reply_lookup_names(LSA_R_LOOKUP_NAMES *r_l,
213 DOM_R_REF *ref, uint32 num_entries,
214 DOM_RID *rid, uint32 mapped_count)
216 r_l->ptr_dom_ref = 1;
219 r_l->num_entries = num_entries;
220 r_l->ptr_entries = 1;
221 r_l->num_entries2 = num_entries;
224 r_l->mapped_count = mapped_count;
227 /***************************************************************************
228 Init_reply_lookup_sids.
229 ***************************************************************************/
231 static void init_reply_lookup_sids2(LSA_R_LOOKUP_SIDS2 *r_l,
233 LSA_TRANS_NAME_ENUM2 *names,
236 r_l->ptr_dom_ref = ref ? 1 : 0;
239 r_l->mapped_count = mapped_count;
242 /***************************************************************************
243 Init_reply_lookup_sids.
244 ***************************************************************************/
246 static void init_reply_lookup_sids3(LSA_R_LOOKUP_SIDS3 *r_l,
248 LSA_TRANS_NAME_ENUM2 *names,
251 r_l->ptr_dom_ref = ref ? 1 : 0;
254 r_l->mapped_count = mapped_count;
257 /***************************************************************************
258 Init_reply_lookup_sids.
259 ***************************************************************************/
261 static NTSTATUS init_reply_lookup_sids(TALLOC_CTX *mem_ctx,
262 LSA_R_LOOKUP_SIDS *r_l,
264 LSA_TRANS_NAME_ENUM2 *names,
267 LSA_TRANS_NAME_ENUM *oldnames = TALLOC_ZERO_P(mem_ctx, LSA_TRANS_NAME_ENUM);
270 return NT_STATUS_NO_MEMORY;
273 oldnames->num_entries = names->num_entries;
274 oldnames->ptr_trans_names = names->ptr_trans_names;
275 oldnames->num_entries2 = names->num_entries2;
276 oldnames->uni_name = names->uni_name;
278 if (names->num_entries) {
281 oldnames->name = TALLOC_ARRAY(oldnames, LSA_TRANS_NAME, names->num_entries);
283 if (!oldnames->name) {
284 return NT_STATUS_NO_MEMORY;
286 for (i = 0; i < names->num_entries; i++) {
287 oldnames->name[i].sid_name_use = names->name[i].sid_name_use;
288 oldnames->name[i].hdr_name = names->name[i].hdr_name;
289 oldnames->name[i].domain_idx = names->name[i].domain_idx;
293 r_l->ptr_dom_ref = ref ? 1 : 0;
295 r_l->names = oldnames;
296 r_l->mapped_count = mapped_count;
300 static NTSTATUS lsa_get_generic_sd(TALLOC_CTX *mem_ctx, SEC_DESC **sd, size_t *sd_size)
302 DOM_SID local_adm_sid;
310 init_sec_access(&mask, POLICY_EXECUTE);
311 init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
313 sid_copy(&adm_sid, get_global_sam_sid());
314 sid_append_rid(&adm_sid, DOMAIN_GROUP_RID_ADMINS);
315 init_sec_access(&mask, POLICY_ALL_ACCESS);
316 init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
318 sid_copy(&local_adm_sid, &global_sid_Builtin);
319 sid_append_rid(&local_adm_sid, BUILTIN_ALIAS_RID_ADMINS);
320 init_sec_access(&mask, POLICY_ALL_ACCESS);
321 init_sec_ace(&ace[2], &local_adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
323 if((psa = make_sec_acl(mem_ctx, NT4_ACL_REVISION, 3, ace)) == NULL)
324 return NT_STATUS_NO_MEMORY;
326 if((*sd = make_sec_desc(mem_ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, &adm_sid, NULL, NULL, psa, sd_size)) == NULL)
327 return NT_STATUS_NO_MEMORY;
332 #if 0 /* AD DC work in ongoing in Samba 4 */
334 /***************************************************************************
336 ***************************************************************************/
338 static void init_dns_dom_info(LSA_DNS_DOM_INFO *r_l, const char *nb_name,
339 const char *dns_name, const char *forest_name,
340 struct uuid *dom_guid, DOM_SID *dom_sid)
342 if (nb_name && *nb_name) {
343 init_unistr2(&r_l->uni_nb_dom_name, nb_name, UNI_FLAGS_NONE);
344 init_uni_hdr(&r_l->hdr_nb_dom_name, &r_l->uni_nb_dom_name);
345 r_l->hdr_nb_dom_name.uni_max_len += 2;
346 r_l->uni_nb_dom_name.uni_max_len += 1;
349 if (dns_name && *dns_name) {
350 init_unistr2(&r_l->uni_dns_dom_name, dns_name, UNI_FLAGS_NONE);
351 init_uni_hdr(&r_l->hdr_dns_dom_name, &r_l->uni_dns_dom_name);
352 r_l->hdr_dns_dom_name.uni_max_len += 2;
353 r_l->uni_dns_dom_name.uni_max_len += 1;
356 if (forest_name && *forest_name) {
357 init_unistr2(&r_l->uni_forest_name, forest_name, UNI_FLAGS_NONE);
358 init_uni_hdr(&r_l->hdr_forest_name, &r_l->uni_forest_name);
359 r_l->hdr_forest_name.uni_max_len += 2;
360 r_l->uni_forest_name.uni_max_len += 1;
363 /* how do we init the guid ? probably should write an init fn */
365 memcpy(&r_l->dom_guid, dom_guid, sizeof(struct uuid));
369 r_l->ptr_dom_sid = 1;
370 init_dom_sid2(&r_l->dom_sid, dom_sid);
373 #endif /* AD DC work in ongoing in Samba 4 */
376 /***************************************************************************
378 ***************************************************************************/
380 NTSTATUS _lsa_open_policy2(pipes_struct *p, LSA_Q_OPEN_POL2 *q_u, LSA_R_OPEN_POL2 *r_u)
382 struct lsa_info *info;
383 SEC_DESC *psd = NULL;
385 uint32 des_access=q_u->des_access;
390 /* map the generic bits to the lsa policy ones */
391 se_map_generic(&des_access, &lsa_generic_mapping);
393 /* get the generic lsa policy SD until we store it */
394 lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size);
396 if(!se_access_check(psd, p->pipe_user.nt_user_token, des_access, &acc_granted, &status)) {
397 if (geteuid() != 0) {
400 DEBUG(4,("ACCESS should be DENIED (granted: %#010x; required: %#010x)\n",
401 acc_granted, des_access));
402 DEBUGADD(4,("but overwritten by euid == 0\n"));
405 /* This is needed for lsa_open_account and rpcclient .... :-) */
408 acc_granted = POLICY_ALL_ACCESS;
410 /* associate the domain SID with the (unique) handle. */
411 if ((info = SMB_MALLOC_P(struct lsa_info)) == NULL)
