sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2024-12-27 03:21:53 +03:00
Code
f0b1a1bc9b
samba-mirror/source3/rpc_server/srv_lsa_nt.c

2436 lines
65 KiB
C
Raw Normal View History

r4724: Add support for Windows privileges in Samba 3.0 (based on Simo's code in trunk). Rewritten with the following changes: * privilege set is based on a 32-bit mask instead of strings (plans are to extend this to a 64 or 128-bit mask before the next 3.0.11preX release). * Remove the privilege code from the passdb API (replication to come later) * Only support the minimum amount of privileges that make sense. * Rewrite the domain join checks to use the SeMachineAccountPrivilege instead of the 'is a member of "Domain Admins"?' check that started all this. Still todo: * Utilize the SePrintOperatorPrivilege in addition to the 'printer admin' parameter * Utilize the SeAddUserPrivilege for adding users and groups * Fix some of the hard coded _lsa_*() calls * Start work on enough of SAM replication to get privileges from one Samba DC to another. * Come up with some management tool for manipultaing privileges instead of user manager since it is buggy when run on a 2k client (haven't tried xp). Works ok on NT4. (This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c)
2005-01-13 21:20:37 +03:00
/*
Removed version number from file header. Changed "SMB/Netbios" to "SMB/CIFS" in file header. (This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa)
2002-01-30 09:08:46 +03:00
* Unix SMB/CIFS implementation.
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
* RPC Pipe client / server routines
* Copyright (C) Andrew Tridgell 1992-1997,
* Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
updated the 3.0 branch from the head branch - ready for alpha18 (This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
2002-07-15 14:35:28 +04:00
* Copyright (C) Paul Ashton 1997,
r13521: Implement LOOKUPNAME3 and 4. Jeremy. (This used to be commit 6ec0e9124a1a7b19c9853b8e26075cbbb8751f10)
2006-02-16 04:06:21 +03:00
* Copyright (C) Jeremy Allison 2001, 2006.
Sync 3.0 branch with HEAD (This used to be commit e01596853e3eea533baa08c33f26ded75f33fdd4)
2002-08-17 19:34:15 +04:00
* Copyright (C) Rafal Szczesniak 2002,
r196: merging struct uuid from trunk (This used to be commit 911a28361b9d8dd50597627f245ebfb57c6294fb)
2004-04-13 18:39:48 +04:00
* Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
r4724: Add support for Windows privileges in Samba 3.0 (based on Simo's code in trunk). Rewritten with the following changes: * privilege set is based on a 32-bit mask instead of strings (plans are to extend this to a 64 or 128-bit mask before the next 3.0.11preX release). * Remove the privilege code from the passdb API (replication to come later) * Only support the minimum amount of privileges that make sense. * Rewrite the domain join checks to use the SeMachineAccountPrivilege instead of the 'is a member of "Domain Admins"?' check that started all this. Still todo: * Utilize the SePrintOperatorPrivilege in addition to the 'printer admin' parameter * Utilize the SeAddUserPrivilege for adding users and groups * Fix some of the hard coded _lsa_*() calls * Start work on enough of SAM replication to get privileges from one Samba DC to another. * Come up with some management tool for manipultaing privileges instead of user manager since it is buggy when run on a 2k client (haven't tried xp). Works ok on NT4. (This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c)
2005-01-13 21:20:37 +03:00
* Copyright (C) Simo Sorce 2003.
r5726: merge LsaLookupPrivValue() code from trunk (This used to be commit 277203b5356af58ce62eb4eec0db2eccadeeffd6)
2005-03-10 21:50:47 +03:00
* Copyright (C) Gerald (Jerry) Carter 2005.
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
* Copyright (C) Volker Lendecke 2005.
Add my copyright. Guenther (This used to be commit d078a8757182d84dfd3307a2e1b751cf173aaa97)
2008-02-27 21:38:48 +03:00
* Copyright (C) Guenther Deschner 2008.
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
r23779: Change from v2 or later to v3 or later. Jeremy. (This used to be commit 407e6e695b8366369b7c76af1ff76869b45347b3)
2007-07-09 23:25:36 +04:00
* the Free Software Foundation; either version 3 of the License, or
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
* (at your option) any later version.
Remove white space. Guenther (This used to be commit a33ed085094b200e153939cb1b02e567f07b1e50)
2008-02-14 15:12:28 +03:00
*
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
Remove white space. Guenther (This used to be commit a33ed085094b200e153939cb1b02e567f07b1e50)
2008-02-14 15:12:28 +03:00
*
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
* You should have received a copy of the GNU General Public License
r23801: The FSF has moved around a lot. This fixes their Mass Ave address. (This used to be commit 87c91e4362c51819032bfbebbb273c52e203b227)
2007-07-10 09:23:25 +04:00
* along with this program; if not, see <http://www.gnu.org/licenses/>.
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
*/
/* This is the implementation of the lsa server code. */
#include "includes.h"
updated the 3.0 branch from the head branch - ready for alpha18 (This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
2002-07-15 14:35:28 +04:00
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_RPC_SRV
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
extern PRIVS privs[];
struct lsa_info {
Removed global_myworkgroup, global_myname, global_myscope. Added liberal dashes of const. This is a rather large check-in, some things may break. It does compile though :-). Jeremy. (This used to be commit f755711df8f74f9b8e8c1a2b0d07d02a931eeb89)
2002-11-13 02:20:50 +03:00
DOM_SID sid;
uint32 access;
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
};
r25534: Apply some const Why? It moves these structs from the data into the text segment, so they will never been copy-on-write copied. Not much, but as in German you say "Kleinvieh macht auch Mist...." (This used to be commit 0141e64ad4972232de867137064d0dae62da22ee)
2007-10-06 01:41:17 +04:00
const struct generic_mapping lsa_generic_mapping = {
Use new LSA_POLICY defines in lsa rpc server code and other places. Guenther (This used to be commit 58cca9faf9db506bd2f6eab4a99ef85153797ab2)
2008-02-27 17:49:31 +03:00
LSA_POLICY_READ,
LSA_POLICY_WRITE,
LSA_POLICY_EXECUTE,
LSA_POLICY_ALL_ACCESS
there is no unknown field in LSA_SEC_QOS some cleanup of the lsa_open_policy and lsa_open_policy2 parser. the length fields are not correct but that's what NT send. We don't anymore underflow or overflow the decoding. added the domain admins group to the default SD. we are now checking the desired access flag in the lsa_open_policy_X() calls and in most functions also. J.F. (This used to be commit a217c4e4ff4d13122703d22258792fe5e8e9f02f)
2001-12-18 02:03:23 +03:00
};
Use pidl for _lsa_LookupNames() and _lsa_LookupNames2(). Hopefully I didn't screw this up. Please check :) Guenther (This used to be commit 01b733f10c1645668f2aea2841bbdc64b4bd5c51)
2008-02-18 16:40:34 +03:00
/***************************************************************************
init_lsa_ref_domain_list - adds a domain if it's not already in, returns the index.
***************************************************************************/
static int init_lsa_ref_domain_list(TALLOC_CTX *mem_ctx,
struct lsa_RefDomainList *ref,
const char *dom_name,
DOM_SID *dom_sid)
{
int num = 0;
if (dom_name != NULL) {
for (num = 0; num < ref->count; num++) {
if (sid_equal(dom_sid, ref->domains[num].sid)) {
return num;
}
}
} else {
num = ref->count;
}
if (num >= MAX_REF_DOMAINS) {
/* index not found, already at maximum domain limit */
return -1;
}
ref->count = num + 1;
ref->max_size = MAX_REF_DOMAINS;
ref->domains = TALLOC_REALLOC_ARRAY(mem_ctx, ref->domains,
struct lsa_DomainInfo, ref->count);
if (!ref->domains) {
return -1;
}
Zero more structs initially in LSA rpc server. Guenther (This used to be commit d7ce643285276790a65faff76666498595a508d7)
2008-03-04 13:06:02 +03:00
ZERO_STRUCT(ref->domains[num]);
Use pidl for _lsa_LookupNames() and _lsa_LookupNames2(). Hopefully I didn't screw this up. Please check :) Guenther (This used to be commit 01b733f10c1645668f2aea2841bbdc64b4bd5c51)
2008-02-18 16:40:34 +03:00
init_lsa_StringLarge(&ref->domains[num].name, dom_name);
ref->domains[num].sid = sid_dup_talloc(mem_ctx, dom_sid);
if (!ref->domains[num].sid) {
return -1;
}
return num;
}
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
/*******************************************************************
Function to free the per handle data.
********************************************************************/
static void free_lsa_info(void *ptr)
{
struct lsa_info *lsa = (struct lsa_info *)ptr;
Oops... Andrew Bartlett (This used to be commit 898ff89632a394ff32fd38f1c4e94412388fa8bd)
2003-04-22 12:50:20 +04:00
SAFE_FREE(lsa);
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
}
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
/***************************************************************************
Use pidl for _lsa_QueryInfoPolicy(). Guenther (This used to be commit 1b931e9145910a74b9e9661a9255cd79e434ffea)
2008-02-08 03:13:50 +03:00
initialize a lsa_DomainInfo structure.
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
***************************************************************************/
Use pidl for _lsa_QueryInfoPolicy(). Guenther (This used to be commit 1b931e9145910a74b9e9661a9255cd79e434ffea)
2008-02-08 03:13:50 +03:00
static void init_dom_query_3(struct lsa_DomainInfo *r,
const char *name,
DOM_SID *sid)
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
{
Use pidl for _lsa_QueryInfoPolicy(). Guenther (This used to be commit 1b931e9145910a74b9e9661a9255cd79e434ffea)
2008-02-08 03:13:50 +03:00
init_lsa_StringLarge(&r->name, name);
r->sid = sid;
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
}
r15041: Adding rpc client calls to manipulate auditing policies on remote CIFS servers. Also add a new "net rpc audit" tool. The lsa query infolevels were taken from samb4 IDL, the lsa policy flags and categories are partly documented on msdn. I need to cleanup the double lsa_query_info_policy{2}{_new} calls next. Guenther (This used to be commit 0fed66926f4b72444abfc8ffb8c46cca8d0600aa)
2006-04-11 19:47:24 +04:00
/***************************************************************************
Use pidl for _lsa_QueryInfoPolicy(). Guenther (This used to be commit 1b931e9145910a74b9e9661a9255cd79e434ffea)
2008-02-08 03:13:50 +03:00
initialize a lsa_DomainInfo structure.
r15041: Adding rpc client calls to manipulate auditing policies on remote CIFS servers. Also add a new "net rpc audit" tool. The lsa query infolevels were taken from samb4 IDL, the lsa policy flags and categories are partly documented on msdn. I need to cleanup the double lsa_query_info_policy{2}{_new} calls next. Guenther (This used to be commit 0fed66926f4b72444abfc8ffb8c46cca8d0600aa)
2006-04-11 19:47:24 +04:00
***************************************************************************/
Use pidl for _lsa_QueryInfoPolicy(). Guenther (This used to be commit 1b931e9145910a74b9e9661a9255cd79e434ffea)
2008-02-08 03:13:50 +03:00
static void init_dom_query_5(struct lsa_DomainInfo *r,
const char *name,
DOM_SID *sid)
r15041: Adding rpc client calls to manipulate auditing policies on remote CIFS servers. Also add a new "net rpc audit" tool. The lsa query infolevels were taken from samb4 IDL, the lsa policy flags and categories are partly documented on msdn. I need to cleanup the double lsa_query_info_policy{2}{_new} calls next. Guenther (This used to be commit 0fed66926f4b72444abfc8ffb8c46cca8d0600aa)
2006-04-11 19:47:24 +04:00
{
Use pidl for _lsa_QueryInfoPolicy(). Guenther (This used to be commit 1b931e9145910a74b9e9661a9255cd79e434ffea)
2008-02-08 03:13:50 +03:00
init_lsa_StringLarge(&r->name, name);
r->sid = sid;
r15041: Adding rpc client calls to manipulate auditing policies on remote CIFS servers. Also add a new "net rpc audit" tool. The lsa query infolevels were taken from samb4 IDL, the lsa policy flags and categories are partly documented on msdn. I need to cleanup the double lsa_query_info_policy{2}{_new} calls next. Guenther (This used to be commit 0fed66926f4b72444abfc8ffb8c46cca8d0600aa)
2006-04-11 19:47:24 +04:00
}
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
/***************************************************************************
r13521: Implement LOOKUPNAME3 and 4. Jeremy. (This used to be commit 6ec0e9124a1a7b19c9853b8e26075cbbb8751f10)
2006-02-16 04:06:21 +03:00
lookup_lsa_rids. Must be called as root for lookup_name to work.
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
***************************************************************************/
r13521: Implement LOOKUPNAME3 and 4. Jeremy. (This used to be commit 6ec0e9124a1a7b19c9853b8e26075cbbb8751f10)
2006-02-16 04:06:21 +03:00
static NTSTATUS lookup_lsa_rids(TALLOC_CTX *mem_ctx,
Use pidl for _lsa_LookupNames() and _lsa_LookupNames2(). Hopefully I didn't screw this up. Please check :) Guenther (This used to be commit 01b733f10c1645668f2aea2841bbdc64b4bd5c51)
2008-02-18 16:40:34 +03:00
struct lsa_RefDomainList *ref,
struct lsa_TranslatedSid *prid,
uint32_t num_entries,
struct lsa_String *name,
int flags,
uint32_t *pmapped_count)
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
{
r13553: Fix all our warnings at -O6 on an x86_64 box. Jeremy. (This used to be commit ea82958349a57ef4b7ce9638eec5f1388b0fba2a)
2006-02-18 03:27:31 +03:00
uint32 mapped_count, i;
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
r12051: Merge across the lookup_name and lookup_sid work. Lets see how the build farm reacts :-) Volker (This used to be commit 9f99d04a54588cd9d1a1ab163ebb304437f932f7)
2005-12-03 21:34:13 +03:00
mapped_count = 0;
r13521: Implement LOOKUPNAME3 and 4. Jeremy. (This used to be commit 6ec0e9124a1a7b19c9853b8e26075cbbb8751f10)
2006-02-16 04:06:21 +03:00
*pmapped_count = 0;
Move the lsa code across to the changed args for lookup_name, and surround it in become_root()/unbecome_root(). Also only allocate the memory the client reqests - and don't allow the client to trigger an SMB_ASSERT if they ask for 'more'. Up the maximum number of sids allowed, and note that this is an arbiary guess, and can be raised without consequence. Andrew Bartlett (This used to be commit 6e7667125d142670db7393ed7a48386f3821d896)
2002-01-26 13:02:23 +03:00
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
for (i = 0; i < num_entries; i++) {
DOM_SID sid;
r12051: Merge across the lookup_name and lookup_sid work. Lets see how the build farm reacts :-) Volker (This used to be commit 9f99d04a54588cd9d1a1ab163ebb304437f932f7)
2005-12-03 21:34:13 +03:00
uint32 rid;
int dom_idx;
Use pidl for _lsa_LookupNames() and _lsa_LookupNames2(). Hopefully I didn't screw this up. Please check :) Guenther (This used to be commit 01b733f10c1645668f2aea2841bbdc64b4bd5c51)
2008-02-18 16:40:34 +03:00
const char *full_name;
r12163: Change lookup_sid and lookup_name to return const char * instead of char *, use a temporary talloc_ctx for clarity. Volker (This used to be commit b15815c804bf3e558ed6357b5e9a6e3e0fac777f)
2005-12-10 14:22:01 +03:00
const char *domain;
r18271: Big change: * autogenerate lsa ndr code * rename 'enum SID_NAME_USE' to 'enum lsa_SidType' * merge a log more security descriptor functions from gen_ndr/ndr_security.c in SAMBA_4_0 The most embarassing thing is the "#define strlen_m strlen" We need a real implementation in SAMBA_3_0 which I'll work on after this code is in. (This used to be commit 3da9f80c28b1e75ef6d46d38fbb81ade6b9fa951)
2006-09-08 18:28:06 +04:00
enum lsa_SidType type = SID_NAME_UNKNOWN;
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
/* Split name into domain and user component */
Use pidl for _lsa_LookupNames() and _lsa_LookupNames2(). Hopefully I didn't screw this up. Please check :) Guenther (This used to be commit 01b733f10c1645668f2aea2841bbdc64b4bd5c51)
2008-02-18 16:40:34 +03:00
full_name = name[i].string;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if (full_name == NULL) {
r13521: Implement LOOKUPNAME3 and 4. Jeremy. (This used to be commit 6ec0e9124a1a7b19c9853b8e26075cbbb8751f10)
2006-02-16 04:06:21 +03:00
return NT_STATUS_NO_MEMORY;
r12051: Merge across the lookup_name and lookup_sid work. Lets see how the build farm reacts :-) Volker (This used to be commit 9f99d04a54588cd9d1a1ab163ebb304437f932f7)
2005-12-03 21:34:13 +03:00
}
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
r13521: Implement LOOKUPNAME3 and 4. Jeremy. (This used to be commit 6ec0e9124a1a7b19c9853b8e26075cbbb8751f10)
2006-02-16 04:06:21 +03:00
DEBUG(5, ("lookup_lsa_rids: looking up name %s\n", full_name));
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
r12051: Merge across the lookup_name and lookup_sid work. Lets see how the build farm reacts :-) Volker (This used to be commit 9f99d04a54588cd9d1a1ab163ebb304437f932f7)
2005-12-03 21:34:13 +03:00
/* We can ignore the result of lookup_name, it will not touch
"type" if it's not successful */
r91: Fix lsalookupnames. Previously we'd fail if we didn't find the name, but we never checked if it was a domain user and didn't find a local one. (This used to be commit 68022f5ebc55d1f3403dee5198d364cff300baf5)
2004-04-07 02:02:47 +04:00
r12051: Merge across the lookup_name and lookup_sid work. Lets see how the build farm reacts :-) Volker (This used to be commit 9f99d04a54588cd9d1a1ab163ebb304437f932f7)
2005-12-03 21:34:13 +03:00
lookup_name(mem_ctx, full_name, flags, &domain, NULL,
&sid, &type);
r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-04-07 16:43:44 +04:00
r12051: Merge across the lookup_name and lookup_sid work. Lets see how the build farm reacts :-) Volker (This used to be commit 9f99d04a54588cd9d1a1ab163ebb304437f932f7)
2005-12-03 21:34:13 +03:00
switch (type) {
case SID_NAME_USER:
case SID_NAME_DOM_GRP:
case SID_NAME_DOMAIN:
case SID_NAME_ALIAS:
case SID_NAME_WKN_GRP:
r13455: Prepare to add lookupnames2. Jeremy. (This used to be commit 2274709587bd1f27bea2eacf633182f20cd07b1e)
2006-02-11 05:46:41 +03:00
DEBUG(5, ("init_lsa_rids: %s found\n", full_name));
r12051: Merge across the lookup_name and lookup_sid work. Lets see how the build farm reacts :-) Volker (This used to be commit 9f99d04a54588cd9d1a1ab163ebb304437f932f7)
2005-12-03 21:34:13 +03:00
/* Leave these unchanged */
break;
default:
/* Don't hand out anything but the list above */
r13455: Prepare to add lookupnames2. Jeremy. (This used to be commit 2274709587bd1f27bea2eacf633182f20cd07b1e)
2006-02-11 05:46:41 +03:00
DEBUG(5, ("init_lsa_rids: %s not found\n", full_name));
r12051: Merge across the lookup_name and lookup_sid work. Lets see how the build farm reacts :-) Volker (This used to be commit 9f99d04a54588cd9d1a1ab163ebb304437f932f7)
2005-12-03 21:34:13 +03:00
type = SID_NAME_UNKNOWN;
break;
}
rid = 0;
dom_idx = -1;
if (type != SID_NAME_UNKNOWN) {
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
sid_split_rid(&sid, &rid);
Use pidl for _lsa_LookupNames() and _lsa_LookupNames2(). Hopefully I didn't screw this up. Please check :) Guenther (This used to be commit 01b733f10c1645668f2aea2841bbdc64b4bd5c51)
2008-02-18 16:40:34 +03:00
dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &sid);
r12051: Merge across the lookup_name and lookup_sid work. Lets see how the build farm reacts :-) Volker (This used to be commit 9f99d04a54588cd9d1a1ab163ebb304437f932f7)
2005-12-03 21:34:13 +03:00
mapped_count++;
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
}
Use pidl for _lsa_LookupNames() and _lsa_LookupNames2(). Hopefully I didn't screw this up. Please check :) Guenther (This used to be commit 01b733f10c1645668f2aea2841bbdc64b4bd5c51)
2008-02-18 16:40:34 +03:00
init_lsa_translated_sid(&prid[i], type, rid, dom_idx);
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
}
Move the lsa code across to the changed args for lookup_name, and surround it in become_root()/unbecome_root(). Also only allocate the memory the client reqests - and don't allow the client to trigger an SMB_ASSERT if they ask for 'more'. Up the maximum number of sids allowed, and note that this is an arbiary guess, and can be raised without consequence. Andrew Bartlett (This used to be commit 6e7667125d142670db7393ed7a48386f3821d896)
2002-01-26 13:02:23 +03:00
r13521: Implement LOOKUPNAME3 and 4. Jeremy. (This used to be commit 6ec0e9124a1a7b19c9853b8e26075cbbb8751f10)
2006-02-16 04:06:21 +03:00
*pmapped_count = mapped_count;
return NT_STATUS_OK;
}
/***************************************************************************
lookup_lsa_sids. Must be called as root for lookup_name to work.