412 return NT_STATUS_NO_MEMORY;
415 sid_copy(&info->sid,get_global_sam_sid());
416 info->access = acc_granted;
418 /* set up the LSA QUERY INFO response */
419 if (!create_policy_hnd(p, &r_u->pol, free_lsa_info, (void *)info))
420 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
425 /***************************************************************************
427 ***************************************************************************/
429 NTSTATUS _lsa_open_policy(pipes_struct *p, LSA_Q_OPEN_POL *q_u, LSA_R_OPEN_POL *r_u)
431 struct lsa_info *info;
432 SEC_DESC *psd = NULL;
434 uint32 des_access=q_u->des_access;
439 /* map the generic bits to the lsa policy ones */
440 se_map_generic(&des_access, &lsa_generic_mapping);
442 /* get the generic lsa policy SD until we store it */
443 lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size);
445 if(!se_access_check(psd, p->pipe_user.nt_user_token, des_access, &acc_granted, &status)) {
446 if (geteuid() != 0) {
449 DEBUG(4,("ACCESS should be DENIED (granted: %#010x; required: %#010x)\n",
450 acc_granted, des_access));
451 DEBUGADD(4,("but overwritten by euid == 0\n"));
452 acc_granted = des_access;
455 /* associate the domain SID with the (unique) handle. */
456 if ((info = SMB_MALLOC_P(struct lsa_info)) == NULL)
457 return NT_STATUS_NO_MEMORY;
460 sid_copy(&info->sid,get_global_sam_sid());
461 info->access = acc_granted;
463 /* set up the LSA QUERY INFO response */
464 if (!create_policy_hnd(p, &r_u->pol, free_lsa_info, (void *)info))
465 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
470 /***************************************************************************
471 _lsa_enum_trust_dom - this needs fixing to do more than return NULL ! JRA.
473 ***************************************************************************/
475 NTSTATUS _lsa_enum_trust_dom(pipes_struct *p, LSA_Q_ENUM_TRUST_DOM *q_u,
476 LSA_R_ENUM_TRUST_DOM *r_u)
478 struct lsa_info *info;
480 struct trustdom_info **domains;
483 * preferred length is set to 5 as a "our" preferred length
484 * nt sets this parameter to 2
485 * update (20.08.2002): it's not preferred length, but preferred size!
486 * it needs further investigation how to optimally choose this value
488 uint32 max_num_domains =
489 q_u->preferred_len < 5 ? q_u->preferred_len : 10;
494 if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info))
495 return NT_STATUS_INVALID_HANDLE;
497 /* check if the user have enough rights */
498 if (!(info->access & POLICY_VIEW_LOCAL_INFORMATION))
499 return NT_STATUS_ACCESS_DENIED;
501 nt_status = secrets_trusted_domains(p->mem_ctx, &num_domains,
504 if (!NT_STATUS_IS_OK(nt_status)) {
508 if (q_u->enum_context < num_domains) {
509 num_thistime = MIN(num_domains, max_num_domains);
511 r_u->status = STATUS_MORE_ENTRIES;
513 if (q_u->enum_context + num_thistime > num_domains) {
514 num_thistime = num_domains - q_u->enum_context;
515 r_u->status = NT_STATUS_OK;
518 next_idx = q_u->enum_context + num_thistime;
521 next_idx = 0xffffffff;
522 r_u->status = NT_STATUS_NO_MORE_ENTRIES;
525 /* set up the lsa_enum_trust_dom response */
527 init_r_enum_trust_dom(p->mem_ctx, r_u, next_idx,
528 num_thistime, domains+q_u->enum_context);
533 /***************************************************************************
534 _lsa_query_info. See the POLICY_INFOMATION_CLASS docs at msdn.
535 ***************************************************************************/
537 NTSTATUS _lsa_query_info(pipes_struct *p, LSA_Q_QUERY_INFO *q_u, LSA_R_QUERY_INFO *r_u)
539 struct lsa_info *handle;
540 LSA_INFO_UNION *info = &r_u->dom;
545 r_u->status = NT_STATUS_OK;
547 if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&handle))
548 return NT_STATUS_INVALID_HANDLE;
550 switch (q_u->info_class) {
554 /* check if the user have enough rights */
555 if (!(handle->access & POLICY_VIEW_AUDIT_INFORMATION))
556 return NT_STATUS_ACCESS_DENIED;
558 /* fake info: We audit everything. ;) */
559 info->id2.auditing_enabled = 1;
560 info->id2.count1 = 7;
561 info->id2.count2 = 7;
562 if ((info->id2.auditsettings = TALLOC_ARRAY(p->mem_ctx,uint32, 7)) == NULL)
563 return NT_STATUS_NO_MEMORY;
564 for (i = 0; i < 7; i++)
565 info->id2.auditsettings[i] = 3;
569 /* check if the user have enough rights */
570 if (!(handle->access & POLICY_VIEW_LOCAL_INFORMATION))
571 return NT_STATUS_ACCESS_DENIED;
573 /* Request PolicyPrimaryDomainInformation. */
574 switch (lp_server_role()) {
575 case ROLE_DOMAIN_PDC:
576 case ROLE_DOMAIN_BDC:
577 name = get_global_sam_name();
578 sid = get_global_sam_sid();
580 case ROLE_DOMAIN_MEMBER:
581 name = lp_workgroup();
582 /* We need to return the Domain SID here. */
583 if (secrets_fetch_domain_sid(lp_workgroup(), &domain_sid))
586 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
588 case ROLE_STANDALONE:
589 name = lp_workgroup();
593 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
595 init_dom_query(&r_u->dom.id3, name, sid);
598 /* check if the user have enough rights */
599 if (!(handle->access & POLICY_VIEW_LOCAL_INFORMATION))
600 return NT_STATUS_ACCESS_DENIED;
602 /* Request PolicyAccountDomainInformation. */
603 name = get_global_sam_name();
604 sid = get_global_sam_sid();
605 init_dom_query(&r_u->dom.id5, name, sid);
608 /* check if the user have enough rights */
609 if (!(handle->access & POLICY_VIEW_LOCAL_INFORMATION))
610 return NT_STATUS_ACCESS_DENIED;
612 switch (lp_server_role()) {
613 case ROLE_DOMAIN_BDC:
615 * only a BDC is a backup controller
616 * of the domain, it controls.
618 info->id6.server_role = 2;
622 * any other role is a primary
623 * of the domain, it controls.
625 info->id6.server_role = 3;
630 DEBUG(0,("_lsa_query_info: unknown info level in Lsa Query: %d\n", q_u->info_class));
631 r_u->status = NT_STATUS_INVALID_INFO_CLASS;
635 if (NT_STATUS_IS_OK(r_u->status)) {
636 r_u->undoc_buffer = 0x22000000; /* bizarre */
637 r_u->info_class = q_u->info_class;
643 /***************************************************************************
644 _lsa_lookup_sids_internal
645 ***************************************************************************/
647 static NTSTATUS _lsa_lookup_sids_internal(pipes_struct *p,
648 uint16 level, /* input */
649 int num_sids, /* input */
650 const DOM_SID2 *sid, /* input */
651 DOM_R_REF **pp_ref, /* output */
652 LSA_TRANS_NAME_ENUM2 **pp_names, /* output */
653 uint32 *pp_mapped_count)
657 const DOM_SID **sids = NULL;
658 LSA_TRANS_NAME_ENUM2 *names = NULL;
659 DOM_R_REF *ref = NULL;
660 uint32 mapped_count = 0;
661 struct lsa_dom_info *dom_infos = NULL;
662 struct lsa_name_info *name_infos = NULL;
664 *pp_mapped_count = 0;
668 names = TALLOC_ZERO_P(p->mem_ctx, LSA_TRANS_NAME_ENUM2);
669 sids = TALLOC_ARRAY(p->mem_ctx, const DOM_SID *, num_sids);
670 ref = TALLOC_ZERO_P(p->mem_ctx, DOM_R_REF);
672 if (sids == NULL || names == NULL || ref == NULL) {
673 return NT_STATUS_NO_MEMORY;
676 for (i=0; i<num_sids; i++) {
677 sids[i] = &sid[i].sid;
680 status = lookup_sids(p->mem_ctx, num_sids, sids, level,
681 &dom_infos, &name_infos);
683 if (!NT_STATUS_IS_OK(status)) {
688 names->name = TALLOC_ARRAY(names, LSA_TRANS_NAME2, num_sids);
689 names->uni_name = TALLOC_ARRAY(names, UNISTR2, num_sids);
690 if ((names->name == NULL) || (names->uni_name == NULL)) {
691 return NT_STATUS_NO_MEMORY;
695 for (i=0; i<MAX_REF_DOMAINS; i++) {
697 if (!dom_infos[i].valid) {
701 if (init_dom_ref(ref, dom_infos[i].name,
702 &dom_infos[i].sid) != i) {
703 DEBUG(0, ("Domain %s mentioned twice??\n",
705 return NT_STATUS_INTERNAL_ERROR;
709 for (i=0; i<num_sids; i++) {
710 struct lsa_name_info *name = &name_infos[i];
712 if (name->type == SID_NAME_UNKNOWN) {
714 name->name = talloc_asprintf(p->mem_ctx, "%8.8x",
716 if (name->name == NULL) {
717 return NT_STATUS_NO_MEMORY;
722 init_lsa_trans_name2(&names->name[i], &names->uni_name[i],
723 name->type, name->name, name->dom_idx);
726 names->num_entries = num_sids;
727 names->ptr_trans_names = 1;
728 names->num_entries2 = num_sids;
730 status = NT_STATUS_NONE_MAPPED;
731 if (mapped_count > 0) {
732 status = (mapped_count < num_sids) ?
733 STATUS_SOME_UNMAPPED : NT_STATUS_OK;
736 DEBUG(10, ("num_sids %d, mapped_count %d, status %s\n",
737 num_sids, mapped_count, nt_errstr(status)));
739 *pp_mapped_count = mapped_count;
746 /***************************************************************************
748 ***************************************************************************/
750 NTSTATUS _lsa_lookup_sids(pipes_struct *p,
751 LSA_Q_LOOKUP_SIDS *q_u,
752 LSA_R_LOOKUP_SIDS *r_u)
754 struct lsa_info *handle;
755 int num_sids = q_u->sids.num_entries;
756 uint32 mapped_count = 0;
757 DOM_R_REF *ref = NULL;
758 LSA_TRANS_NAME_ENUM2 *names = NULL;
761 if ((q_u->level < 1) || (q_u->level > 6)) {
762 return NT_STATUS_INVALID_PARAMETER;
765 if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&handle)) {
766 return NT_STATUS_INVALID_HANDLE;
769 /* check if the user has enough rights */
770 if (!(handle->access & POLICY_LOOKUP_NAMES)) {
771 return NT_STATUS_ACCESS_DENIED;
774 if (num_sids > MAX_LOOKUP_SIDS) {
775 DEBUG(5,("_lsa_lookup_sids: limit of %d exceeded, requested %d\n",
776 MAX_LOOKUP_SIDS, num_sids));
777 return NT_STATUS_NONE_MAPPED;
780 r_u->status = _lsa_lookup_sids_internal(p,
788 /* Convert from LSA_TRANS_NAME_ENUM2 to LSA_TRANS_NAME_ENUM */
790 status = init_reply_lookup_sids(p->mem_ctx, r_u, ref, names, mapped_count);
791 if (!NT_STATUS_IS_OK(status)) {
797 /***************************************************************************
799 ***************************************************************************/
801 NTSTATUS _lsa_lookup_sids2(pipes_struct *p,
802 LSA_Q_LOOKUP_SIDS2 *q_u,
803 LSA_R_LOOKUP_SIDS2 *r_u)
805 struct lsa_info *handle;
806 int num_sids = q_u->sids.num_entries;
807 uint32 mapped_count = 0;
808 DOM_R_REF *ref = NULL;
809 LSA_TRANS_NAME_ENUM2 *names = NULL;
811 if ((q_u->level < 1) || (q_u->level > 6)) {
812 return NT_STATUS_INVALID_PARAMETER;
815 if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&handle)) {
816 return NT_STATUS_INVALID_HANDLE;
819 /* check if the user have enough rights */
820 if (!(handle->access & POLICY_LOOKUP_NAMES)) {
821 return NT_STATUS_ACCESS_DENIED;
824 if (num_sids > MAX_LOOKUP_SIDS) {
825 DEBUG(5,("_lsa_lookup_sids2: limit of %d exceeded, requested %d\n",
826 MAX_LOOKUP_SIDS, num_sids));
827 return NT_STATUS_NONE_MAPPED;
830 r_u->status = _lsa_lookup_sids_internal(p,
838 init_reply_lookup_sids2(r_u, ref, names, mapped_count);
842 /***************************************************************************
844 ***************************************************************************/
846 NTSTATUS _lsa_lookup_sids3(pipes_struct *p,