***************************************************************************/
static NTSTATUS lookup_lsa_sids(TALLOC_CTX *mem_ctx,
Use pidl for _lsa_LookupNames3 and _lsa_LookupNames4. Guenther (This used to be commit 4e310a19f12ba7034f33247dca0a9e7a10aa98b7)
2008-02-18 18:57:02 +03:00
struct lsa_RefDomainList *ref,
struct lsa_TranslatedSid3 *trans_sids,
uint32_t num_entries,
struct lsa_String *name,
int flags,
uint32 *pmapped_count)
r13521: Implement LOOKUPNAME3 and 4. Jeremy. (This used to be commit 6ec0e9124a1a7b19c9853b8e26075cbbb8751f10)
2006-02-16 04:06:21 +03:00
{
r13553: Fix all our warnings at -O6 on an x86_64 box. Jeremy. (This used to be commit ea82958349a57ef4b7ce9638eec5f1388b0fba2a)
2006-02-18 03:27:31 +03:00
uint32 mapped_count, i;
r13521: Implement LOOKUPNAME3 and 4. Jeremy. (This used to be commit 6ec0e9124a1a7b19c9853b8e26075cbbb8751f10)
2006-02-16 04:06:21 +03:00
SMB_ASSERT(num_entries <= MAX_LOOKUP_SIDS);
mapped_count = 0;
*pmapped_count = 0;
for (i = 0; i < num_entries; i++) {
DOM_SID sid;
uint32 rid;
int dom_idx;
Use pidl for _lsa_LookupNames3 and _lsa_LookupNames4. Guenther (This used to be commit 4e310a19f12ba7034f33247dca0a9e7a10aa98b7)
2008-02-18 18:57:02 +03:00
const char *full_name;
r13521: Implement LOOKUPNAME3 and 4. Jeremy. (This used to be commit 6ec0e9124a1a7b19c9853b8e26075cbbb8751f10)
2006-02-16 04:06:21 +03:00
const char *domain;
r18271: Big change: * autogenerate lsa ndr code * rename 'enum SID_NAME_USE' to 'enum lsa_SidType' * merge a log more security descriptor functions from gen_ndr/ndr_security.c in SAMBA_4_0 The most embarassing thing is the "#define strlen_m strlen" We need a real implementation in SAMBA_3_0 which I'll work on after this code is in. (This used to be commit 3da9f80c28b1e75ef6d46d38fbb81ade6b9fa951)
2006-09-08 18:28:06 +04:00
enum lsa_SidType type = SID_NAME_UNKNOWN;
r13521: Implement LOOKUPNAME3 and 4. Jeremy. (This used to be commit 6ec0e9124a1a7b19c9853b8e26075cbbb8751f10)
2006-02-16 04:06:21 +03:00
Zero more structs initially in LSA rpc server. Guenther (This used to be commit d7ce643285276790a65faff76666498595a508d7)
2008-03-04 13:06:02 +03:00
ZERO_STRUCT(sid);
r13521: Implement LOOKUPNAME3 and 4. Jeremy. (This used to be commit 6ec0e9124a1a7b19c9853b8e26075cbbb8751f10)
2006-02-16 04:06:21 +03:00
/* Split name into domain and user component */
Use pidl for _lsa_LookupNames3 and _lsa_LookupNames4. Guenther (This used to be commit 4e310a19f12ba7034f33247dca0a9e7a10aa98b7)
2008-02-18 18:57:02 +03:00
full_name = name[i].string;
r13521: Implement LOOKUPNAME3 and 4. Jeremy. (This used to be commit 6ec0e9124a1a7b19c9853b8e26075cbbb8751f10)
2006-02-16 04:06:21 +03:00
if (full_name == NULL) {
return NT_STATUS_NO_MEMORY;
}
DEBUG(5, ("init_lsa_sids: looking up name %s\n", full_name));
/* We can ignore the result of lookup_name, it will not touch
"type" if it's not successful */
lookup_name(mem_ctx, full_name, flags, &domain, NULL,
&sid, &type);
switch (type) {
case SID_NAME_USER:
case SID_NAME_DOM_GRP:
case SID_NAME_DOMAIN:
case SID_NAME_ALIAS:
case SID_NAME_WKN_GRP:
DEBUG(5, ("init_lsa_sids: %s found\n", full_name));
/* Leave these unchanged */
break;
default:
/* Don't hand out anything but the list above */
DEBUG(5, ("init_lsa_sids: %s not found\n", full_name));
type = SID_NAME_UNKNOWN;
break;
}
rid = 0;
dom_idx = -1;
if (type != SID_NAME_UNKNOWN) {
DOM_SID domain_sid;
sid_copy(&domain_sid, &sid);
sid_split_rid(&domain_sid, &rid);
Use pidl for _lsa_LookupNames3 and _lsa_LookupNames4. Guenther (This used to be commit 4e310a19f12ba7034f33247dca0a9e7a10aa98b7)
2008-02-18 18:57:02 +03:00
dom_idx = init_lsa_ref_domain_list(mem_ctx, ref, domain, &domain_sid);
r13521: Implement LOOKUPNAME3 and 4. Jeremy. (This used to be commit 6ec0e9124a1a7b19c9853b8e26075cbbb8751f10)
2006-02-16 04:06:21 +03:00
mapped_count++;
}
Use pidl for _lsa_LookupNames3 and _lsa_LookupNames4. Guenther (This used to be commit 4e310a19f12ba7034f33247dca0a9e7a10aa98b7)
2008-02-18 18:57:02 +03:00
/* Initialize the lsa_TranslatedSid3 return. */
r13521: Implement LOOKUPNAME3 and 4. Jeremy. (This used to be commit 6ec0e9124a1a7b19c9853b8e26075cbbb8751f10)
2006-02-16 04:06:21 +03:00
trans_sids[i].sid_type = type;
Use pidl for _lsa_LookupNames3 and _lsa_LookupNames4. Guenther (This used to be commit 4e310a19f12ba7034f33247dca0a9e7a10aa98b7)
2008-02-18 18:57:02 +03:00
trans_sids[i].sid = sid_dup_talloc(mem_ctx, &sid);
trans_sids[i].sid_index = dom_idx;
r13521: Implement LOOKUPNAME3 and 4. Jeremy. (This used to be commit 6ec0e9124a1a7b19c9853b8e26075cbbb8751f10)
2006-02-16 04:06:21 +03:00
}
r12051: Merge across the lookup_name and lookup_sid work. Lets see how the build farm reacts :-) Volker (This used to be commit 9f99d04a54588cd9d1a1ab163ebb304437f932f7)
2005-12-03 21:34:13 +03:00
r13521: Implement LOOKUPNAME3 and 4. Jeremy. (This used to be commit 6ec0e9124a1a7b19c9853b8e26075cbbb8751f10)
2006-02-16 04:06:21 +03:00
*pmapped_count = mapped_count;
return NT_STATUS_OK;
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
}
there is no unknown field in LSA_SEC_QOS some cleanup of the lsa_open_policy and lsa_open_policy2 parser. the length fields are not correct but that's what NT send. We don't anymore underflow or overflow the decoding. added the domain admins group to the default SD. we are now checking the desired access flag in the lsa_open_policy_X() calls and in most functions also. J.F. (This used to be commit a217c4e4ff4d13122703d22258792fe5e8e9f02f)
2001-12-18 02:03:23 +03:00
static NTSTATUS lsa_get_generic_sd(TALLOC_CTX *mem_ctx, SEC_DESC **sd, size_t *sd_size)
{
DOM_SID local_adm_sid;
DOM_SID adm_sid;
SEC_ACE ace[3];
SEC_ACL *psa = NULL;
Remove SEC_ACCESS. It's a uint32_t. Jeremy.
2008-10-09 20:49:03 +04:00
init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, LSA_POLICY_EXECUTE, 0);
there is no unknown field in LSA_SEC_QOS some cleanup of the lsa_open_policy and lsa_open_policy2 parser. the length fields are not correct but that's what NT send. We don't anymore underflow or overflow the decoding. added the domain admins group to the default SD. we are now checking the desired access flag in the lsa_open_policy_X() calls and in most functions also. J.F. (This used to be commit a217c4e4ff4d13122703d22258792fe5e8e9f02f)
2001-12-18 02:03:23 +03:00
updated the 3.0 branch from the head branch - ready for alpha18 (This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
2002-07-15 14:35:28 +04:00
sid_copy(&adm_sid, get_global_sam_sid());
there is no unknown field in LSA_SEC_QOS some cleanup of the lsa_open_policy and lsa_open_policy2 parser. the length fields are not correct but that's what NT send. We don't anymore underflow or overflow the decoding. added the domain admins group to the default SD. we are now checking the desired access flag in the lsa_open_policy_X() calls and in most functions also. J.F. (This used to be commit a217c4e4ff4d13122703d22258792fe5e8e9f02f)
2001-12-18 02:03:23 +03:00
sid_append_rid(&adm_sid, DOMAIN_GROUP_RID_ADMINS);
Remove SEC_ACCESS. It's a uint32_t. Jeremy.
2008-10-09 20:49:03 +04:00
init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, LSA_POLICY_ALL_ACCESS, 0);
there is no unknown field in LSA_SEC_QOS some cleanup of the lsa_open_policy and lsa_open_policy2 parser. the length fields are not correct but that's what NT send. We don't anymore underflow or overflow the decoding. added the domain admins group to the default SD. we are now checking the desired access flag in the lsa_open_policy_X() calls and in most functions also. J.F. (This used to be commit a217c4e4ff4d13122703d22258792fe5e8e9f02f)
2001-12-18 02:03:23 +03:00
sid_copy(&local_adm_sid, &global_sid_Builtin);
sid_append_rid(&local_adm_sid, BUILTIN_ALIAS_RID_ADMINS);
Remove SEC_ACCESS. It's a uint32_t. Jeremy.
2008-10-09 20:49:03 +04:00
init_sec_ace(&ace[2], &local_adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, LSA_POLICY_ALL_ACCESS, 0);
there is no unknown field in LSA_SEC_QOS some cleanup of the lsa_open_policy and lsa_open_policy2 parser. the length fields are not correct but that's what NT send. We don't anymore underflow or overflow the decoding. added the domain admins group to the default SD. we are now checking the desired access flag in the lsa_open_policy_X() calls and in most functions also. J.F. (This used to be commit a217c4e4ff4d13122703d22258792fe5e8e9f02f)
2001-12-18 02:03:23 +03:00
if((psa = make_sec_acl(mem_ctx, NT4_ACL_REVISION, 3, ace)) == NULL)
return NT_STATUS_NO_MEMORY;
Some C++ fixes (This used to be commit 5c392c4c6e277a24d0d477902dc7856b2b46ee53)
2007-12-21 00:27:01 +03:00
if((*sd = make_sec_desc(mem_ctx, SECURITY_DESCRIPTOR_REVISION_1,
SEC_DESC_SELF_RELATIVE, &adm_sid, NULL, NULL,
psa, sd_size)) == NULL)
there is no unknown field in LSA_SEC_QOS some cleanup of the lsa_open_policy and lsa_open_policy2 parser. the length fields are not correct but that's what NT send. We don't anymore underflow or overflow the decoding. added the domain admins group to the default SD. we are now checking the desired access flag in the lsa_open_policy_X() calls and in most functions also. J.F. (This used to be commit a217c4e4ff4d13122703d22258792fe5e8e9f02f)
2001-12-18 02:03:23 +03:00
return NT_STATUS_NO_MEMORY;
return NT_STATUS_OK;
}
r5726: merge LsaLookupPrivValue() code from trunk (This used to be commit 277203b5356af58ce62eb4eec0db2eccadeeffd6)
2005-03-10 21:50:47 +03:00
#if 0 /* AD DC work in ongoing in Samba 4 */
Sync 3.0 branch with HEAD (This used to be commit e01596853e3eea533baa08c33f26ded75f33fdd4)
2002-08-17 19:34:15 +04:00
/***************************************************************************
Removed global_myworkgroup, global_myname, global_myscope. Added liberal dashes of const. This is a rather large check-in, some things may break. It does compile though :-). Jeremy. (This used to be commit f755711df8f74f9b8e8c1a2b0d07d02a931eeb89)
2002-11-13 02:20:50 +03:00
Init_dns_dom_info.