847 LSA_Q_LOOKUP_SIDS3 *q_u,
848 LSA_R_LOOKUP_SIDS3 *r_u)
850 int num_sids = q_u->sids.num_entries;
851 uint32 mapped_count = 0;
852 DOM_R_REF *ref = NULL;
853 LSA_TRANS_NAME_ENUM2 *names = NULL;
855 if ((q_u->level < 1) || (q_u->level > 6)) {
856 return NT_STATUS_INVALID_PARAMETER;
859 /* No policy handle on this call. Restrict to crypto connections. */
860 if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
861 DEBUG(0,("_lsa_lookup_sids3: client %s not using schannel for netlogon\n",
862 get_remote_machine_name() ));
863 return NT_STATUS_INVALID_PARAMETER;
866 if (num_sids > MAX_LOOKUP_SIDS) {
867 DEBUG(5,("_lsa_lookup_sids3: limit of %d exceeded, requested %d\n",
868 MAX_LOOKUP_SIDS, num_sids));
869 return NT_STATUS_NONE_MAPPED;
872 r_u->status = _lsa_lookup_sids_internal(p,
880 init_reply_lookup_sids3(r_u, ref, names, mapped_count);
884 /***************************************************************************
885 lsa_reply_lookup_names
886 ***************************************************************************/
888 NTSTATUS _lsa_lookup_names(pipes_struct *p,LSA_Q_LOOKUP_NAMES *q_u, LSA_R_LOOKUP_NAMES *r_u)
890 struct lsa_info *handle;
891 UNISTR2 *names = q_u->uni_name;
892 int num_entries = q_u->num_entries;
895 uint32 mapped_count = 0;
898 if (num_entries > MAX_LOOKUP_SIDS) {
899 num_entries = MAX_LOOKUP_SIDS;
900 DEBUG(5,("_lsa_lookup_names: truncating name lookup list to %d\n", num_entries));
903 /* Probably the lookup_level is some sort of bitmask. */
904 if (q_u->lookup_level == 1) {
905 flags = LOOKUP_NAME_ALL;
908 ref = TALLOC_ZERO_P(p->mem_ctx, DOM_R_REF);
909 rids = TALLOC_ZERO_ARRAY(p->mem_ctx, DOM_RID, num_entries);
911 if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&handle)) {
912 r_u->status = NT_STATUS_INVALID_HANDLE;
916 /* check if the user have enough rights */
917 if (!(handle->access & POLICY_LOOKUP_NAMES)) {
918 r_u->status = NT_STATUS_ACCESS_DENIED;
923 return NT_STATUS_NO_MEMORY;
925 /* set up the LSA Lookup RIDs response */
926 mapped_count = init_lsa_rids(p->mem_ctx, ref, rids, num_entries,
930 if (NT_STATUS_IS_OK(r_u->status)) {
931 if (mapped_count == 0)
932 r_u->status = NT_STATUS_NONE_MAPPED;
933 else if (mapped_count != num_entries)
934 r_u->status = STATUS_SOME_UNMAPPED;
936 init_reply_lookup_names(r_u, ref, num_entries, rids, mapped_count);
941 /***************************************************************************
942 _lsa_close. Also weird - needs to check if lsa handle is correct. JRA.
943 ***************************************************************************/
945 NTSTATUS _lsa_close(pipes_struct *p, LSA_Q_CLOSE *q_u, LSA_R_CLOSE *r_u)
947 if (!find_policy_by_hnd(p, &q_u->pol, NULL))
948 return NT_STATUS_INVALID_HANDLE;
950 close_policy_hnd(p, &q_u->pol);
954 /***************************************************************************
955 ***************************************************************************/
957 NTSTATUS _lsa_open_secret(pipes_struct *p, LSA_Q_OPEN_SECRET *q_u, LSA_R_OPEN_SECRET *r_u)
959 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
962 /***************************************************************************
963 ***************************************************************************/
965 NTSTATUS _lsa_open_trusted_domain(pipes_struct *p, LSA_Q_OPEN_TRUSTED_DOMAIN *q_u, LSA_R_OPEN_TRUSTED_DOMAIN *r_u)
967 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
970 /***************************************************************************
971 ***************************************************************************/
973 NTSTATUS _lsa_create_trusted_domain(pipes_struct *p, LSA_Q_CREATE_TRUSTED_DOMAIN *q_u, LSA_R_CREATE_TRUSTED_DOMAIN *r_u)
975 return NT_STATUS_ACCESS_DENIED;
978 /***************************************************************************
979 ***************************************************************************/
981 NTSTATUS _lsa_create_secret(pipes_struct *p, LSA_Q_CREATE_SECRET *q_u, LSA_R_CREATE_SECRET *r_u)
983 return NT_STATUS_ACCESS_DENIED;
986 /***************************************************************************
987 ***************************************************************************/
989 NTSTATUS _lsa_set_secret(pipes_struct *p, LSA_Q_SET_SECRET *q_u, LSA_R_SET_SECRET *r_u)
991 return NT_STATUS_ACCESS_DENIED;
994 /***************************************************************************
995 ***************************************************************************/
997 NTSTATUS _lsa_delete_object(pipes_struct *p, LSA_Q_DELETE_OBJECT *q_u, LSA_R_DELETE_OBJECT *r_u)
999 return NT_STATUS_ACCESS_DENIED;
1002 /***************************************************************************
1004 ***************************************************************************/
1006 NTSTATUS _lsa_enum_privs(pipes_struct *p, LSA_Q_ENUM_PRIVS *q_u, LSA_R_ENUM_PRIVS *r_u)
1008 struct lsa_info *handle;
1010 uint32 enum_context = q_u->enum_context;
1011 int num_privs = count_all_privileges();
1012 LSA_PRIV_ENTRY *entries = NULL;
1015 /* remember that the enum_context starts at 0 and not 1 */
1017 if ( enum_context >= num_privs )
1018 return NT_STATUS_NO_MORE_ENTRIES;
1020 DEBUG(10,("_lsa_enum_privs: enum_context:%d total entries:%d\n",
1021 enum_context, num_privs));
1023 if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&handle))
1024 return NT_STATUS_INVALID_HANDLE;
1026 /* check if the user have enough rights
1027 I don't know if it's the right one. not documented. */
1029 if (!(handle->access & POLICY_VIEW_LOCAL_INFORMATION))
1030 return NT_STATUS_ACCESS_DENIED;
1032 if ( !(entries = TALLOC_ZERO_ARRAY(p->mem_ctx, LSA_PRIV_ENTRY, num_privs )) )
1033 return NT_STATUS_NO_MEMORY;
1035 for (i = 0; i < num_privs; i++) {
1036 if( i < enum_context) {
1037 init_unistr2(&entries[i].name, NULL, UNI_FLAGS_NONE);
1038 init_uni_hdr(&entries[i].hdr_name, &entries[i].name);
1040 entries[i].luid_low = 0;
1041 entries[i].luid_high = 0;
1043 init_unistr2(&entries[i].name, privs[i].name, UNI_FLAGS_NONE);
1044 init_uni_hdr(&entries[i].hdr_name, &entries[i].name);
1046 luid = get_privilege_luid( &privs[i].se_priv );
1048 entries[i].luid_low = luid.luid.low;
1049 entries[i].luid_high = luid.luid.high;
1053 enum_context = num_privs;
1055 init_lsa_r_enum_privs(r_u, enum_context, num_privs, entries);
1057 return NT_STATUS_OK;
1060 /***************************************************************************
1061 _lsa_priv_get_dispname.
1062 ***************************************************************************/
1064 NTSTATUS _lsa_priv_get_dispname(pipes_struct *p, LSA_Q_PRIV_GET_DISPNAME *q_u, LSA_R_PRIV_GET_DISPNAME *r_u)
1066 struct lsa_info *handle;
1068 const char *description;
1070 if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&handle))
1071 return NT_STATUS_INVALID_HANDLE;
1073 /* check if the user have enough rights */
1076 * I don't know if it's the right one. not documented.
1078 if (!(handle->access & POLICY_VIEW_LOCAL_INFORMATION))
1079 return NT_STATUS_ACCESS_DENIED;
1081 unistr2_to_ascii(name_asc, &q_u->name, sizeof(name_asc));
1083 DEBUG(10,("_lsa_priv_get_dispname: name = %s\n", name_asc));
1085 description = get_privilege_dispname( name_asc );
1087 if ( description ) {
1088 DEBUG(10,("_lsa_priv_get_dispname: display name = %s\n", description));
1090 init_unistr2(&r_u->desc, description, UNI_FLAGS_NONE);
1091 init_uni_hdr(&r_u->hdr_desc, &r_u->desc);
1093 r_u->ptr_info = 0xdeadbeef;
1094 r_u->lang_id = q_u->lang_id;
1096 return NT_STATUS_OK;
1098 DEBUG(10,("_lsa_priv_get_dispname: doesn't exist\n"));
1102 return NT_STATUS_NO_SUCH_PRIVILEGE;
1106 /***************************************************************************
1108 ***************************************************************************/
1110 NTSTATUS _lsa_enum_accounts(pipes_struct *p, LSA_Q_ENUM_ACCOUNTS *q_u, LSA_R_ENUM_ACCOUNTS *r_u)
1112 struct lsa_info *handle;
1114 int i, j, num_entries;
1115 LSA_SID_ENUM *sids=&r_u->sids;
1118 if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&handle))
1119 return NT_STATUS_INVALID_HANDLE;
1121 if (!(handle->access & POLICY_VIEW_LOCAL_INFORMATION))
1122 return NT_STATUS_ACCESS_DENIED;
1127 /* The only way we can currently find out all the SIDs that have been
1128 privileged is to scan all privileges */
1130 if (!NT_STATUS_IS_OK(ret = privilege_enumerate_accounts(&sid_list, &num_entries))) {
1134 if (q_u->enum_context >= num_entries)
1135 return NT_STATUS_NO_MORE_ENTRIES;
1137 sids->ptr_sid = TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, num_entries-q_u->enum_context);
1138 sids->sid = TALLOC_ZERO_ARRAY(p->mem_ctx, DOM_SID2, num_entries-q_u->enum_context);
1140 if (sids->ptr_sid==NULL || sids->sid==NULL) {
1141 SAFE_FREE(sid_list);
1142 return NT_STATUS_NO_MEMORY;
1145 for (i = q_u->enum_context, j = 0; i < num_entries; i++, j++) {
1146 init_dom_sid2(&(*sids).sid[j], &sid_list[i]);
1147 (*sids).ptr_sid[j] = 1;
1150 SAFE_FREE(sid_list);
1152 init_lsa_r_enum_accounts(r_u, num_entries);
1154 return NT_STATUS_OK;
1158 NTSTATUS _lsa_unk_get_connuser(pipes_struct *p, LSA_Q_UNK_GET_CONNUSER *q_u, LSA_R_UNK_GET_CONNUSER *r_u)
1160 fstring username, domname;
1161 user_struct *vuser = get_valid_user_struct(p->vuid);
1164 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
1166 fstrcpy(username, vuser->user.smb_name);
1167 fstrcpy(domname, vuser->user.domain);
1169 r_u->ptr_user_name = 1;
1170 init_unistr2(&r_u->uni2_user_name, username, UNI_STR_TERMINATE);
1171 init_uni_hdr(&r_u->hdr_user_name, &r_u->uni2_user_name);
1175 r_u->ptr_dom_name = 1;
1176 init_unistr2(&r_u->uni2_dom_name, domname, UNI_STR_TERMINATE);
1177 init_uni_hdr(&r_u->hdr_dom_name, &r_u->uni2_dom_name);
1179 r_u->status = NT_STATUS_OK;
1184 /***************************************************************************
1186 ***************************************************************************/
1188 NTSTATUS _lsa_create_account(pipes_struct *p, LSA_Q_CREATEACCOUNT *q_u, LSA_R_CREATEACCOUNT *r_u)
1190 struct lsa_info *handle;
1191 struct lsa_info *info;
1193 /* find the connection policy handle. */
1194 if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&handle))
1195 return NT_STATUS_INVALID_HANDLE;
1197 /* check if the user have enough rights */
1200 * I don't know if it's the right one. not documented.