***************************************************************************/
static void init_dns_dom_info(LSA_DNS_DOM_INFO *r_l, const char *nb_name,
const char *dns_name, const char *forest_name,
r18680: Fix last struct uuids (in uncommented code). Guenther (This used to be commit 41c79ee5accb13f73d1f65b303d723ca2ff49933)
2006-09-19 21:29:31 +04:00
struct GUID *dom_guid, DOM_SID *dom_sid)
Sync 3.0 branch with HEAD (This used to be commit e01596853e3eea533baa08c33f26ded75f33fdd4)
2002-08-17 19:34:15 +04:00
{
if (nb_name && *nb_name) {
Fix for #480. Change the interface for init_unistr2 to not take a length but a flags field. We were assuming that 2*strlen(mb_string) == length of ucs2-le string. This is not the case. Count it after conversion. Jeremy. (This used to be commit f82c273a42f930c7152cfab84394781744815e0e)
2003-09-26 01:26:16 +04:00
init_unistr2(&r_l->uni_nb_dom_name, nb_name, UNI_FLAGS_NONE);
init_uni_hdr(&r_l->hdr_nb_dom_name, &r_l->uni_nb_dom_name);
Sync 3.0 branch with HEAD (This used to be commit e01596853e3eea533baa08c33f26ded75f33fdd4)
2002-08-17 19:34:15 +04:00
r_l->hdr_nb_dom_name.uni_max_len += 2;
r_l->uni_nb_dom_name.uni_max_len += 1;
}
Remove white space. Guenther (This used to be commit a33ed085094b200e153939cb1b02e567f07b1e50)
2008-02-14 15:12:28 +03:00
Sync 3.0 branch with HEAD (This used to be commit e01596853e3eea533baa08c33f26ded75f33fdd4)
2002-08-17 19:34:15 +04:00
if (dns_name && *dns_name) {
Fix for #480. Change the interface for init_unistr2 to not take a length but a flags field. We were assuming that 2*strlen(mb_string) == length of ucs2-le string. This is not the case. Count it after conversion. Jeremy. (This used to be commit f82c273a42f930c7152cfab84394781744815e0e)
2003-09-26 01:26:16 +04:00
init_unistr2(&r_l->uni_dns_dom_name, dns_name, UNI_FLAGS_NONE);
init_uni_hdr(&r_l->hdr_dns_dom_name, &r_l->uni_dns_dom_name);
Sync 3.0 branch with HEAD (This used to be commit e01596853e3eea533baa08c33f26ded75f33fdd4)
2002-08-17 19:34:15 +04:00
r_l->hdr_dns_dom_name.uni_max_len += 2;
r_l->uni_dns_dom_name.uni_max_len += 1;
}
if (forest_name && *forest_name) {
Fix for #480. Change the interface for init_unistr2 to not take a length but a flags field. We were assuming that 2*strlen(mb_string) == length of ucs2-le string. This is not the case. Count it after conversion. Jeremy. (This used to be commit f82c273a42f930c7152cfab84394781744815e0e)
2003-09-26 01:26:16 +04:00
init_unistr2(&r_l->uni_forest_name, forest_name, UNI_FLAGS_NONE);
init_uni_hdr(&r_l->hdr_forest_name, &r_l->uni_forest_name);
Sync 3.0 branch with HEAD (This used to be commit e01596853e3eea533baa08c33f26ded75f33fdd4)
2002-08-17 19:34:15 +04:00
r_l->hdr_forest_name.uni_max_len += 2;
r_l->uni_forest_name.uni_max_len += 1;
}
/* how do we init the guid ? probably should write an init fn */
if (dom_guid) {
r18680: Fix last struct uuids (in uncommented code). Guenther (This used to be commit 41c79ee5accb13f73d1f65b303d723ca2ff49933)
2006-09-19 21:29:31 +04:00
memcpy(&r_l->dom_guid, dom_guid, sizeof(struct GUID));
Sync 3.0 branch with HEAD (This used to be commit e01596853e3eea533baa08c33f26ded75f33fdd4)
2002-08-17 19:34:15 +04:00
}
Remove white space. Guenther (This used to be commit a33ed085094b200e153939cb1b02e567f07b1e50)
2008-02-14 15:12:28 +03:00
Sync 3.0 branch with HEAD (This used to be commit e01596853e3eea533baa08c33f26ded75f33fdd4)
2002-08-17 19:34:15 +04:00
if (dom_sid) {
r_l->ptr_dom_sid = 1;
init_dom_sid2(&r_l->dom_sid, dom_sid);
}
}
r5726: merge LsaLookupPrivValue() code from trunk (This used to be commit 277203b5356af58ce62eb4eec0db2eccadeeffd6)
2005-03-10 21:50:47 +03:00
#endif /* AD DC work in ongoing in Samba 4 */
Sync 3.0 branch with HEAD (This used to be commit e01596853e3eea533baa08c33f26ded75f33fdd4)
2002-08-17 19:34:15 +04:00
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
/***************************************************************************
Use pidl for _lsa_OpenPolicy2(). Guenther (This used to be commit fc29364abe10d3ec249602cb3437e50294f5de76)
2008-02-04 23:00:38 +03:00
_lsa_OpenPolicy2
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
***************************************************************************/
Use pidl for _lsa_OpenPolicy2(). Guenther (This used to be commit fc29364abe10d3ec249602cb3437e50294f5de76)
2008-02-04 23:00:38 +03:00
NTSTATUS _lsa_OpenPolicy2(pipes_struct *p,
struct lsa_OpenPolicy2 *r)
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
{
there is no unknown field in LSA_SEC_QOS some cleanup of the lsa_open_policy and lsa_open_policy2 parser. the length fields are not correct but that's what NT send. We don't anymore underflow or overflow the decoding. added the domain admins group to the default SD. we are now checking the desired access flag in the lsa_open_policy_X() calls and in most functions also. J.F. (This used to be commit a217c4e4ff4d13122703d22258792fe5e8e9f02f)
2001-12-18 02:03:23 +03:00
struct lsa_info *info;
SEC_DESC *psd = NULL;
size_t sd_size;
Use pidl for _lsa_OpenPolicy2(). Guenther (This used to be commit fc29364abe10d3ec249602cb3437e50294f5de76)
2008-02-04 23:00:38 +03:00
uint32 des_access = r->in.access_mask;
there is no unknown field in LSA_SEC_QOS some cleanup of the lsa_open_policy and lsa_open_policy2 parser. the length fields are not correct but that's what NT send. We don't anymore underflow or overflow the decoding. added the domain admins group to the default SD. we are now checking the desired access flag in the lsa_open_policy_X() calls and in most functions also. J.F. (This used to be commit a217c4e4ff4d13122703d22258792fe5e8e9f02f)
2001-12-18 02:03:23 +03:00
uint32 acc_granted;
NTSTATUS status;
/* map the generic bits to the lsa policy ones */
se_map_generic(&des_access, &lsa_generic_mapping);
/* get the generic lsa policy SD until we store it */
lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size);
Ok, this patch removes the privilege stuff we had in, unused, for some time. The code was nice, but put in the wrong place (group mapping) and not supported by most of the code, thus useless. We will put back most of the code when our infrastructure will be changed so that privileges actually really make sense to be set. This is a first patch of a set to enhance all our mapping code cleaness and stability towards a sane next beta for 3.0 code base Simo. (This used to be commit e341e7c49f8c17a9ee30ca3fab3aa0397c1f0c7e)
2003-06-18 19:24:10 +04:00
if(!se_access_check(psd, p->pipe_user.nt_user_token, des_access, &acc_granted, &status)) {
r17194: To run rpc-samba3-lsa in the build farm, we can't rely on geteuid()==0. Adapt it to other "Am I root?" checks. Jerry, Jeremy, please check this! Thanks, Volker (This used to be commit f777b2d294f7258e676976d7807adbb644c85a2f)
2006-07-23 00:46:02 +04:00
if (p->pipe_user.ut.uid != sec_initial_uid()) {
Ok, this patch removes the privilege stuff we had in, unused, for some time. The code was nice, but put in the wrong place (group mapping) and not supported by most of the code, thus useless. We will put back most of the code when our infrastructure will be changed so that privileges actually really make sense to be set. This is a first patch of a set to enhance all our mapping code cleaness and stability towards a sane next beta for 3.0 code base Simo. (This used to be commit e341e7c49f8c17a9ee30ca3fab3aa0397c1f0c7e)
2003-06-18 19:24:10 +04:00
return status;
}
DEBUG(4,("ACCESS should be DENIED (granted: %#010x; required: %#010x)\n",
acc_granted, des_access));
DEBUGADD(4,("but overwritten by euid == 0\n"));
}
r4724: Add support for Windows privileges in Samba 3.0 (based on Simo's code in trunk). Rewritten with the following changes: * privilege set is based on a 32-bit mask instead of strings (plans are to extend this to a 64 or 128-bit mask before the next 3.0.11preX release). * Remove the privilege code from the passdb API (replication to come later) * Only support the minimum amount of privileges that make sense. * Rewrite the domain join checks to use the SeMachineAccountPrivilege instead of the 'is a member of "Domain Admins"?' check that started all this. Still todo: * Utilize the SePrintOperatorPrivilege in addition to the 'printer admin' parameter * Utilize the SeAddUserPrivilege for adding users and groups * Fix some of the hard coded _lsa_*() calls * Start work on enough of SAM replication to get privileges from one Samba DC to another. * Come up with some management tool for manipultaing privileges instead of user manager since it is buggy when run on a 2k client (haven't tried xp). Works ok on NT4. (This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c)
2005-01-13 21:20:37 +03:00
/* This is needed for lsa_open_account and rpcclient .... :-) */
r17194: To run rpc-samba3-lsa in the build farm, we can't rely on geteuid()==0. Adapt it to other "Am I root?" checks. Jerry, Jeremy, please check this! Thanks, Volker (This used to be commit f777b2d294f7258e676976d7807adbb644c85a2f)
2006-07-23 00:46:02 +04:00
if (p->pipe_user.ut.uid == sec_initial_uid())
Use new LSA_POLICY defines in lsa rpc server code and other places. Guenther (This used to be commit 58cca9faf9db506bd2f6eab4a99ef85153797ab2)
2008-02-27 17:49:31 +03:00
acc_granted = LSA_POLICY_ALL_ACCESS;
there is no unknown field in LSA_SEC_QOS some cleanup of the lsa_open_policy and lsa_open_policy2 parser. the length fields are not correct but that's what NT send. We don't anymore underflow or overflow the decoding. added the domain admins group to the default SD. we are now checking the desired access flag in the lsa_open_policy_X() calls and in most functions also. J.F. (This used to be commit a217c4e4ff4d13122703d22258792fe5e8e9f02f)
2001-12-18 02:03:23 +03:00
/* associate the domain SID with the (unique) handle. */
r4088: Get medieval on our ass about malloc.... :-). Take control of all our allocation functions so we can funnel through some well known functions. Should help greatly with malloc checking. HEAD patch to follow. Jeremy. (This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
2004-12-07 21:25:53 +03:00
if ((info = SMB_MALLOC_P(struct lsa_info)) == NULL)
there is no unknown field in LSA_SEC_QOS some cleanup of the lsa_open_policy and lsa_open_policy2 parser. the length fields are not correct but that's what NT send. We don't anymore underflow or overflow the decoding. added the domain admins group to the default SD. we are now checking the desired access flag in the lsa_open_policy_X() calls and in most functions also. J.F. (This used to be commit a217c4e4ff4d13122703d22258792fe5e8e9f02f)
2001-12-18 02:03:23 +03:00
return NT_STATUS_NO_MEMORY;
ZERO_STRUCTP(info);
updated the 3.0 branch from the head branch - ready for alpha18 (This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
2002-07-15 14:35:28 +04:00
sid_copy(&info->sid,get_global_sam_sid());
there is no unknown field in LSA_SEC_QOS some cleanup of the lsa_open_policy and lsa_open_policy2 parser. the length fields are not correct but that's what NT send. We don't anymore underflow or overflow the decoding. added the domain admins group to the default SD. we are now checking the desired access flag in the lsa_open_policy_X() calls and in most functions also. J.F. (This used to be commit a217c4e4ff4d13122703d22258792fe5e8e9f02f)
2001-12-18 02:03:23 +03:00
info->access = acc_granted;
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
/* set up the LSA QUERY INFO response */
Use pidl for _lsa_OpenPolicy2(). Guenther (This used to be commit fc29364abe10d3ec249602cb3437e50294f5de76)
2008-02-04 23:00:38 +03:00
if (!create_policy_hnd(p, r->out.handle, free_lsa_info, (void *)info))
Merge of new 2.2 code into HEAD (Gerald I hate you :-) :-). Allows new SAMR RPC code to merge with new passdb code. Currently rpcclient doesn't compile. I'm working on it... Jeremy. (This used to be commit 0be41d5158ea4e645e93e8cd30617c038416e549)
2001-03-11 03:32:10 +03:00
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
converted another bunch of stuff to NTSTATUS (This used to be commit 1d36250e338ae0ff9fbbf86019809205dd97d05e)
2001-08-27 23:46:22 +04:00
return NT_STATUS_OK;
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
}
/***************************************************************************
Use pidl for _lsa_OpenPolicy(). Guenther (This used to be commit b6b226e6365477f855de1e549ef32df452838031)
2008-02-04 23:00:16 +03:00
_lsa_OpenPolicy
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
***************************************************************************/
Use pidl for _lsa_OpenPolicy(). Guenther (This used to be commit b6b226e6365477f855de1e549ef32df452838031)
2008-02-04 23:00:16 +03:00
NTSTATUS _lsa_OpenPolicy(pipes_struct *p,
struct lsa_OpenPolicy *r)
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
{
there is no unknown field in LSA_SEC_QOS some cleanup of the lsa_open_policy and lsa_open_policy2 parser. the length fields are not correct but that's what NT send. We don't anymore underflow or overflow the decoding. added the domain admins group to the default SD. we are now checking the desired access flag in the lsa_open_policy_X() calls and in most functions also. J.F. (This used to be commit a217c4e4ff4d13122703d22258792fe5e8e9f02f)
2001-12-18 02:03:23 +03:00
struct lsa_info *info;
SEC_DESC *psd = NULL;
size_t sd_size;
Use pidl for _lsa_OpenPolicy(). Guenther (This used to be commit b6b226e6365477f855de1e549ef32df452838031)
2008-02-04 23:00:16 +03:00
uint32 des_access= r->in.access_mask;
there is no unknown field in LSA_SEC_QOS some cleanup of the lsa_open_policy and lsa_open_policy2 parser. the length fields are not correct but that's what NT send. We don't anymore underflow or overflow the decoding. added the domain admins group to the default SD. we are now checking the desired access flag in the lsa_open_policy_X() calls and in most functions also. J.F. (This used to be commit a217c4e4ff4d13122703d22258792fe5e8e9f02f)
2001-12-18 02:03:23 +03:00
uint32 acc_granted;
NTSTATUS status;
/* map the generic bits to the lsa policy ones */
se_map_generic(&des_access, &lsa_generic_mapping);
/* get the generic lsa policy SD until we store it */
lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size);
Ok, this patch removes the privilege stuff we had in, unused, for some time. The code was nice, but put in the wrong place (group mapping) and not supported by most of the code, thus useless. We will put back most of the code when our infrastructure will be changed so that privileges actually really make sense to be set. This is a first patch of a set to enhance all our mapping code cleaness and stability towards a sane next beta for 3.0 code base Simo. (This used to be commit e341e7c49f8c17a9ee30ca3fab3aa0397c1f0c7e)
2003-06-18 19:24:10 +04:00
if(!se_access_check(psd, p->pipe_user.nt_user_token, des_access, &acc_granted, &status)) {
Unify access checks for lsa server functions. Jeremy.