1201 * but guessed with rpcclient.
1203 if (!(handle->access & POLICY_GET_PRIVATE_INFORMATION))
1204 return NT_STATUS_ACCESS_DENIED;
1206 /* check to see if the pipe_user is a Domain Admin since
1207 account_pol.tdb was already opened as root, this is all we have */
1209 if ( !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
1210 return NT_STATUS_ACCESS_DENIED;
1212 if ( is_privileged_sid( &q_u->sid.sid ) )
1213 return NT_STATUS_OBJECT_NAME_COLLISION;
1215 /* associate the user/group SID with the (unique) handle. */
1217 if ((info = SMB_MALLOC_P(struct lsa_info)) == NULL)
1218 return NT_STATUS_NO_MEMORY;
1221 info->sid = q_u->sid.sid;
1222 info->access = q_u->access;
1224 /* get a (unique) handle. open a policy on it. */
1225 if (!create_policy_hnd(p, &r_u->pol, free_lsa_info, (void *)info))
1226 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1228 return privilege_create_account( &info->sid );
1232 /***************************************************************************
1234 ***************************************************************************/
1236 NTSTATUS _lsa_open_account(pipes_struct *p, LSA_Q_OPENACCOUNT *q_u, LSA_R_OPENACCOUNT *r_u)
1238 struct lsa_info *handle;
1239 struct lsa_info *info;
1241 /* find the connection policy handle. */
1242 if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&handle))
1243 return NT_STATUS_INVALID_HANDLE;
1245 /* check if the user have enough rights */
1248 * I don't know if it's the right one. not documented.
1249 * but guessed with rpcclient.
1251 if (!(handle->access & POLICY_GET_PRIVATE_INFORMATION))
1252 return NT_STATUS_ACCESS_DENIED;
1254 /* TODO: Fis the parsing routine before reenabling this check! */
1256 if (!lookup_sid(&handle->sid, dom_name, name, &type))
1257 return NT_STATUS_ACCESS_DENIED;
1259 /* associate the user/group SID with the (unique) handle. */
1260 if ((info = SMB_MALLOC_P(struct lsa_info)) == NULL)
1261 return NT_STATUS_NO_MEMORY;
1264 info->sid = q_u->sid.sid;
1265 info->access = q_u->access;
1267 /* get a (unique) handle. open a policy on it. */
1268 if (!create_policy_hnd(p, &r_u->pol, free_lsa_info, (void *)info))
1269 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1271 return NT_STATUS_OK;
1274 /***************************************************************************
1275 For a given SID, enumerate all the privilege this account has.
1276 ***************************************************************************/
1278 NTSTATUS _lsa_enum_privsaccount(pipes_struct *p, prs_struct *ps, LSA_Q_ENUMPRIVSACCOUNT *q_u, LSA_R_ENUMPRIVSACCOUNT *r_u)
1280 struct lsa_info *info=NULL;
1282 PRIVILEGE_SET privileges;
1284 /* find the connection policy handle. */
1285 if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info))
1286 return NT_STATUS_INVALID_HANDLE;
1288 if ( !get_privileges_for_sids( &mask, &info->sid, 1 ) )
1289 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1291 privilege_set_init( &privileges );
1293 if ( se_priv_to_privilege_set( &privileges, &mask ) ) {
1295 DEBUG(10,("_lsa_enum_privsaccount: %s has %d privileges\n",
1296 sid_string_static(&info->sid), privileges.count));
1298 r_u->status = init_lsa_r_enum_privsaccount(ps->mem_ctx, r_u, privileges.set, privileges.count, 0);
1301 r_u->status = NT_STATUS_NO_SUCH_PRIVILEGE;
1303 privilege_set_free( &privileges );
1308 /***************************************************************************
1310 ***************************************************************************/
1312 NTSTATUS _lsa_getsystemaccount(pipes_struct *p, LSA_Q_GETSYSTEMACCOUNT *q_u, LSA_R_GETSYSTEMACCOUNT *r_u)
1314 struct lsa_info *info=NULL;
1316 /* find the connection policy handle. */
1318 if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info))
1319 return NT_STATUS_INVALID_HANDLE;
1321 if (!lookup_sid(p->mem_ctx, &info->sid, NULL, NULL, NULL))
1322 return NT_STATUS_ACCESS_DENIED;
1325 0x01 -> Log on locally
1326 0x02 -> Access this computer from network
1327 0x04 -> Log on as a batch job
1328 0x10 -> Log on as a service
1330 they can be ORed together
1333 r_u->access = PR_LOG_ON_LOCALLY | PR_ACCESS_FROM_NETWORK;
1335 return NT_STATUS_OK;
1338 /***************************************************************************
1339 update the systemaccount information
1340 ***************************************************************************/
1342 NTSTATUS _lsa_setsystemaccount(pipes_struct *p, LSA_Q_SETSYSTEMACCOUNT *q_u, LSA_R_SETSYSTEMACCOUNT *r_u)
1344 struct lsa_info *info=NULL;
1346 r_u->status = NT_STATUS_OK;
1348 /* find the connection policy handle. */
1349 if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info))
1350 return NT_STATUS_INVALID_HANDLE;
1352 /* check to see if the pipe_user is a Domain Admin since
1353 account_pol.tdb was already opened as root, this is all we have */
1355 if ( !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
1356 return NT_STATUS_ACCESS_DENIED;
1358 if (!pdb_getgrsid(&map, info->sid))
1359 return NT_STATUS_NO_SUCH_GROUP;
1361 return pdb_update_group_mapping_entry(&map);
1364 /***************************************************************************
1365 For a given SID, add some privileges.
1366 ***************************************************************************/
1368 NTSTATUS _lsa_addprivs(pipes_struct *p, LSA_Q_ADDPRIVS *q_u, LSA_R_ADDPRIVS *r_u)
1370 struct lsa_info *info = NULL;
1372 PRIVILEGE_SET *set = NULL;
1373 struct current_user user;
1375 /* find the connection policy handle. */
1376 if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info))
1377 return NT_STATUS_INVALID_HANDLE;
1379 /* check to see if the pipe_user is root or a Domain Admin since
1380 account_pol.tdb was already opened as root, this is all we have */
1382 get_current_user( &user, p );
1383 if ( user.ut.uid != sec_initial_uid()
1384 && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
1386 return NT_STATUS_ACCESS_DENIED;
1391 if ( !privilege_set_to_se_priv( &mask, set ) )
1392 return NT_STATUS_NO_SUCH_PRIVILEGE;
1394 if ( !grant_privilege( &info->sid, &mask ) ) {
1395 DEBUG(3,("_lsa_addprivs: grant_privilege(%s) failed!\n",
1396 sid_string_static(&info->sid) ));
1397 DEBUG(3,("Privilege mask:\n"));
1398 dump_se_priv( DBGC_ALL, 3, &mask );
1399 return NT_STATUS_NO_SUCH_PRIVILEGE;
1402 return NT_STATUS_OK;
1405 /***************************************************************************
1406 For a given SID, remove some privileges.
1407 ***************************************************************************/
1409 NTSTATUS _lsa_removeprivs(pipes_struct *p, LSA_Q_REMOVEPRIVS *q_u, LSA_R_REMOVEPRIVS *r_u)
1411 struct lsa_info *info = NULL;
1413 PRIVILEGE_SET *set = NULL;
1414 struct current_user user;
1416 /* find the connection policy handle. */
1417 if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info))
1418 return NT_STATUS_INVALID_HANDLE;
1420 /* check to see if the pipe_user is root or a Domain Admin since
1421 account_pol.tdb was already opened as root, this is all we have */
1423 get_current_user( &user, p );
1424 if ( user.ut.uid != sec_initial_uid()
1425 && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
1427 return NT_STATUS_ACCESS_DENIED;
1432 if ( !privilege_set_to_se_priv( &mask, set ) )
1433 return NT_STATUS_NO_SUCH_PRIVILEGE;
1435 if ( !revoke_privilege( &info->sid, &mask ) ) {
1436 DEBUG(3,("_lsa_removeprivs: revoke_privilege(%s) failed!\n",
1437 sid_string_static(&info->sid) ));
1438 DEBUG(3,("Privilege mask:\n"));
1439 dump_se_priv( DBGC_ALL, 3, &mask );
1440 return NT_STATUS_NO_SUCH_PRIVILEGE;
1443 return NT_STATUS_OK;
1446 /***************************************************************************
1447 For a given SID, remove some privileges.
1448 ***************************************************************************/
1450 NTSTATUS _lsa_query_secobj(pipes_struct *p, LSA_Q_QUERY_SEC_OBJ *q_u, LSA_R_QUERY_SEC_OBJ *r_u)
1452 struct lsa_info *handle=NULL;
1453 SEC_DESC *psd = NULL;
1457 r_u->status = NT_STATUS_OK;
1459 /* find the connection policy handle. */
1460 if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&handle))
1461 return NT_STATUS_INVALID_HANDLE;
1463 /* check if the user have enough rights */
1464 if (!(handle->access & POLICY_VIEW_LOCAL_INFORMATION))
1465 return NT_STATUS_ACCESS_DENIED;
1468 switch (q_u->sec_info) {
1470 /* SD contains only the owner */
1472 status=lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size);
1473 if(!NT_STATUS_IS_OK(status))
1474 return NT_STATUS_NO_MEMORY;
1477 if((r_u->buf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL)
1478 return NT_STATUS_NO_MEMORY;
1481 /* SD contains only the ACL */
1483 status=lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size);
1484 if(!NT_STATUS_IS_OK(status))
1485 return NT_STATUS_NO_MEMORY;
1487 if((r_u->buf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL)
1488 return NT_STATUS_NO_MEMORY;
1491 return NT_STATUS_INVALID_LEVEL;
1499 #if 0 /* AD DC work in ongoing in Samba 4 */
1501 /***************************************************************************
1502 ***************************************************************************/
1504 NTSTATUS _lsa_query_info2(pipes_struct *p, LSA_Q_QUERY_INFO2 *q_u, LSA_R_QUERY_INFO2 *r_u)
1506 struct lsa_info *handle;
1507 const char *nb_name;
1508 char *dns_name = NULL;
1509 char *forest_name = NULL;
1510 DOM_SID *sid = NULL;
1515 r_u->status = NT_STATUS_OK;
1517 if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&handle))
1518 return NT_STATUS_INVALID_HANDLE;
1520 switch (q_u->info_class) {
1522 /* check if the user have enough rights */
1523 if (!(handle->access & POLICY_VIEW_LOCAL_INFORMATION))
1524 return NT_STATUS_ACCESS_DENIED;
1526 /* Request PolicyPrimaryDomainInformation. */
1527 switch (lp_server_role()) {
1528 case ROLE_DOMAIN_PDC:
1529 case ROLE_DOMAIN_BDC:
1530 nb_name = get_global_sam_name();
1531 /* ugly temp hack for these next two */
1533 /* This should be a 'netbios domain -> DNS domain' mapping */
1534 dnsdomname[0] = '\0';
1535 get_mydnsdomname(dnsdomname);
1536 strlower_m(dnsdomname);
1538 dns_name = dnsdomname;
1539 forest_name = dnsdomname;
1541 sid = get_global_sam_sid();
1542 secrets_fetch_domain_guid(lp_workgroup(), &guid);
1545 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
1547 init_dns_dom_info(&r_u->info.dns_dom_info, nb_name, dns_name,
1548 forest_name,&guid,sid);
1551 DEBUG(0,("_lsa_query_info2: unknown info level in Lsa Query: %d\n", q_u->info_class));
1552 r_u->status = NT_STATUS_INVALID_INFO_CLASS;
1556 if (NT_STATUS_IS_OK(r_u->status)) {
1558 r_u->info_class = q_u->info_class;