2008-10-18 02:24:15 +04:00
if (p->pipe_user.ut.uid != sec_initial_uid()) {
Ok, this patch removes the privilege stuff we had in, unused, for some time. The code was nice, but put in the wrong place (group mapping) and not supported by most of the code, thus useless. We will put back most of the code when our infrastructure will be changed so that privileges actually really make sense to be set. This is a first patch of a set to enhance all our mapping code cleaness and stability towards a sane next beta for 3.0 code base Simo. (This used to be commit e341e7c49f8c17a9ee30ca3fab3aa0397c1f0c7e)
2003-06-18 19:24:10 +04:00
return status;
}
DEBUG(4,("ACCESS should be DENIED (granted: %#010x; required: %#010x)\n",
acc_granted, des_access));
DEBUGADD(4,("but overwritten by euid == 0\n"));
acc_granted = des_access;
}
there is no unknown field in LSA_SEC_QOS some cleanup of the lsa_open_policy and lsa_open_policy2 parser. the length fields are not correct but that's what NT send. We don't anymore underflow or overflow the decoding. added the domain admins group to the default SD. we are now checking the desired access flag in the lsa_open_policy_X() calls and in most functions also. J.F. (This used to be commit a217c4e4ff4d13122703d22258792fe5e8e9f02f)
2001-12-18 02:03:23 +03:00
/* associate the domain SID with the (unique) handle. */
r4088: Get medieval on our ass about malloc.... :-). Take control of all our allocation functions so we can funnel through some well known functions. Should help greatly with malloc checking. HEAD patch to follow. Jeremy. (This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
2004-12-07 21:25:53 +03:00
if ((info = SMB_MALLOC_P(struct lsa_info)) == NULL)
there is no unknown field in LSA_SEC_QOS some cleanup of the lsa_open_policy and lsa_open_policy2 parser. the length fields are not correct but that's what NT send. We don't anymore underflow or overflow the decoding. added the domain admins group to the default SD. we are now checking the desired access flag in the lsa_open_policy_X() calls and in most functions also. J.F. (This used to be commit a217c4e4ff4d13122703d22258792fe5e8e9f02f)
2001-12-18 02:03:23 +03:00
return NT_STATUS_NO_MEMORY;
ZERO_STRUCTP(info);
updated the 3.0 branch from the head branch - ready for alpha18 (This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
2002-07-15 14:35:28 +04:00
sid_copy(&info->sid,get_global_sam_sid());
there is no unknown field in LSA_SEC_QOS some cleanup of the lsa_open_policy and lsa_open_policy2 parser. the length fields are not correct but that's what NT send. We don't anymore underflow or overflow the decoding. added the domain admins group to the default SD. we are now checking the desired access flag in the lsa_open_policy_X() calls and in most functions also. J.F. (This used to be commit a217c4e4ff4d13122703d22258792fe5e8e9f02f)
2001-12-18 02:03:23 +03:00
info->access = acc_granted;
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
/* set up the LSA QUERY INFO response */
Use pidl for _lsa_OpenPolicy(). Guenther (This used to be commit b6b226e6365477f855de1e549ef32df452838031)
2008-02-04 23:00:16 +03:00
if (!create_policy_hnd(p, r->out.handle, free_lsa_info, (void *)info))
Merge of new 2.2 code into HEAD (Gerald I hate you :-) :-). Allows new SAMR RPC code to merge with new passdb code. Currently rpcclient doesn't compile. I'm working on it... Jeremy. (This used to be commit 0be41d5158ea4e645e93e8cd30617c038416e549)
2001-03-11 03:32:10 +03:00
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
converted another bunch of stuff to NTSTATUS (This used to be commit 1d36250e338ae0ff9fbbf86019809205dd97d05e)
2001-08-27 23:46:22 +04:00
return NT_STATUS_OK;
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
}
/***************************************************************************
Use pidl for _lsa_EnumTrustDom() Guenther (This used to be commit 1f45079907d03116b48b55d616281ed4359a66d8)
2008-02-13 02:02:21 +03:00
_lsa_EnumTrustDom - this needs fixing to do more than return NULL ! JRA.
updated the 3.0 branch from the head branch - ready for alpha18 (This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
2002-07-15 14:35:28 +04:00
ufff, done :) mimir
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
***************************************************************************/
Use pidl for _lsa_EnumTrustDom() Guenther (This used to be commit 1f45079907d03116b48b55d616281ed4359a66d8)
2008-02-13 02:02:21 +03:00
NTSTATUS _lsa_EnumTrustDom(pipes_struct *p,
struct lsa_EnumTrustDom *r)
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
{
there is no unknown field in LSA_SEC_QOS some cleanup of the lsa_open_policy and lsa_open_policy2 parser. the length fields are not correct but that's what NT send. We don't anymore underflow or overflow the decoding. added the domain admins group to the default SD. we are now checking the desired access flag in the lsa_open_policy_X() calls and in most functions also. J.F. (This used to be commit a217c4e4ff4d13122703d22258792fe5e8e9f02f)
2001-12-18 02:03:23 +03:00
struct lsa_info *info;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
uint32 next_idx;
struct trustdom_info **domains;
Use pidl for _lsa_EnumTrustDom() Guenther (This used to be commit 1f45079907d03116b48b55d616281ed4359a66d8)
2008-02-13 02:02:21 +03:00
struct lsa_DomainInfo *lsa_domains = NULL;
int i;
updated the 3.0 branch from the head branch - ready for alpha18 (This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
2002-07-15 14:35:28 +04:00
/*
* preferred length is set to 5 as a "our" preferred length
* nt sets this parameter to 2
sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-09-25 19:19:00 +04:00
* update (20.08.2002): it's not preferred length, but preferred size!
* it needs further investigation how to optimally choose this value
updated the 3.0 branch from the head branch - ready for alpha18 (This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
2002-07-15 14:35:28 +04:00
*/
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
uint32 max_num_domains =
Use pidl for _lsa_EnumTrustDom() Guenther (This used to be commit 1f45079907d03116b48b55d616281ed4359a66d8)
2008-02-13 02:02:21 +03:00
r->in.max_size < 5 ? r->in.max_size : 10;
updated the 3.0 branch from the head branch - ready for alpha18 (This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
2002-07-15 14:35:28 +04:00
uint32 num_domains;
NTSTATUS nt_status;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
uint32 num_thistime;
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
Use pidl for _lsa_EnumTrustDom() Guenther (This used to be commit 1f45079907d03116b48b55d616281ed4359a66d8)
2008-02-13 02:02:21 +03:00
if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
Merge of new 2.2 code into HEAD (Gerald I hate you :-) :-). Allows new SAMR RPC code to merge with new passdb code. Currently rpcclient doesn't compile. I'm working on it... Jeremy. (This used to be commit 0be41d5158ea4e645e93e8cd30617c038416e549)
2001-03-11 03:32:10 +03:00
return NT_STATUS_INVALID_HANDLE;
Fix typos. the user have -> has Karolin (This used to be commit 1ee2ad1051e6076709ef8ed2f45bebff10b0c3cf)
2008-07-18 17:31:36 +04:00
/* check if the user has enough rights */
Use new LSA_POLICY defines in lsa rpc server code and other places. Guenther (This used to be commit 58cca9faf9db506bd2f6eab4a99ef85153797ab2)
2008-02-27 17:49:31 +03:00
if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
there is no unknown field in LSA_SEC_QOS some cleanup of the lsa_open_policy and lsa_open_policy2 parser. the length fields are not correct but that's what NT send. We don't anymore underflow or overflow the decoding. added the domain admins group to the default SD. we are now checking the desired access flag in the lsa_open_policy_X() calls and in most functions also. J.F. (This used to be commit a217c4e4ff4d13122703d22258792fe5e8e9f02f)
2001-12-18 02:03:23 +03:00
return NT_STATUS_ACCESS_DENIED;
Fix bug 5500 -- thanks to mathion at thorrovydeti.com for reporting (cherry picked from commit 996c3ce6f0dbe79b0679ae30afd873c24fe5b1eb) (This used to be commit 1f86c7a2a19e66948c9b51572d3c078b6e03ef52)
2008-06-16 15:27:16 +04:00
become_root();
r20824: Send access to the trusted domain passwords through the pdb backend, so that in the next step we can store them in LDAP to be replicated across DCs. Thanks to Michael Adam <ma@sernet.de> Volker (This used to be commit 3c879745cfc39be6128b63a88ecdbfa3d9ce6c2d)
2007-01-16 11:17:26 +03:00
nt_status = pdb_enum_trusteddoms(p->mem_ctx, &num_domains, &domains);
Fix bug 5500 -- thanks to mathion at thorrovydeti.com for reporting (cherry picked from commit 996c3ce6f0dbe79b0679ae30afd873c24fe5b1eb) (This used to be commit 1f86c7a2a19e66948c9b51572d3c078b6e03ef52)
2008-06-16 15:27:16 +04:00
unbecome_root();
updated the 3.0 branch from the head branch - ready for alpha18 (This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
2002-07-15 14:35:28 +04:00
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if (!NT_STATUS_IS_OK(nt_status)) {
updated the 3.0 branch from the head branch - ready for alpha18 (This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
2002-07-15 14:35:28 +04:00
return nt_status;
}
Use pidl for _lsa_EnumTrustDom() Guenther (This used to be commit 1f45079907d03116b48b55d616281ed4359a66d8)
2008-02-13 02:02:21 +03:00
if (*r->in.resume_handle < num_domains) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
num_thistime = MIN(num_domains, max_num_domains);
Use pidl for _lsa_EnumTrustDom() Guenther (This used to be commit 1f45079907d03116b48b55d616281ed4359a66d8)
2008-02-13 02:02:21 +03:00
nt_status = STATUS_MORE_ENTRIES;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
Use pidl for _lsa_EnumTrustDom() Guenther (This used to be commit 1f45079907d03116b48b55d616281ed4359a66d8)
2008-02-13 02:02:21 +03:00
if (*r->in.resume_handle + num_thistime > num_domains) {
num_thistime = num_domains - *r->in.resume_handle;
nt_status = NT_STATUS_OK;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
}
Use pidl for _lsa_EnumTrustDom() Guenther (This used to be commit 1f45079907d03116b48b55d616281ed4359a66d8)
2008-02-13 02:02:21 +03:00
next_idx = *r->in.resume_handle + num_thistime;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
} else {
num_thistime = 0;
next_idx = 0xffffffff;
Use pidl for _lsa_EnumTrustDom() Guenther (This used to be commit 1f45079907d03116b48b55d616281ed4359a66d8)
2008-02-13 02:02:21 +03:00
nt_status = NT_STATUS_NO_MORE_ENTRIES;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
}
Use pidl for _lsa_EnumTrustDom() Guenther (This used to be commit 1f45079907d03116b48b55d616281ed4359a66d8)
2008-02-13 02:02:21 +03:00
updated the 3.0 branch from the head branch - ready for alpha18 (This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
2002-07-15 14:35:28 +04:00
/* set up the lsa_enum_trust_dom response */
r6228: remove BUFHDR2 and clean up LsaEnumTrustedDomains() Tested client and server code. (This used to be commit efb3ac4c69c72c0fa01c558951fa357893562bce)
2005-04-07 02:27:55 +04:00
Use pidl for _lsa_EnumTrustDom() Guenther (This used to be commit 1f45079907d03116b48b55d616281ed4359a66d8)
2008-02-13 02:02:21 +03:00
lsa_domains = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_DomainInfo,
num_thistime);
if (!lsa_domains) {
return NT_STATUS_NO_MEMORY;
}
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
Use pidl for _lsa_EnumTrustDom() Guenther (This used to be commit 1f45079907d03116b48b55d616281ed4359a66d8)
2008-02-13 02:02:21 +03:00
for (i=0; i<num_thistime; i++) {
init_lsa_StringLarge(&lsa_domains[i].name, domains[i]->name);
lsa_domains[i].sid = &domains[i]->sid;
}
*r->out.resume_handle = next_idx;
r->out.domains->count = num_thistime;
r->out.domains->domains = lsa_domains;
return nt_status;
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
}
Move LSA_AUDIT_NUM_CATEGORIES defines to lsa rpc_server. Guenther (This used to be commit 9e7d32e28ce40ff158f3705354e8673f99b462bc)
2008-02-27 18:14:27 +03:00
#define LSA_AUDIT_NUM_CATEGORIES_NT4 7
#define LSA_AUDIT_NUM_CATEGORIES_WIN2K 9
#define LSA_AUDIT_NUM_CATEGORIES LSA_AUDIT_NUM_CATEGORIES_NT4
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
/***************************************************************************
Use pidl for _lsa_QueryInfoPolicy(). Guenther (This used to be commit 1b931e9145910a74b9e9661a9255cd79e434ffea)
2008-02-08 03:13:50 +03:00
_lsa_QueryInfoPolicy
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
***************************************************************************/
Use pidl for _lsa_QueryInfoPolicy(). Guenther (This used to be commit 1b931e9145910a74b9e9661a9255cd79e434ffea)
2008-02-08 03:13:50 +03:00
NTSTATUS _lsa_QueryInfoPolicy(pipes_struct *p,
struct lsa_QueryInfoPolicy *r)
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
{
Use pidl for _lsa_QueryInfoPolicy(). Guenther (This used to be commit 1b931e9145910a74b9e9661a9255cd79e434ffea)
2008-02-08 03:13:50 +03:00
NTSTATUS status = NT_STATUS_OK;
there is no unknown field in LSA_SEC_QOS some cleanup of the lsa_open_policy and lsa_open_policy2 parser. the length fields are not correct but that's what NT send. We don't anymore underflow or overflow the decoding. added the domain admins group to the default SD. we are now checking the desired access flag in the lsa_open_policy_X() calls and in most functions also. J.F. (This used to be commit a217c4e4ff4d13122703d22258792fe5e8e9f02f)
2001-12-18 02:03:23 +03:00
struct lsa_info *handle;
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
DOM_SID domain_sid;
Removed global_myworkgroup, global_myname, global_myscope. Added liberal dashes of const. This is a rather large check-in, some things may break. It does compile though :-). Jeremy. (This used to be commit f755711df8f74f9b8e8c1a2b0d07d02a931eeb89)
2002-11-13 02:20:50 +03:00
const char *name;
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
DOM_SID *sid = NULL;
Use pidl for _lsa_QueryInfoPolicy(). Guenther (This used to be commit 1b931e9145910a74b9e9661a9255cd79e434ffea)
2008-02-08 03:13:50 +03:00
union lsa_PolicyInformation *info = NULL;
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
Use pidl for _lsa_QueryInfoPolicy(). Guenther (This used to be commit 1b931e9145910a74b9e9661a9255cd79e434ffea)
2008-02-08 03:13:50 +03:00
if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
Merge of new 2.2 code into HEAD (Gerald I hate you :-) :-). Allows new SAMR RPC code to merge with new passdb code. Currently rpcclient doesn't compile. I'm working on it... Jeremy. (This used to be commit 0be41d5158ea4e645e93e8cd30617c038416e549)
2001-03-11 03:32:10 +03:00
return NT_STATUS_INVALID_HANDLE;
Use pidl for _lsa_QueryInfoPolicy(). Guenther (This used to be commit 1b931e9145910a74b9e9661a9255cd79e434ffea)
2008-02-08 03:13:50 +03:00
info = TALLOC_ZERO_P(p->mem_ctx, union lsa_PolicyInformation);
if (!info) {
return NT_STATUS_NO_MEMORY;
}
switch (r->in.level) {
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
case 0x02:
{
r15041: Adding rpc client calls to manipulate auditing policies on remote CIFS servers. Also add a new "net rpc audit" tool. The lsa query infolevels were taken from samb4 IDL, the lsa policy flags and categories are partly documented on msdn. I need to cleanup the double lsa_query_info_policy{2}{_new} calls next. Guenther (This used to be commit 0fed66926f4b72444abfc8ffb8c46cca8d0600aa)
2006-04-11 19:47:24 +04:00
uint32 policy_def = LSA_AUDIT_POLICY_ALL;
Use pidl for _lsa_QueryInfoPolicy(). Guenther (This used to be commit 1b931e9145910a74b9e9661a9255cd79e434ffea)
2008-02-08 03:13:50 +03:00
Fix typos. the user have -> has Karolin (This used to be commit 1ee2ad1051e6076709ef8ed2f45bebff10b0c3cf)
2008-07-18 17:31:36 +04:00
/* check if the user has enough rights */
Use new LSA_POLICY defines in lsa rpc server code and other places. Guenther (This used to be commit 58cca9faf9db506bd2f6eab4a99ef85153797ab2)
2008-02-27 17:49:31 +03:00
if (!(handle->access & LSA_POLICY_VIEW_AUDIT_INFORMATION)) {
Use pidl for _lsa_QueryInfoPolicy(). Guenther (This used to be commit 1b931e9145910a74b9e9661a9255cd79e434ffea)
2008-02-08 03:13:50 +03:00
DEBUG(10,("_lsa_QueryInfoPolicy: insufficient access rights\n"));
there is no unknown field in LSA_SEC_QOS some cleanup of the lsa_open_policy and lsa_open_policy2 parser. the length fields are not correct but that's what NT send. We don't anymore underflow or overflow the decoding. added the domain admins group to the default SD. we are now checking the desired access flag in the lsa_open_policy_X() calls and in most functions also. J.F. (This used to be commit a217c4e4ff4d13122703d22258792fe5e8e9f02f)
2001-12-18 02:03:23 +03:00
return NT_STATUS_ACCESS_DENIED;
r15041: Adding rpc client calls to manipulate auditing policies on remote CIFS servers. Also add a new "net rpc audit" tool. The lsa query infolevels were taken from samb4 IDL, the lsa policy flags and categories are partly documented on msdn. I need to cleanup the double lsa_query_info_policy{2}{_new} calls next. Guenther (This used to be commit 0fed66926f4b72444abfc8ffb8c46cca8d0600aa)
2006-04-11 19:47:24 +04:00
}
there is no unknown field in LSA_SEC_QOS some cleanup of the lsa_open_policy and lsa_open_policy2 parser. the length fields are not correct but that's what NT send. We don't anymore underflow or overflow the decoding. added the domain admins group to the default SD. we are now checking the desired access flag in the lsa_open_policy_X() calls and in most functions also. J.F. (This used to be commit a217c4e4ff4d13122703d22258792fe5e8e9f02f)
2001-12-18 02:03:23 +03:00
/* fake info: We audit everything. ;) */
r15041: Adding rpc client calls to manipulate auditing policies on remote CIFS servers. Also add a new "net rpc audit" tool. The lsa query infolevels were taken from samb4 IDL, the lsa policy flags and categories are partly documented on msdn. I need to cleanup the double lsa_query_info_policy{2}{_new} calls next. Guenther (This used to be commit 0fed66926f4b72444abfc8ffb8c46cca8d0600aa)
2006-04-11 19:47:24 +04:00
Use pidl for _lsa_QueryInfoPolicy(). Guenther (This used to be commit 1b931e9145910a74b9e9661a9255cd79e434ffea)
2008-02-08 03:13:50 +03:00
info->audit_events.auditing_mode = true;
info->audit_events.count = LSA_AUDIT_NUM_CATEGORIES;
info->audit_events.settings = TALLOC_ZERO_ARRAY(p->mem_ctx,
enum lsa_PolicyAuditPolicy,
info->audit_events.count);
if (!info->audit_events.settings) {
there is no unknown field in LSA_SEC_QOS some cleanup of the lsa_open_policy and lsa_open_policy2 parser. the length fields are not correct but that's what NT send. We don't anymore underflow or overflow the decoding. added the domain admins group to the default SD. we are now checking the desired access flag in the lsa_open_policy_X() calls and in most functions also. J.F. (This used to be commit a217c4e4ff4d13122703d22258792fe5e8e9f02f)
2001-12-18 02:03:23 +03:00
return NT_STATUS_NO_MEMORY;
Use pidl for _lsa_QueryInfoPolicy(). Guenther (This used to be commit 1b931e9145910a74b9e9661a9255cd79e434ffea)
2008-02-08 03:13:50 +03:00
}
r15041: Adding rpc client calls to manipulate auditing policies on remote CIFS servers. Also add a new "net rpc audit" tool. The lsa query infolevels were taken from samb4 IDL, the lsa policy flags and categories are partly documented on msdn. I need to cleanup the double lsa_query_info_policy{2}{_new} calls next. Guenther (This used to be commit 0fed66926f4b72444abfc8ffb8c46cca8d0600aa)
2006-04-11 19:47:24 +04:00
Use pidl for _lsa_QueryInfoPolicy(). Guenther (This used to be commit 1b931e9145910a74b9e9661a9255cd79e434ffea)
2008-02-08 03:13:50 +03:00
info->audit_events.settings[LSA_AUDIT_CATEGORY_ACCOUNT_MANAGEMENT] = policy_def;
info->audit_events.settings[LSA_AUDIT_CATEGORY_FILE_AND_OBJECT_ACCESS] = policy_def;
info->audit_events.settings[LSA_AUDIT_CATEGORY_LOGON] = policy_def;
info->audit_events.settings[LSA_AUDIT_CATEGORY_PROCCESS_TRACKING] = policy_def;
info->audit_events.settings[LSA_AUDIT_CATEGORY_SECURITY_POLICY_CHANGES] = policy_def;
info->audit_events.settings[LSA_AUDIT_CATEGORY_SYSTEM] = policy_def;
info->audit_events.settings[LSA_AUDIT_CATEGORY_USE_OF_USER_RIGHTS] = policy_def;
r15041: Adding rpc client calls to manipulate auditing policies on remote CIFS servers. Also add a new "net rpc audit" tool. The lsa query infolevels were taken from samb4 IDL, the lsa policy flags and categories are partly documented on msdn. I need to cleanup the double lsa_query_info_policy{2}{_new} calls next. Guenther (This used to be commit 0fed66926f4b72444abfc8ffb8c46cca8d0600aa)
2006-04-11 19:47:24 +04:00
there is no unknown field in LSA_SEC_QOS some cleanup of the lsa_open_policy and lsa_open_policy2 parser. the length fields are not correct but that's what NT send. We don't anymore underflow or overflow the decoding. added the domain admins group to the default SD. we are now checking the desired access flag in the lsa_open_policy_X() calls and in most functions also. J.F. (This used to be commit a217c4e4ff4d13122703d22258792fe5e8e9f02f)
2001-12-18 02:03:23 +03:00
break;
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
}
case 0x03:
Fix typos. the user have -> has Karolin (This used to be commit 1ee2ad1051e6076709ef8ed2f45bebff10b0c3cf)
2008-07-18 17:31:36 +04:00
/* check if the user has enough rights */
Use new LSA_POLICY defines in lsa rpc server code and other places. Guenther (This used to be commit 58cca9faf9db506bd2f6eab4a99ef85153797ab2)
2008-02-27 17:49:31 +03:00
if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
there is no unknown field in LSA_SEC_QOS some cleanup of the lsa_open_policy and lsa_open_policy2 parser. the length fields are not correct but that's what NT send. We don't anymore underflow or overflow the decoding. added the domain admins group to the default SD. we are now checking the desired access flag in the lsa_open_policy_X() calls and in most functions also. J.F. (This used to be commit a217c4e4ff4d13122703d22258792fe5e8e9f02f)
2001-12-18 02:03:23 +03:00
return NT_STATUS_ACCESS_DENIED;
JF pointed out we were returning the wrong info for Domain member with info levels 3 and 5. I *hate* LSAQueryInfoPolicy() :-). Jeremy. (This used to be commit 37581bdf1e1f24dabe67befdc27f54f516d3f08e)
2001-04-22 03:06:59 +04:00
/* Request PolicyPrimaryDomainInformation. */
switch (lp_server_role()) {
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
case ROLE_DOMAIN_PDC:
case ROLE_DOMAIN_BDC:
Set our 'global sam name' in one place. For domain controllers, this is lp_workgroup(), for all other server this is global_myname(). This is the name of the domain for accounts on *this* system, and getting this wrong caused interesting bugs with 'take ownership' on member servers and standalone servers at Snap. (They lookup the username that they got, then convert that to a SID - but becouse the domain out of the smbpasswd entry was wrong, we would fail the lookup). Andrew Bartlett (This used to be commit 5fc78eba20411f3f5a8ccadfcba5c4ab73180dba)
2003-05-07 12:21:06 +04:00
name = get_global_sam_name();
Fix lsa_QueryInfoPolicy: make proper talloc copies of the sids. Guenther (This used to be commit b9441232d66d78e66464be6c9748a023681ce6ca)
2008-03-04 14:46:15 +03:00
sid = sid_dup_talloc(p->mem_ctx, get_global_sam_sid());
if (!sid) {
return NT_STATUS_NO_MEMORY;
}
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
break;
case ROLE_DOMAIN_MEMBER:
Removed global_myworkgroup, global_myname, global_myscope. Added liberal dashes of const. This is a rather large check-in, some things may break. It does compile though :-). Jeremy. (This used to be commit f755711df8f74f9b8e8c1a2b0d07d02a931eeb89)
2002-11-13 02:20:50 +03:00
name = lp_workgroup();
JF pointed out we were returning the wrong info for Domain member with info levels 3 and 5. I *hate* LSAQueryInfoPolicy() :-). Jeremy. (This used to be commit 37581bdf1e1f24dabe67befdc27f54f516d3f08e)
2001-04-22 03:06:59 +04:00
/* We need to return the Domain SID here. */
Fix lsa_QueryInfoPolicy: make proper talloc copies of the sids. Guenther (This used to be commit b9441232d66d78e66464be6c9748a023681ce6ca)
2008-03-04 14:46:15 +03:00
if (secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) {
sid = sid_dup_talloc(p->mem_ctx, &domain_sid);
if (!sid) {
return NT_STATUS_NO_MEMORY;
}
} else {
JF pointed out we were returning the wrong info for Domain member with info levels 3 and 5. I *hate* LSAQueryInfoPolicy() :-). Jeremy. (This used to be commit 37581bdf1e1f24dabe67befdc27f54f516d3f08e)
2001-04-22 03:06:59 +04:00
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
Fix lsa_QueryInfoPolicy: make proper talloc copies of the sids. Guenther (This used to be commit b9441232d66d78e66464be6c9748a023681ce6ca)
2008-03-04 14:46:15 +03:00
}
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
break;
Final ! Fix. Jeremy. (This used to be commit 58dd295882a944934014a31c61eed35bf04fc2bd)
2001-03-15 06:08:22 +03:00
case ROLE_STANDALONE:
Removed global_myworkgroup, global_myname, global_myscope. Added liberal dashes of const. This is a rather large check-in, some things may break. It does compile though :-). Jeremy. (This used to be commit f755711df8f74f9b8e8c1a2b0d07d02a931eeb89)
2002-11-13 02:20:50 +03:00
name = lp_workgroup();
this fixes the problem of not being able to add a SD to a file on a non-domain Samba server from a NT4 client. Note that this exactly reverses a change by Jeremy on the 18th of December 2001, reverting the code back to what JF originally wrote. I have looked carefully with a sniffer and JFs original NULL sid is correct (ie. it matches what NT4 does) and also fixes the problem. Sending a blank sid (which is what jeremy's patch did) causes NT4 to give a classic "parameter is incorrect error" and prevents the addition of new ACLs. (This used to be commit 9930cf97330dd93985c5558cec6b24406e90c228)
2002-01-31 12:37:26 +03:00
sid = NULL;
Final ! Fix. Jeremy. (This used to be commit 58dd295882a944934014a31c61eed35bf04fc2bd)
2001-03-15 06:08:22 +03:00
break;
Return correct error message if we can't get the SID secret. Jeremy. (This used to be commit c202ebe3b6aa413fa7b00ec6d1b3f123f1e1a55b)
2001-03-15 05:49:06 +03:00
default:
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
}
Use pidl for _lsa_QueryInfoPolicy(). Guenther (This used to be commit 1b931e9145910a74b9e9661a9255cd79e434ffea)
2008-02-08 03:13:50 +03:00
init_dom_query_3(&info->domain, name, sid);
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
break;
case 0x05:
Fix typos. the user have -> has Karolin (This used to be commit 1ee2ad1051e6076709ef8ed2f45bebff10b0c3cf)
2008-07-18 17:31:36 +04:00
/* check if the user has enough rights */
Use new LSA_POLICY defines in lsa rpc server code and other places. Guenther (This used to be commit 58cca9faf9db506bd2f6eab4a99ef85153797ab2)
2008-02-27 17:49:31 +03:00
if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
there is no unknown field in LSA_SEC_QOS some cleanup of the lsa_open_policy and lsa_open_policy2 parser. the length fields are not correct but that's what NT send. We don't anymore underflow or overflow the decoding. added the domain admins group to the default SD. we are now checking the desired access flag in the lsa_open_policy_X() calls and in most functions also. J.F. (This used to be commit a217c4e4ff4d13122703d22258792fe5e8e9f02f)
2001-12-18 02:03:23 +03:00
return NT_STATUS_ACCESS_DENIED;
JF pointed out we were returning the wrong info for Domain member with info levels 3 and 5. I *hate* LSAQueryInfoPolicy() :-). Jeremy. (This used to be commit 37581bdf1e1f24dabe67befdc27f54f516d3f08e)
2001-04-22 03:06:59 +04:00
/* Request PolicyAccountDomainInformation. */
Set our 'global sam name' in one place. For domain controllers, this is lp_workgroup(), for all other server this is global_myname(). This is the name of the domain for accounts on *this* system, and getting this wrong caused interesting bugs with 'take ownership' on member servers and standalone servers at Snap. (They lookup the username that they got, then convert that to a SID - but becouse the domain out of the smbpasswd entry was wrong, we would fail the lookup). Andrew Bartlett (This used to be commit 5fc78eba20411f3f5a8ccadfcba5c4ab73180dba)
2003-05-07 12:21:06 +04:00
name = get_global_sam_name();
sid = get_global_sam_sid();
Use pidl for _lsa_QueryInfoPolicy(). Guenther (This used to be commit 1b931e9145910a74b9e9661a9255cd79e434ffea)
2008-02-08 03:13:50 +03:00
init_dom_query_5(&info->account_domain, name, sid);
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
break;
case 0x06:
Fix typos. the user have -> has Karolin (This used to be commit 1ee2ad1051e6076709ef8ed2f45bebff10b0c3cf)
2008-07-18 17:31:36 +04:00
/* check if the user has enough rights */
Use new LSA_POLICY defines in lsa rpc server code and other places. Guenther (This used to be commit 58cca9faf9db506bd2f6eab4a99ef85153797ab2)
2008-02-27 17:49:31 +03:00
if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
there is no unknown field in LSA_SEC_QOS some cleanup of the lsa_open_policy and lsa_open_policy2 parser. the length fields are not correct but that's what NT send. We don't anymore underflow or overflow the decoding. added the domain admins group to the default SD. we are now checking the desired access flag in the lsa_open_policy_X() calls and in most functions also. J.F. (This used to be commit a217c4e4ff4d13122703d22258792fe5e8e9f02f)
2001-12-18 02:03:23 +03:00
return NT_STATUS_ACCESS_DENIED;
JF pointed out we were returning the wrong info for Domain member with info levels 3 and 5. I *hate* LSAQueryInfoPolicy() :-). Jeremy. (This used to be commit 37581bdf1e1f24dabe67befdc27f54f516d3f08e)
2001-04-22 03:06:59 +04:00
switch (lp_server_role()) {
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
case ROLE_DOMAIN_BDC:
/*
* only a BDC is a backup controller
* of the domain, it controls.
*/
Use pidl for _lsa_QueryInfoPolicy(). Guenther (This used to be commit 1b931e9145910a74b9e9661a9255cd79e434ffea)
2008-02-08 03:13:50 +03:00
info->role.role = 2;
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
break;
default:
/*
* any other role is a primary
* of the domain, it controls.