1563 #endif /* AD DC work in ongoing in Samba 4 */
1565 /***************************************************************************
1566 ***************************************************************************/
1568 NTSTATUS _lsa_add_acct_rights(pipes_struct *p, LSA_Q_ADD_ACCT_RIGHTS *q_u, LSA_R_ADD_ACCT_RIGHTS *r_u)
1570 struct lsa_info *info = NULL;
1574 UNISTR4_ARRAY *uni_privnames = q_u->rights;
1575 struct current_user user;
1578 /* find the connection policy handle. */
1579 if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info))
1580 return NT_STATUS_INVALID_HANDLE;
1582 /* check to see if the pipe_user is a Domain Admin since
1583 account_pol.tdb was already opened as root, this is all we have */
1585 get_current_user( &user, p );
1586 if ( user.ut.uid != sec_initial_uid()
1587 && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
1589 return NT_STATUS_ACCESS_DENIED;
1592 /* according to an NT4 PDC, you can add privileges to SIDs even without
1593 call_lsa_create_account() first. And you can use any arbitrary SID. */
1595 sid_copy( &sid, &q_u->sid.sid );
1597 /* just a little sanity check */
1599 if ( q_u->count != uni_privnames->count ) {
1600 DEBUG(0,("_lsa_add_acct_rights: count != number of UNISTR2 elements!\n"));
1601 return NT_STATUS_INVALID_HANDLE;
1604 for ( i=0; i<q_u->count; i++ ) {
1605 UNISTR4 *uni4_str = &uni_privnames->strings[i];
1607 /* only try to add non-null strings */
1609 if ( !uni4_str->string )
1612 rpcstr_pull( privname, uni4_str->string->buffer, sizeof(privname), -1, STR_TERMINATE );
1614 if ( !grant_privilege_by_name( &sid, privname ) ) {
1615 DEBUG(2,("_lsa_add_acct_rights: Failed to add privilege [%s]\n", privname ));
1616 return NT_STATUS_NO_SUCH_PRIVILEGE;
1620 return NT_STATUS_OK;
1623 /***************************************************************************
1624 ***************************************************************************/
1626 NTSTATUS _lsa_remove_acct_rights(pipes_struct *p, LSA_Q_REMOVE_ACCT_RIGHTS *q_u, LSA_R_REMOVE_ACCT_RIGHTS *r_u)
1628 struct lsa_info *info = NULL;
1632 UNISTR4_ARRAY *uni_privnames = q_u->rights;
1633 struct current_user user;
1636 /* find the connection policy handle. */
1637 if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info))
1638 return NT_STATUS_INVALID_HANDLE;
1640 /* check to see if the pipe_user is a Domain Admin since
1641 account_pol.tdb was already opened as root, this is all we have */
1643 get_current_user( &user, p );
1644 if ( user.ut.uid != sec_initial_uid()
1645 && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
1647 return NT_STATUS_ACCESS_DENIED;
1650 sid_copy( &sid, &q_u->sid.sid );
1652 if ( q_u->removeall ) {
1653 if ( !revoke_all_privileges( &sid ) )
1654 return NT_STATUS_ACCESS_DENIED;
1656 return NT_STATUS_OK;
1659 /* just a little sanity check */
1661 if ( q_u->count != uni_privnames->count ) {
1662 DEBUG(0,("_lsa_add_acct_rights: count != number of UNISTR2 elements!\n"));
1663 return NT_STATUS_INVALID_HANDLE;
1666 for ( i=0; i<q_u->count; i++ ) {
1667 UNISTR4 *uni4_str = &uni_privnames->strings[i];
1669 /* only try to add non-null strings */
1671 if ( !uni4_str->string )
1674 rpcstr_pull( privname, uni4_str->string->buffer, sizeof(privname), -1, STR_TERMINATE );
1676 if ( !revoke_privilege_by_name( &sid, privname ) ) {
1677 DEBUG(2,("_lsa_remove_acct_rights: Failed to revoke privilege [%s]\n", privname ));
1678 return NT_STATUS_NO_SUCH_PRIVILEGE;
1682 return NT_STATUS_OK;
1686 /***************************************************************************
1687 ***************************************************************************/
1689 NTSTATUS _lsa_enum_acct_rights(pipes_struct *p, LSA_Q_ENUM_ACCT_RIGHTS *q_u, LSA_R_ENUM_ACCT_RIGHTS *r_u)
1691 struct lsa_info *info = NULL;
1693 PRIVILEGE_SET privileges;
1697 /* find the connection policy handle. */
1699 if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info))
1700 return NT_STATUS_INVALID_HANDLE;
1702 /* according to an NT4 PDC, you can add privileges to SIDs even without
1703 call_lsa_create_account() first. And you can use any arbitrary SID. */
1705 sid_copy( &sid, &q_u->sid.sid );
1707 if ( !get_privileges_for_sids( &mask, &sid, 1 ) )
1708 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1710 privilege_set_init( &privileges );
1712 if ( se_priv_to_privilege_set( &privileges, &mask ) ) {
1714 DEBUG(10,("_lsa_enum_acct_rights: %s has %d privileges\n",
1715 sid_string_static(&sid), privileges.count));
1717 r_u->status = init_r_enum_acct_rights( r_u, &privileges );
1720 r_u->status = NT_STATUS_NO_SUCH_PRIVILEGE;
1722 privilege_set_free( &privileges );
1728 /***************************************************************************
1729 ***************************************************************************/
1731 NTSTATUS _lsa_lookup_priv_value(pipes_struct *p, LSA_Q_LOOKUP_PRIV_VALUE *q_u, LSA_R_LOOKUP_PRIV_VALUE *r_u)
1733 struct lsa_info *info = NULL;
1735 LUID_ATTR priv_luid;
1738 /* find the connection policy handle. */
1740 if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info))
1741 return NT_STATUS_INVALID_HANDLE;
1743 unistr2_to_ascii(name, &q_u->privname.unistring, sizeof(name));
1745 DEBUG(10,("_lsa_lookup_priv_value: name = %s\n", name));
1747 if ( !se_priv_from_name( name, &mask ) )
1748 return NT_STATUS_NO_SUCH_PRIVILEGE;
1750 priv_luid = get_privilege_luid( &mask );
1752 r_u->luid.low = priv_luid.luid.low;
1753 r_u->luid.high = priv_luid.luid.high;
1756 return NT_STATUS_OK;