*/
Use pidl for _lsa_QueryInfoPolicy(). Guenther (This used to be commit 1b931e9145910a74b9e9661a9255cd79e434ffea)
2008-02-08 03:13:50 +03:00
info->role.role = 3;
break;
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
}
break;
default:
Use pidl for _lsa_QueryInfoPolicy(). Guenther (This used to be commit 1b931e9145910a74b9e9661a9255cd79e434ffea)
2008-02-08 03:13:50 +03:00
DEBUG(0,("_lsa_QueryInfoPolicy: unknown info level in Lsa Query: %d\n",
r->in.level));
status = NT_STATUS_INVALID_INFO_CLASS;
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
break;
}
Use pidl for _lsa_QueryInfoPolicy(). Guenther (This used to be commit 1b931e9145910a74b9e9661a9255cd79e434ffea)
2008-02-08 03:13:50 +03:00
*r->out.info = info;
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
Use pidl for _lsa_QueryInfoPolicy(). Guenther (This used to be commit 1b931e9145910a74b9e9661a9255cd79e434ffea)
2008-02-08 03:13:50 +03:00
return status;
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
}
/***************************************************************************
r13447: Added LSA_LOOKUPSIDS2 and LSA_LOOKUPSIDS3. Jeremy. (This used to be commit a164cfab420a2439dad8fd85f8b4d652087fa6b9)
2006-02-11 02:52:53 +03:00
_lsa_lookup_sids_internal
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
***************************************************************************/
r13447: Added LSA_LOOKUPSIDS2 and LSA_LOOKUPSIDS3. Jeremy. (This used to be commit a164cfab420a2439dad8fd85f8b4d652087fa6b9)
2006-02-11 02:52:53 +03:00
static NTSTATUS _lsa_lookup_sids_internal(pipes_struct *p,
Use pidl for _lsa_LookupSids, _lsa_LookupSids2 and _lsa_LookupSids3. Guenther (This used to be commit b1609801e4443a3efbc29873477ad335d0241be4)
2008-02-19 03:01:15 +03:00
TALLOC_CTX *mem_ctx,
uint16_t level, /* input */
int num_sids, /* input */
struct lsa_SidPtr *sid, /* input */
struct lsa_RefDomainList **pp_ref, /* input/output */
struct lsa_TranslatedName2 **pp_names,/* input/output */
uint32_t *pp_mapped_count) /* input/output */
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
{
r13447: Added LSA_LOOKUPSIDS2 and LSA_LOOKUPSIDS3. Jeremy. (This used to be commit a164cfab420a2439dad8fd85f8b4d652087fa6b9)
2006-02-11 02:52:53 +03:00
NTSTATUS status;
int i;
const DOM_SID **sids = NULL;
Use pidl for _lsa_LookupSids, _lsa_LookupSids2 and _lsa_LookupSids3. Guenther (This used to be commit b1609801e4443a3efbc29873477ad335d0241be4)
2008-02-19 03:01:15 +03:00
struct lsa_RefDomainList *ref = NULL;
r13447: Added LSA_LOOKUPSIDS2 and LSA_LOOKUPSIDS3. Jeremy. (This used to be commit a164cfab420a2439dad8fd85f8b4d652087fa6b9)
2006-02-11 02:52:53 +03:00
uint32 mapped_count = 0;
struct lsa_dom_info *dom_infos = NULL;
struct lsa_name_info *name_infos = NULL;
Use pidl for _lsa_LookupSids, _lsa_LookupSids2 and _lsa_LookupSids3. Guenther (This used to be commit b1609801e4443a3efbc29873477ad335d0241be4)
2008-02-19 03:01:15 +03:00
struct lsa_TranslatedName2 *names = NULL;
Don't core dump listing thousands of users in usrmgr. Jeremy. (This used to be commit c6566fa5fadf37a2b133e7be1f13c0de93efab34)
2002-03-30 00:50:21 +03:00
r13447: Added LSA_LOOKUPSIDS2 and LSA_LOOKUPSIDS3. Jeremy. (This used to be commit a164cfab420a2439dad8fd85f8b4d652087fa6b9)
2006-02-11 02:52:53 +03:00
*pp_mapped_count = 0;
Use pidl for _lsa_LookupSids, _lsa_LookupSids2 and _lsa_LookupSids3. Guenther (This used to be commit b1609801e4443a3efbc29873477ad335d0241be4)
2008-02-19 03:01:15 +03:00
*pp_names = NULL;
r13447: Added LSA_LOOKUPSIDS2 and LSA_LOOKUPSIDS3. Jeremy. (This used to be commit a164cfab420a2439dad8fd85f8b4d652087fa6b9)
2006-02-11 02:52:53 +03:00
*pp_ref = NULL;
r22675: Simo's patch for 0 size allocation. Still need to examine parse_misc.c fix. Jeremy. (This used to be commit 80d981265cd3bc9d73c5da3c514ec736e2dfa73a)
2007-05-05 02:01:26 +04:00
if (num_sids == 0) {
return NT_STATUS_OK;
}
r13447: Added LSA_LOOKUPSIDS2 and LSA_LOOKUPSIDS3. Jeremy. (This used to be commit a164cfab420a2439dad8fd85f8b4d652087fa6b9)
2006-02-11 02:52:53 +03:00
sids = TALLOC_ARRAY(p->mem_ctx, const DOM_SID *, num_sids);
Use pidl for _lsa_LookupSids, _lsa_LookupSids2 and _lsa_LookupSids3. Guenther (This used to be commit b1609801e4443a3efbc29873477ad335d0241be4)
2008-02-19 03:01:15 +03:00
ref = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
r23400: Fix lsa crash bug #4683. The "names" enum struct in a lookup_sidX reply isn't optional - like the lookup_sidX query it needs to be defined in the struct. All this will go away with PIDL (thank goodness....). Jerry - I think this is a showstopper to be merged for 3.0.25b. I'll be watching the build farm to see if anything broke. Jeremy. (This used to be commit 9300b92f7a51eb80fdc039d8dad23ea9ce82aa8f)
2007-06-09 04:13:07 +04:00
if (sids == NULL || ref == NULL) {
r13447: Added LSA_LOOKUPSIDS2 and LSA_LOOKUPSIDS3. Jeremy. (This used to be commit a164cfab420a2439dad8fd85f8b4d652087fa6b9)
2006-02-11 02:52:53 +03:00
return NT_STATUS_NO_MEMORY;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
}
for (i=0; i<num_sids; i++) {
Use pidl for _lsa_LookupSids, _lsa_LookupSids2 and _lsa_LookupSids3. Guenther (This used to be commit b1609801e4443a3efbc29873477ad335d0241be4)
2008-02-19 03:01:15 +03:00
sids[i] = sid[i].sid;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
}
r13447: Added LSA_LOOKUPSIDS2 and LSA_LOOKUPSIDS3. Jeremy. (This used to be commit a164cfab420a2439dad8fd85f8b4d652087fa6b9)
2006-02-11 02:52:53 +03:00
status = lookup_sids(p->mem_ctx, num_sids, sids, level,
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
&dom_infos, &name_infos);
r13447: Added LSA_LOOKUPSIDS2 and LSA_LOOKUPSIDS3. Jeremy. (This used to be commit a164cfab420a2439dad8fd85f8b4d652087fa6b9)
2006-02-11 02:52:53 +03:00
if (!NT_STATUS_IS_OK(status)) {
return status;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
}
Use pidl for _lsa_LookupSids, _lsa_LookupSids2 and _lsa_LookupSids3. Guenther (This used to be commit b1609801e4443a3efbc29873477ad335d0241be4)
2008-02-19 03:01:15 +03:00
names = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName2, num_sids);
if (names == NULL) {
r22675: Simo's patch for 0 size allocation. Still need to examine parse_misc.c fix. Jeremy. (This used to be commit 80d981265cd3bc9d73c5da3c514ec736e2dfa73a)
2007-05-05 02:01:26 +04:00
return NT_STATUS_NO_MEMORY;
r810: Fix from "Jerome Borsboom" <j.borsboom@erasmusmc.nl> to ensure error status codes don't get overwritten. Jeremy. (This used to be commit c179451b07c2315a667c2ff683cd30c4d224758e)
2004-05-21 22:06:27 +04:00
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
for (i=0; i<MAX_REF_DOMAINS; i++) {
if (!dom_infos[i].valid) {
break;
}
Use pidl for _lsa_LookupSids, _lsa_LookupSids2 and _lsa_LookupSids3. Guenther (This used to be commit b1609801e4443a3efbc29873477ad335d0241be4)
2008-02-19 03:01:15 +03:00
if (init_lsa_ref_domain_list(mem_ctx, ref,
dom_infos[i].name,
&dom_infos[i].sid) != i) {
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
DEBUG(0, ("Domain %s mentioned twice??\n",
dom_infos[i].name));
r13447: Added LSA_LOOKUPSIDS2 and LSA_LOOKUPSIDS3. Jeremy. (This used to be commit a164cfab420a2439dad8fd85f8b4d652087fa6b9)
2006-02-11 02:52:53 +03:00
return NT_STATUS_INTERNAL_ERROR;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
}
}
for (i=0; i<num_sids; i++) {
struct lsa_name_info *name = &name_infos[i];
if (name->type == SID_NAME_UNKNOWN) {
Replace sid_string_static with sid_to_string This adds 28 fstrings on the stack, but I think an fstring on the stack is still far better than a static one. (This used to be commit c7c885078be8fd3024c186044ac28275d7609679)
2007-12-16 00:00:39 +03:00
fstring tmp;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
name->dom_idx = -1;
r17199: Add comment to the RID/SID miracle (This used to be commit 4c4ae01c671bd35687af686a34824a96828e6b25)
2006-07-23 12:18:31 +04:00
/* Unknown sids should return the string
* representation of the SID. Windows 2003 behaves
* rather erratic here, in many cases it returns the
* RID as 8 bytes hex, in others it returns the full
* SID. We (Jerry/VL) could not figure out which the
* hard cases are, so leave it with the SID. */
Remove white space. Guenther (This used to be commit a33ed085094b200e153939cb1b02e567f07b1e50)
2008-02-14 15:12:28 +03:00
name->name = talloc_asprintf(p->mem_ctx, "%s",
s/sid_to_string/sid_to_fstring/ least surprise for callers (This used to be commit eb523ba77697346a365589101aac379febecd546)
2007-12-16 00:47:30 +03:00
sid_to_fstring(tmp,
sids[i]));
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if (name->name == NULL) {
r13447: Added LSA_LOOKUPSIDS2 and LSA_LOOKUPSIDS3. Jeremy. (This used to be commit a164cfab420a2439dad8fd85f8b4d652087fa6b9)
2006-02-11 02:52:53 +03:00
return NT_STATUS_NO_MEMORY;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
}
} else {
mapped_count += 1;
}
Use pidl for _lsa_LookupSids, _lsa_LookupSids2 and _lsa_LookupSids3. Guenther (This used to be commit b1609801e4443a3efbc29873477ad335d0241be4)
2008-02-19 03:01:15 +03:00
init_lsa_translated_name2(&names[i], name->type,
name->name, name->dom_idx, 0);
}
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
r13447: Added LSA_LOOKUPSIDS2 and LSA_LOOKUPSIDS3. Jeremy. (This used to be commit a164cfab420a2439dad8fd85f8b4d652087fa6b9)
2006-02-11 02:52:53 +03:00
status = NT_STATUS_NONE_MAPPED;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
if (mapped_count > 0) {
r13447: Added LSA_LOOKUPSIDS2 and LSA_LOOKUPSIDS3. Jeremy. (This used to be commit a164cfab420a2439dad8fd85f8b4d652087fa6b9)
2006-02-11 02:52:53 +03:00
status = (mapped_count < num_sids) ?
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
STATUS_SOME_UNMAPPED : NT_STATUS_OK;
}
DEBUG(10, ("num_sids %d, mapped_count %d, status %s\n",
r13447: Added LSA_LOOKUPSIDS2 and LSA_LOOKUPSIDS3. Jeremy. (This used to be commit a164cfab420a2439dad8fd85f8b4d652087fa6b9)
2006-02-11 02:52:53 +03:00
num_sids, mapped_count, nt_errstr(status)));
*pp_mapped_count = mapped_count;
Use pidl for _lsa_LookupSids, _lsa_LookupSids2 and _lsa_LookupSids3. Guenther (This used to be commit b1609801e4443a3efbc29873477ad335d0241be4)
2008-02-19 03:01:15 +03:00
*pp_names = names;
r13447: Added LSA_LOOKUPSIDS2 and LSA_LOOKUPSIDS3. Jeremy. (This used to be commit a164cfab420a2439dad8fd85f8b4d652087fa6b9)
2006-02-11 02:52:53 +03:00
*pp_ref = ref;
return status;
}
/***************************************************************************
Use pidl for _lsa_LookupSids, _lsa_LookupSids2 and _lsa_LookupSids3. Guenther (This used to be commit b1609801e4443a3efbc29873477ad335d0241be4)
2008-02-19 03:01:15 +03:00
_lsa_LookupSids
r13447: Added LSA_LOOKUPSIDS2 and LSA_LOOKUPSIDS3. Jeremy. (This used to be commit a164cfab420a2439dad8fd85f8b4d652087fa6b9)
2006-02-11 02:52:53 +03:00
***************************************************************************/
Use pidl for _lsa_LookupSids, _lsa_LookupSids2 and _lsa_LookupSids3. Guenther (This used to be commit b1609801e4443a3efbc29873477ad335d0241be4)
2008-02-19 03:01:15 +03:00
NTSTATUS _lsa_LookupSids(pipes_struct *p,
struct lsa_LookupSids *r)
r13447: Added LSA_LOOKUPSIDS2 and LSA_LOOKUPSIDS3. Jeremy. (This used to be commit a164cfab420a2439dad8fd85f8b4d652087fa6b9)
2006-02-11 02:52:53 +03:00
{
Use pidl for _lsa_LookupSids, _lsa_LookupSids2 and _lsa_LookupSids3. Guenther (This used to be commit b1609801e4443a3efbc29873477ad335d0241be4)
2008-02-19 03:01:15 +03:00
NTSTATUS status;
r13447: Added LSA_LOOKUPSIDS2 and LSA_LOOKUPSIDS3. Jeremy. (This used to be commit a164cfab420a2439dad8fd85f8b4d652087fa6b9)
2006-02-11 02:52:53 +03:00
struct lsa_info *handle;
Use pidl for _lsa_LookupSids, _lsa_LookupSids2 and _lsa_LookupSids3. Guenther (This used to be commit b1609801e4443a3efbc29873477ad335d0241be4)
2008-02-19 03:01:15 +03:00
int num_sids = r->in.sids->num_sids;
r13447: Added LSA_LOOKUPSIDS2 and LSA_LOOKUPSIDS3. Jeremy. (This used to be commit a164cfab420a2439dad8fd85f8b4d652087fa6b9)
2006-02-11 02:52:53 +03:00
uint32 mapped_count = 0;
Use pidl for _lsa_LookupSids, _lsa_LookupSids2 and _lsa_LookupSids3. Guenther (This used to be commit b1609801e4443a3efbc29873477ad335d0241be4)
2008-02-19 03:01:15 +03:00
struct lsa_RefDomainList *domains = NULL;
struct lsa_TranslatedName *names_out = NULL;
struct lsa_TranslatedName2 *names = NULL;
int i;
r13447: Added LSA_LOOKUPSIDS2 and LSA_LOOKUPSIDS3. Jeremy. (This used to be commit a164cfab420a2439dad8fd85f8b4d652087fa6b9)
2006-02-11 02:52:53 +03:00
Use pidl for _lsa_LookupSids, _lsa_LookupSids2 and _lsa_LookupSids3. Guenther (This used to be commit b1609801e4443a3efbc29873477ad335d0241be4)
2008-02-19 03:01:15 +03:00
if ((r->in.level < 1) || (r->in.level > 6)) {
r13447: Added LSA_LOOKUPSIDS2 and LSA_LOOKUPSIDS3. Jeremy. (This used to be commit a164cfab420a2439dad8fd85f8b4d652087fa6b9)
2006-02-11 02:52:53 +03:00
return NT_STATUS_INVALID_PARAMETER;
}
Use pidl for _lsa_LookupSids, _lsa_LookupSids2 and _lsa_LookupSids3. Guenther (This used to be commit b1609801e4443a3efbc29873477ad335d0241be4)
2008-02-19 03:01:15 +03:00
if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
r13447: Added LSA_LOOKUPSIDS2 and LSA_LOOKUPSIDS3. Jeremy. (This used to be commit a164cfab420a2439dad8fd85f8b4d652087fa6b9)
2006-02-11 02:52:53 +03:00
return NT_STATUS_INVALID_HANDLE;
}
/* check if the user has enough rights */
Use new LSA_POLICY defines in lsa rpc server code and other places. Guenther (This used to be commit 58cca9faf9db506bd2f6eab4a99ef85153797ab2)
2008-02-27 17:49:31 +03:00
if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
r13447: Added LSA_LOOKUPSIDS2 and LSA_LOOKUPSIDS3. Jeremy. (This used to be commit a164cfab420a2439dad8fd85f8b4d652087fa6b9)
2006-02-11 02:52:53 +03:00
return NT_STATUS_ACCESS_DENIED;
}
if (num_sids > MAX_LOOKUP_SIDS) {
Use pidl for _lsa_LookupSids, _lsa_LookupSids2 and _lsa_LookupSids3. Guenther (This used to be commit b1609801e4443a3efbc29873477ad335d0241be4)
2008-02-19 03:01:15 +03:00
DEBUG(5,("_lsa_LookupSids: limit of %d exceeded, requested %d\n",
r13447: Added LSA_LOOKUPSIDS2 and LSA_LOOKUPSIDS3. Jeremy. (This used to be commit a164cfab420a2439dad8fd85f8b4d652087fa6b9)
2006-02-11 02:52:53 +03:00
MAX_LOOKUP_SIDS, num_sids));
return NT_STATUS_NONE_MAPPED;
}
Use pidl for _lsa_LookupSids, _lsa_LookupSids2 and _lsa_LookupSids3. Guenther (This used to be commit b1609801e4443a3efbc29873477ad335d0241be4)
2008-02-19 03:01:15 +03:00
status = _lsa_lookup_sids_internal(p,
p->mem_ctx,
r->in.level,
num_sids,
r->in.sids->sids,
&domains,
&names,
&mapped_count);
r13447: Added LSA_LOOKUPSIDS2 and LSA_LOOKUPSIDS3. Jeremy. (This used to be commit a164cfab420a2439dad8fd85f8b4d652087fa6b9)
2006-02-11 02:52:53 +03:00
Use pidl for _lsa_LookupSids, _lsa_LookupSids2 and _lsa_LookupSids3. Guenther (This used to be commit b1609801e4443a3efbc29873477ad335d0241be4)
2008-02-19 03:01:15 +03:00
/* Convert from lsa_TranslatedName2 to lsa_TranslatedName */
names_out = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedName,
num_sids);
if (!names_out) {
return NT_STATUS_NO_MEMORY;
}
r13447: Added LSA_LOOKUPSIDS2 and LSA_LOOKUPSIDS3. Jeremy. (This used to be commit a164cfab420a2439dad8fd85f8b4d652087fa6b9)
2006-02-11 02:52:53 +03:00
Use pidl for _lsa_LookupSids, _lsa_LookupSids2 and _lsa_LookupSids3. Guenther (This used to be commit b1609801e4443a3efbc29873477ad335d0241be4)
2008-02-19 03:01:15 +03:00
for (i=0; i<num_sids; i++) {
names_out[i].sid_type = names[i].sid_type;
names_out[i].name = names[i].name;
names_out[i].sid_index = names[i].sid_index;
r13447: Added LSA_LOOKUPSIDS2 and LSA_LOOKUPSIDS3. Jeremy. (This used to be commit a164cfab420a2439dad8fd85f8b4d652087fa6b9)
2006-02-11 02:52:53 +03:00
}
Use pidl for _lsa_LookupSids, _lsa_LookupSids2 and _lsa_LookupSids3. Guenther (This used to be commit b1609801e4443a3efbc29873477ad335d0241be4)
2008-02-19 03:01:15 +03:00
*r->out.domains = domains;
r->out.names->count = num_sids;
r->out.names->names = names_out;
*r->out.count = mapped_count;
return status;
r13447: Added LSA_LOOKUPSIDS2 and LSA_LOOKUPSIDS3. Jeremy. (This used to be commit a164cfab420a2439dad8fd85f8b4d652087fa6b9)
2006-02-11 02:52:53 +03:00
}
/***************************************************************************
Use pidl for _lsa_LookupSids, _lsa_LookupSids2 and _lsa_LookupSids3. Guenther (This used to be commit b1609801e4443a3efbc29873477ad335d0241be4)
2008-02-19 03:01:15 +03:00
_lsa_LookupSids2
r13447: Added LSA_LOOKUPSIDS2 and LSA_LOOKUPSIDS3. Jeremy. (This used to be commit a164cfab420a2439dad8fd85f8b4d652087fa6b9)
2006-02-11 02:52:53 +03:00
***************************************************************************/
Use pidl for _lsa_LookupSids, _lsa_LookupSids2 and _lsa_LookupSids3. Guenther (This used to be commit b1609801e4443a3efbc29873477ad335d0241be4)
2008-02-19 03:01:15 +03:00
NTSTATUS _lsa_LookupSids2(pipes_struct *p,
struct lsa_LookupSids2 *r)
r13447: Added LSA_LOOKUPSIDS2 and LSA_LOOKUPSIDS3. Jeremy. (This used to be commit a164cfab420a2439dad8fd85f8b4d652087fa6b9)
2006-02-11 02:52:53 +03:00
{
Use pidl for _lsa_LookupSids, _lsa_LookupSids2 and _lsa_LookupSids3. Guenther (This used to be commit b1609801e4443a3efbc29873477ad335d0241be4)
2008-02-19 03:01:15 +03:00
NTSTATUS status;
r13447: Added LSA_LOOKUPSIDS2 and LSA_LOOKUPSIDS3. Jeremy. (This used to be commit a164cfab420a2439dad8fd85f8b4d652087fa6b9)
2006-02-11 02:52:53 +03:00
struct lsa_info *handle;
Use pidl for _lsa_LookupSids, _lsa_LookupSids2 and _lsa_LookupSids3. Guenther (This used to be commit b1609801e4443a3efbc29873477ad335d0241be4)
2008-02-19 03:01:15 +03:00
int num_sids = r->in.sids->num_sids;
r13447: Added LSA_LOOKUPSIDS2 and LSA_LOOKUPSIDS3. Jeremy. (This used to be commit a164cfab420a2439dad8fd85f8b4d652087fa6b9)
2006-02-11 02:52:53 +03:00
uint32 mapped_count = 0;
Use pidl for _lsa_LookupSids, _lsa_LookupSids2 and _lsa_LookupSids3. Guenther (This used to be commit b1609801e4443a3efbc29873477ad335d0241be4)
2008-02-19 03:01:15 +03:00
struct lsa_RefDomainList *domains = NULL;
struct lsa_TranslatedName2 *names = NULL;
bool check_policy = true;
r13447: Added LSA_LOOKUPSIDS2 and LSA_LOOKUPSIDS3. Jeremy. (This used to be commit a164cfab420a2439dad8fd85f8b4d652087fa6b9)
2006-02-11 02:52:53 +03:00
Use pidl for _lsa_LookupSids, _lsa_LookupSids2 and _lsa_LookupSids3. Guenther (This used to be commit b1609801e4443a3efbc29873477ad335d0241be4)
2008-02-19 03:01:15 +03:00
switch (p->hdr_req.opnum) {
case NDR_LSA_LOOKUPSIDS3:
check_policy = false;
break;
case NDR_LSA_LOOKUPSIDS2:
default:
check_policy = true;
r13447: Added LSA_LOOKUPSIDS2 and LSA_LOOKUPSIDS3. Jeremy. (This used to be commit a164cfab420a2439dad8fd85f8b4d652087fa6b9)
2006-02-11 02:52:53 +03:00
}
Use pidl for _lsa_LookupSids, _lsa_LookupSids2 and _lsa_LookupSids3. Guenther (This used to be commit b1609801e4443a3efbc29873477ad335d0241be4)
2008-02-19 03:01:15 +03:00
if ((r->in.level < 1) || (r->in.level > 6)) {
return NT_STATUS_INVALID_PARAMETER;
r13447: Added LSA_LOOKUPSIDS2 and LSA_LOOKUPSIDS3. Jeremy. (This used to be commit a164cfab420a2439dad8fd85f8b4d652087fa6b9)
2006-02-11 02:52:53 +03:00
}
Use pidl for _lsa_LookupSids, _lsa_LookupSids2 and _lsa_LookupSids3. Guenther (This used to be commit b1609801e4443a3efbc29873477ad335d0241be4)
2008-02-19 03:01:15 +03:00
if (check_policy) {
if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
return NT_STATUS_INVALID_HANDLE;
}
Fix typos. the user have -> has Karolin (This used to be commit 1ee2ad1051e6076709ef8ed2f45bebff10b0c3cf)
2008-07-18 17:31:36 +04:00
/* check if the user has enough rights */
Use new LSA_POLICY defines in lsa rpc server code and other places. Guenther (This used to be commit 58cca9faf9db506bd2f6eab4a99ef85153797ab2)
2008-02-27 17:49:31 +03:00
if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
Use pidl for _lsa_LookupSids, _lsa_LookupSids2 and _lsa_LookupSids3. Guenther (This used to be commit b1609801e4443a3efbc29873477ad335d0241be4)
2008-02-19 03:01:15 +03:00
return NT_STATUS_ACCESS_DENIED;
}
r13447: Added LSA_LOOKUPSIDS2 and LSA_LOOKUPSIDS3. Jeremy. (This used to be commit a164cfab420a2439dad8fd85f8b4d652087fa6b9)
2006-02-11 02:52:53 +03:00
}
if (num_sids > MAX_LOOKUP_SIDS) {
Use pidl for _lsa_LookupSids, _lsa_LookupSids2 and _lsa_LookupSids3. Guenther (This used to be commit b1609801e4443a3efbc29873477ad335d0241be4)
2008-02-19 03:01:15 +03:00
DEBUG(5,("_lsa_LookupSids2: limit of %d exceeded, requested %d\n",
r13447: Added LSA_LOOKUPSIDS2 and LSA_LOOKUPSIDS3. Jeremy. (This used to be commit a164cfab420a2439dad8fd85f8b4d652087fa6b9)
2006-02-11 02:52:53 +03:00
MAX_LOOKUP_SIDS, num_sids));
return NT_STATUS_NONE_MAPPED;
}
Use pidl for _lsa_LookupSids, _lsa_LookupSids2 and _lsa_LookupSids3. Guenther (This used to be commit b1609801e4443a3efbc29873477ad335d0241be4)
2008-02-19 03:01:15 +03:00
status = _lsa_lookup_sids_internal(p,
p->mem_ctx,
r->in.level,
num_sids,
r->in.sids->sids,
&domains,
&names,
&mapped_count);
r13447: Added LSA_LOOKUPSIDS2 and LSA_LOOKUPSIDS3. Jeremy. (This used to be commit a164cfab420a2439dad8fd85f8b4d652087fa6b9)
2006-02-11 02:52:53 +03:00
Use pidl for _lsa_LookupSids, _lsa_LookupSids2 and _lsa_LookupSids3. Guenther (This used to be commit b1609801e4443a3efbc29873477ad335d0241be4)
2008-02-19 03:01:15 +03:00
*r->out.domains = domains;
r->out.names->count = num_sids;
r->out.names->names = names;
*r->out.count = mapped_count;
return status;
r13447: Added LSA_LOOKUPSIDS2 and LSA_LOOKUPSIDS3. Jeremy. (This used to be commit a164cfab420a2439dad8fd85f8b4d652087fa6b9)
2006-02-11 02:52:53 +03:00
}
/***************************************************************************
Use pidl for _lsa_LookupSids, _lsa_LookupSids2 and _lsa_LookupSids3. Guenther (This used to be commit b1609801e4443a3efbc29873477ad335d0241be4)
2008-02-19 03:01:15 +03:00
_lsa_LookupSids3
r13447: Added LSA_LOOKUPSIDS2 and LSA_LOOKUPSIDS3. Jeremy. (This used to be commit a164cfab420a2439dad8fd85f8b4d652087fa6b9)
2006-02-11 02:52:53 +03:00
***************************************************************************/
Use pidl for _lsa_LookupSids, _lsa_LookupSids2 and _lsa_LookupSids3. Guenther (This used to be commit b1609801e4443a3efbc29873477ad335d0241be4)
2008-02-19 03:01:15 +03:00
NTSTATUS _lsa_LookupSids3(pipes_struct *p,
struct lsa_LookupSids3 *r)
r13447: Added LSA_LOOKUPSIDS2 and LSA_LOOKUPSIDS3. Jeremy. (This used to be commit a164cfab420a2439dad8fd85f8b4d652087fa6b9)
2006-02-11 02:52:53 +03:00
{
Use pidl for _lsa_LookupSids, _lsa_LookupSids2 and _lsa_LookupSids3. Guenther (This used to be commit b1609801e4443a3efbc29873477ad335d0241be4)
2008-02-19 03:01:15 +03:00
struct lsa_LookupSids2 q;
r13447: Added LSA_LOOKUPSIDS2 and LSA_LOOKUPSIDS3. Jeremy. (This used to be commit a164cfab420a2439dad8fd85f8b4d652087fa6b9)
2006-02-11 02:52:53 +03:00
[GLUE] Rsync SAMBA_3_2_0 SVN r25598 in order to create the v3-2-test branch. (This used to be commit 5c6c8e1fe93f340005110a7833946191659d88ab)
2007-10-11 00:34:30 +04:00
/* No policy handle on this call. Restrict to crypto connections. */
if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
Use pidl for _lsa_LookupSids, _lsa_LookupSids2 and _lsa_LookupSids3. Guenther (This used to be commit b1609801e4443a3efbc29873477ad335d0241be4)
2008-02-19 03:01:15 +03:00
DEBUG(0,("_lsa_LookupSids3: client %s not using schannel for netlogon\n",
[GLUE] Rsync SAMBA_3_2_0 SVN r25598 in order to create the v3-2-test branch. (This used to be commit 5c6c8e1fe93f340005110a7833946191659d88ab)
2007-10-11 00:34:30 +04:00
get_remote_machine_name() ));
return NT_STATUS_INVALID_PARAMETER;
}
r17192: Make this actually survive valgrind. We NEED pidl here... Maybe bzr is not such a bad idea, then you would probably see less spam on samba-cvs, sorry for that... :-) Volker (This used to be commit 41456b498a181c70707ca1ea80288bd7bdcadcdf)
2006-07-22 23:44:17 +04:00
Use pidl for _lsa_LookupSids, _lsa_LookupSids2 and _lsa_LookupSids3. Guenther (This used to be commit b1609801e4443a3efbc29873477ad335d0241be4)
2008-02-19 03:01:15 +03:00
q.in.handle = NULL;
q.in.sids = r->in.sids;
q.in.level = r->in.level;
q.in.unknown1 = r->in.unknown1;
q.in.unknown2 = r->in.unknown2;
q.in.names = r->in.names;
q.in.count = r->in.count;
r17192: Make this actually survive valgrind. We NEED pidl here... Maybe bzr is not such a bad idea, then you would probably see less spam on samba-cvs, sorry for that... :-) Volker (This used to be commit 41456b498a181c70707ca1ea80288bd7bdcadcdf)
2006-07-22 23:44:17 +04:00
Use pidl for _lsa_LookupSids, _lsa_LookupSids2 and _lsa_LookupSids3. Guenther (This used to be commit b1609801e4443a3efbc29873477ad335d0241be4)
2008-02-19 03:01:15 +03:00
q.out.domains = r->out.domains;
q.out.names = r->out.names;
q.out.count = r->out.count;
[GLUE] Rsync SAMBA_3_2_0 SVN r25598 in order to create the v3-2-test branch. (This used to be commit 5c6c8e1fe93f340005110a7833946191659d88ab)
2007-10-11 00:34:30 +04:00
Use pidl for _lsa_LookupSids, _lsa_LookupSids2 and _lsa_LookupSids3. Guenther (This used to be commit b1609801e4443a3efbc29873477ad335d0241be4)
2008-02-19 03:01:15 +03:00
return _lsa_LookupSids2(p, &q);
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
}
Use pidl for _lsa_LookupSids, _lsa_LookupSids2 and _lsa_LookupSids3. Guenther (This used to be commit b1609801e4443a3efbc29873477ad335d0241be4)
2008-02-19 03:01:15 +03:00
/***************************************************************************
***************************************************************************/
Fix for bug #4801: Correctly implement lsa lookup levels for lookupnames. This patch is still incomplete in that winbindd does not walk the the trusted domains to lookup unqualified names here. Apart from that this fix should be pretty much complete. Michael (This used to be commit f7efc0eca9426e63b751c07a90265a12bb39cf95)
2007-12-12 20:03:20 +03:00
static int lsa_lookup_level_to_flags(uint16 level)
{
int flags;
switch (level) {
case 1:
flags = LOOKUP_NAME_ALL;
break;
case 2:
flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_REMOTE|LOOKUP_NAME_ISOLATED;
break;
case 3:
flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_ISOLATED;
break;
case 4:
case 5:
case 6:
default:
flags = LOOKUP_NAME_NONE;
break;
}
return flags;
}
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
/***************************************************************************
Use pidl for _lsa_LookupNames() and _lsa_LookupNames2(). Hopefully I didn't screw this up. Please check :) Guenther (This used to be commit 01b733f10c1645668f2aea2841bbdc64b4bd5c51)
2008-02-18 16:40:34 +03:00
_lsa_LookupNames
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
***************************************************************************/
Use pidl for _lsa_LookupNames() and _lsa_LookupNames2(). Hopefully I didn't screw this up. Please check :) Guenther (This used to be commit 01b733f10c1645668f2aea2841bbdc64b4bd5c51)
2008-02-18 16:40:34 +03:00
NTSTATUS _lsa_LookupNames(pipes_struct *p,
struct lsa_LookupNames *r)
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
{
Use pidl for _lsa_LookupNames() and _lsa_LookupNames2(). Hopefully I didn't screw this up. Please check :) Guenther (This used to be commit 01b733f10c1645668f2aea2841bbdc64b4bd5c51)
2008-02-18 16:40:34 +03:00
NTSTATUS status = NT_STATUS_NONE_MAPPED;
there is no unknown field in LSA_SEC_QOS some cleanup of the lsa_open_policy and lsa_open_policy2 parser. the length fields are not correct but that's what NT send. We don't anymore underflow or overflow the decoding. added the domain admins group to the default SD. we are now checking the desired access flag in the lsa_open_policy_X() calls and in most functions also. J.F. (This used to be commit a217c4e4ff4d13122703d22258792fe5e8e9f02f)
2001-12-18 02:03:23 +03:00
struct lsa_info *handle;
Use pidl for _lsa_LookupNames() and _lsa_LookupNames2(). Hopefully I didn't screw this up. Please check :) Guenther (This used to be commit 01b733f10c1645668f2aea2841bbdc64b4bd5c51)
2008-02-18 16:40:34 +03:00
struct lsa_String *names = r->in.names;
uint32 num_entries = r->in.num_names;
struct lsa_RefDomainList *domains = NULL;
struct lsa_TranslatedSid *rids = NULL;
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
uint32 mapped_count = 0;
r12051: Merge across the lookup_name and lookup_sid work. Lets see how the build farm reacts :-) Volker (This used to be commit 9f99d04a54588cd9d1a1ab163ebb304437f932f7)
2005-12-03 21:34:13 +03:00
int flags = 0;
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
Move the lsa code across to the changed args for lookup_name, and surround it in become_root()/unbecome_root(). Also only allocate the memory the client reqests - and don't allow the client to trigger an SMB_ASSERT if they ask for 'more'. Up the maximum number of sids allowed, and note that this is an arbiary guess, and can be raised without consequence. Andrew Bartlett (This used to be commit 6e7667125d142670db7393ed7a48386f3821d896)
2002-01-26 13:02:23 +03:00
if (num_entries > MAX_LOOKUP_SIDS) {
num_entries = MAX_LOOKUP_SIDS;
Use pidl for _lsa_LookupNames() and _lsa_LookupNames2(). Hopefully I didn't screw this up. Please check :) Guenther (This used to be commit 01b733f10c1645668f2aea2841bbdc64b4bd5c51)
2008-02-18 16:40:34 +03:00
DEBUG(5,("_lsa_LookupNames: truncating name lookup list to %d\n",
num_entries));
Move the lsa code across to the changed args for lookup_name, and surround it in become_root()/unbecome_root(). Also only allocate the memory the client reqests - and don't allow the client to trigger an SMB_ASSERT if they ask for 'more'. Up the maximum number of sids allowed, and note that this is an arbiary guess, and can be raised without consequence. Andrew Bartlett (This used to be commit 6e7667125d142670db7393ed7a48386f3821d896)
2002-01-26 13:02:23 +03:00
}
Remove white space. Guenther (This used to be commit a33ed085094b200e153939cb1b02e567f07b1e50)
2008-02-14 15:12:28 +03:00
Use pidl for _lsa_LookupNames() and _lsa_LookupNames2(). Hopefully I didn't screw this up. Please check :) Guenther (This used to be commit 01b733f10c1645668f2aea2841bbdc64b4bd5c51)
2008-02-18 16:40:34 +03:00
flags = lsa_lookup_level_to_flags(r->in.level);
r12051: Merge across the lookup_name and lookup_sid work. Lets see how the build farm reacts :-) Volker (This used to be commit 9f99d04a54588cd9d1a1ab163ebb304437f932f7)
2005-12-03 21:34:13 +03:00
Use pidl for _lsa_LookupNames() and _lsa_LookupNames2(). Hopefully I didn't screw this up. Please check :) Guenther (This used to be commit 01b733f10c1645668f2aea2841bbdc64b4bd5c51)
2008-02-18 16:40:34 +03:00
domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
if (!domains) {
r22587: Ensure TALLOC_ZERO_ARRAY is consistent. Jeremy. (This used to be commit c3df5d08dd6a983f9d53dc6628a50e571d322e8d)
2007-04-30 05:17:34 +04:00
return NT_STATUS_NO_MEMORY;
}
if (num_entries) {
Use pidl for _lsa_LookupNames() and _lsa_LookupNames2(). Hopefully I didn't screw this up. Please check :) Guenther (This used to be commit 01b733f10c1645668f2aea2841bbdc64b4bd5c51)
2008-02-18 16:40:34 +03:00
rids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid,
num_entries);
r22587: Ensure TALLOC_ZERO_ARRAY is consistent. Jeremy. (This used to be commit c3df5d08dd6a983f9d53dc6628a50e571d322e8d)
2007-04-30 05:17:34 +04:00
if (!rids) {
return NT_STATUS_NO_MEMORY;
}
} else {
rids = NULL;
}
Don't return stack structures... Jeremy. (This used to be commit 94b72c19fe435d31e14e69a3fc9808e75638726a)
2001-03-01 07:01:23 +03:00
Use pidl for _lsa_LookupNames() and _lsa_LookupNames2(). Hopefully I didn't screw this up. Please check :) Guenther (This used to be commit 01b733f10c1645668f2aea2841bbdc64b4bd5c51)
2008-02-18 16:40:34 +03:00
if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
status = NT_STATUS_INVALID_HANDLE;
Don't core dump listing thousands of users in usrmgr. Jeremy. (This used to be commit c6566fa5fadf37a2b133e7be1f13c0de93efab34)
2002-03-30 00:50:21 +03:00
goto done;
}
Ensure we return a parseable value if invalid handle given. Jeremy. (This used to be commit f169f3f4df81537426f708d68da44e0fc40ad15e)
2002-03-29 23:37:56 +03:00
Fix typos. the user have -> has Karolin (This used to be commit 1ee2ad1051e6076709ef8ed2f45bebff10b0c3cf)
2008-07-18 17:31:36 +04:00
/* check if the user has enough rights */
Use new LSA_POLICY defines in lsa rpc server code and other places. Guenther (This used to be commit 58cca9faf9db506bd2f6eab4a99ef85153797ab2)
2008-02-27 17:49:31 +03:00
if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
Use pidl for _lsa_LookupNames() and _lsa_LookupNames2(). Hopefully I didn't screw this up. Please check :) Guenther (This used to be commit 01b733f10c1645668f2aea2841bbdc64b4bd5c51)
2008-02-18 16:40:34 +03:00
status = NT_STATUS_ACCESS_DENIED;
Don't core dump listing thousands of users in usrmgr. Jeremy. (This used to be commit c6566fa5fadf37a2b133e7be1f13c0de93efab34)
2002-03-30 00:50:21 +03:00
goto done;
}
Ensure we return a parseable value if invalid handle given. Jeremy. (This used to be commit f169f3f4df81537426f708d68da44e0fc40ad15e)
2002-03-29 23:37:56 +03:00
r12051: Merge across the lookup_name and lookup_sid work. Lets see how the build farm reacts :-) Volker (This used to be commit 9f99d04a54588cd9d1a1ab163ebb304437f932f7)
2005-12-03 21:34:13 +03:00
/* set up the LSA Lookup RIDs response */
r13521: Implement LOOKUPNAME3 and 4. Jeremy. (This used to be commit 6ec0e9124a1a7b19c9853b8e26075cbbb8751f10)
2006-02-16 04:06:21 +03:00
become_root(); /* lookup_name can require root privs */
Use pidl for _lsa_LookupNames() and _lsa_LookupNames2(). Hopefully I didn't screw this up. Please check :) Guenther (This used to be commit 01b733f10c1645668f2aea2841bbdc64b4bd5c51)
2008-02-18 16:40:34 +03:00
status = lookup_lsa_rids(p->mem_ctx, domains, rids, num_entries,
names, flags, &mapped_count);
r13521: Implement LOOKUPNAME3 and 4. Jeremy. (This used to be commit 6ec0e9124a1a7b19c9853b8e26075cbbb8751f10)
2006-02-16 04:06:21 +03:00
unbecome_root();
Don't core dump listing thousands of users in usrmgr. Jeremy. (This used to be commit c6566fa5fadf37a2b133e7be1f13c0de93efab34)
2002-03-30 00:50:21 +03:00
done:
Use pidl for _lsa_LookupNames() and _lsa_LookupNames2(). Hopefully I didn't screw this up. Please check :) Guenther (This used to be commit 01b733f10c1645668f2aea2841bbdc64b4bd5c51)
2008-02-18 16:40:34 +03:00
if (NT_STATUS_IS_OK(status) && (num_entries != 0) ) {
if (mapped_count == 0) {
status = NT_STATUS_NONE_MAPPED;
} else if (mapped_count != num_entries) {
status = STATUS_SOME_UNMAPPED;
}
r911: Patch from "Jerome Borsboom" <j.borsboom@erasmusmc.nl>, don't overwrite error code. Jeremy. (This used to be commit 735e49ddc3c4485c7b43208345d0e3e2b8960ad4)
2004-05-26 22:27:16 +04:00
}
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
Fix counter mismatch in lsa_LookupNames server. Guenther (This used to be commit 80fd085c34befd38d33cf6e59080a2a36016a92d)
2008-03-04 15:16:02 +03:00
*r->out.count = mapped_count;
Use pidl for _lsa_LookupNames() and _lsa_LookupNames2(). Hopefully I didn't screw this up. Please check :) Guenther (This used to be commit 01b733f10c1645668f2aea2841bbdc64b4bd5c51)
2008-02-18 16:40:34 +03:00
*r->out.domains = domains;
r->out.sids->sids = rids;
Fix counter mismatch in lsa_LookupNames server. Guenther (This used to be commit 80fd085c34befd38d33cf6e59080a2a36016a92d)
2008-03-04 15:16:02 +03:00
r->out.sids->count = num_entries;
Use pidl for _lsa_LookupNames() and _lsa_LookupNames2(). Hopefully I didn't screw this up. Please check :) Guenther (This used to be commit 01b733f10c1645668f2aea2841bbdc64b4bd5c51)
2008-02-18 16:40:34 +03:00
return status;
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
}
r13456: Add lsa_lookup_names2. Jeremy. (This used to be commit b57406c89feaf550f6c2d29ef0ed73a935908add)
2006-02-11 07:25:06 +03:00
/***************************************************************************
Use pidl for _lsa_LookupNames() and _lsa_LookupNames2(). Hopefully I didn't screw this up. Please check :) Guenther (This used to be commit 01b733f10c1645668f2aea2841bbdc64b4bd5c51)
2008-02-18 16:40:34 +03:00
_lsa_LookupNames2
r13456: Add lsa_lookup_names2. Jeremy. (This used to be commit b57406c89feaf550f6c2d29ef0ed73a935908add)
2006-02-11 07:25:06 +03:00
***************************************************************************/
Use pidl for _lsa_LookupNames() and _lsa_LookupNames2(). Hopefully I didn't screw this up. Please check :) Guenther (This used to be commit 01b733f10c1645668f2aea2841bbdc64b4bd5c51)
2008-02-18 16:40:34 +03:00
NTSTATUS _lsa_LookupNames2(pipes_struct *p,
struct lsa_LookupNames2 *r)
r13456: Add lsa_lookup_names2. Jeremy. (This used to be commit b57406c89feaf550f6c2d29ef0ed73a935908add)
2006-02-11 07:25:06 +03:00
{
Use pidl for _lsa_LookupNames() and _lsa_LookupNames2(). Hopefully I didn't screw this up. Please check :) Guenther (This used to be commit 01b733f10c1645668f2aea2841bbdc64b4bd5c51)
2008-02-18 16:40:34 +03:00
NTSTATUS status;
struct lsa_LookupNames q;
struct lsa_TransSidArray2 *sid_array2 = r->in.sids;
struct lsa_TransSidArray *sid_array = NULL;
uint32_t i;
r13456: Add lsa_lookup_names2. Jeremy. (This used to be commit b57406c89feaf550f6c2d29ef0ed73a935908add)
2006-02-11 07:25:06 +03:00
Use pidl for _lsa_LookupNames() and _lsa_LookupNames2(). Hopefully I didn't screw this up. Please check :) Guenther (This used to be commit 01b733f10c1645668f2aea2841bbdc64b4bd5c51)
2008-02-18 16:40:34 +03:00
sid_array = TALLOC_ZERO_P(p->mem_ctx, struct lsa_TransSidArray);
if (!sid_array) {
r16433: Fix Coverity #300 (triggered by a Klockwork bugfix I think). If a alloc fails just return NT_STATUS_NO_MEMORY, don't go to "done" label and deref pointers. Jeremy. (This used to be commit 490c7c84674860ecd9daa24341edb427b9fe0aa5)
2006-06-21 04:17:14 +04:00
return NT_STATUS_NO_MEMORY;
r16409: Fix Klocwork ID's. 1177 In reg_perfcount.c: 1200 1202 1203 1204 In regfio.c: 1243 1245 1246 1247 1251 Jerry, the reg_perfcount and regfio.c ones, can you take a look please? This is really your code, and I'm not sure I did the right thing to return an error. smbcacls.c: 1377 srv_eventlog_nt.c: 1415 1416 1417 srv_lsa_nt.c: 1420 1421 srv_netlog_nt.c: 1429 srv_samr_nt: 1458 1459 1460 Volker Volker (This used to be commit d6547d12b1c9f9454876665a5bdb010f46b9f5ff)
2006-06-20 13:16:53 +04:00
}
Use pidl for _lsa_LookupNames() and _lsa_LookupNames2(). Hopefully I didn't screw this up. Please check :) Guenther (This used to be commit 01b733f10c1645668f2aea2841bbdc64b4bd5c51)
2008-02-18 16:40:34 +03:00
q.in.handle = r->in.handle;
q.in.num_names = r->in.num_names;
q.in.names = r->in.names;
q.in.level = r->in.level;
q.in.sids = sid_array;
q.in.count = r->in.count;
/* we do not know what this is for */
/* = r->in.unknown1; */
/* = r->in.unknown2; */
r22587: Ensure TALLOC_ZERO_ARRAY is consistent. Jeremy. (This used to be commit c3df5d08dd6a983f9d53dc6628a50e571d322e8d)
2007-04-30 05:17:34 +04:00
Use pidl for _lsa_LookupNames() and _lsa_LookupNames2(). Hopefully I didn't screw this up. Please check :) Guenther (This used to be commit 01b733f10c1645668f2aea2841bbdc64b4bd5c51)
2008-02-18 16:40:34 +03:00
q.out.domains = r->out.domains;
q.out.sids = sid_array;
q.out.count = r->out.count;
r13456: Add lsa_lookup_names2. Jeremy. (This used to be commit b57406c89feaf550f6c2d29ef0ed73a935908add)
2006-02-11 07:25:06 +03:00
Use pidl for _lsa_LookupNames() and _lsa_LookupNames2(). Hopefully I didn't screw this up. Please check :) Guenther (This used to be commit 01b733f10c1645668f2aea2841bbdc64b4bd5c51)
2008-02-18 16:40:34 +03:00
status = _lsa_LookupNames(p, &q);
r13456: Add lsa_lookup_names2. Jeremy. (This used to be commit b57406c89feaf550f6c2d29ef0ed73a935908add)
2006-02-11 07:25:06 +03:00
Use pidl for _lsa_LookupNames() and _lsa_LookupNames2(). Hopefully I didn't screw this up. Please check :) Guenther (This used to be commit 01b733f10c1645668f2aea2841bbdc64b4bd5c51)
2008-02-18 16:40:34 +03:00
sid_array2->sids = TALLOC_ARRAY(p->mem_ctx, struct lsa_TranslatedSid2, sid_array->count);
if (!sid_array2->sids) {
return NT_STATUS_NO_MEMORY;
r13456: Add lsa_lookup_names2. Jeremy. (This used to be commit b57406c89feaf550f6c2d29ef0ed73a935908add)
2006-02-11 07:25:06 +03:00
}
Use pidl for _lsa_LookupNames() and _lsa_LookupNames2(). Hopefully I didn't screw this up. Please check :) Guenther (This used to be commit 01b733f10c1645668f2aea2841bbdc64b4bd5c51)
2008-02-18 16:40:34 +03:00
for (i=0; i<sid_array->count; i++) {
sid_array2->sids[i].sid_type = sid_array->sids[i].sid_type;
sid_array2->sids[i].rid = sid_array->sids[i].rid;
sid_array2->sids[i].sid_index = sid_array->sids[i].sid_index;
sid_array2->sids[i].unknown = 0;
r13456: Add lsa_lookup_names2. Jeremy. (This used to be commit b57406c89feaf550f6c2d29ef0ed73a935908add)
2006-02-11 07:25:06 +03:00
}
Use pidl for _lsa_LookupNames() and _lsa_LookupNames2(). Hopefully I didn't screw this up. Please check :) Guenther (This used to be commit 01b733f10c1645668f2aea2841bbdc64b4bd5c51)
2008-02-18 16:40:34 +03:00
r->out.sids = sid_array2;
return status;
r13456: Add lsa_lookup_names2. Jeremy. (This used to be commit b57406c89feaf550f6c2d29ef0ed73a935908add)
2006-02-11 07:25:06 +03:00
}
r13458: Add parsing functions - but stub internals for lookupnames3 and 4. Jeremy. (This used to be commit f1a362580ae37730dc8393a79f832aed5d0ea4be)
2006-02-11 08:36:27 +03:00
/***************************************************************************
Use pidl for _lsa_LookupNames3 and _lsa_LookupNames4. Guenther (This used to be commit 4e310a19f12ba7034f33247dca0a9e7a10aa98b7)
2008-02-18 18:57:02 +03:00
_lsa_LookupNames3
r13458: Add parsing functions - but stub internals for lookupnames3 and 4. Jeremy. (This used to be commit f1a362580ae37730dc8393a79f832aed5d0ea4be)
2006-02-11 08:36:27 +03:00
***************************************************************************/
Use pidl for _lsa_LookupNames3 and _lsa_LookupNames4. Guenther (This used to be commit 4e310a19f12ba7034f33247dca0a9e7a10aa98b7)
2008-02-18 18:57:02 +03:00
NTSTATUS _lsa_LookupNames3(pipes_struct *p,
struct lsa_LookupNames3 *r)
r13458: Add parsing functions - but stub internals for lookupnames3 and 4. Jeremy. (This used to be commit f1a362580ae37730dc8393a79f832aed5d0ea4be)
2006-02-11 08:36:27 +03:00
{
Use pidl for _lsa_LookupNames3 and _lsa_LookupNames4. Guenther (This used to be commit 4e310a19f12ba7034f33247dca0a9e7a10aa98b7)
2008-02-18 18:57:02 +03:00
NTSTATUS status;
r13521: Implement LOOKUPNAME3 and 4. Jeremy. (This used to be commit 6ec0e9124a1a7b19c9853b8e26075cbbb8751f10)
2006-02-16 04:06:21 +03:00
struct lsa_info *handle;
Use pidl for _lsa_LookupNames3 and _lsa_LookupNames4. Guenther (This used to be commit 4e310a19f12ba7034f33247dca0a9e7a10aa98b7)
2008-02-18 18:57:02 +03:00
struct lsa_String *names = r->in.names;
uint32 num_entries = r->in.num_names;
struct lsa_RefDomainList *domains = NULL;
struct lsa_TranslatedSid3 *trans_sids = NULL;
r13521: Implement LOOKUPNAME3 and 4. Jeremy. (This used to be commit 6ec0e9124a1a7b19c9853b8e26075cbbb8751f10)
2006-02-16 04:06:21 +03:00
uint32 mapped_count = 0;
int flags = 0;
Use pidl for _lsa_LookupNames3 and _lsa_LookupNames4. Guenther (This used to be commit 4e310a19f12ba7034f33247dca0a9e7a10aa98b7)
2008-02-18 18:57:02 +03:00
bool check_policy = true;
switch (p->hdr_req.opnum) {
case NDR_LSA_LOOKUPNAMES4:
check_policy = false;
break;
case NDR_LSA_LOOKUPNAMES3:
default:
check_policy = true;
}
r13521: Implement LOOKUPNAME3 and 4. Jeremy. (This used to be commit 6ec0e9124a1a7b19c9853b8e26075cbbb8751f10)
2006-02-16 04:06:21 +03:00
if (num_entries > MAX_LOOKUP_SIDS) {
num_entries = MAX_LOOKUP_SIDS;
Use pidl for _lsa_LookupNames3 and _lsa_LookupNames4. Guenther (This used to be commit 4e310a19f12ba7034f33247dca0a9e7a10aa98b7)
2008-02-18 18:57:02 +03:00
DEBUG(5,("_lsa_LookupNames3: truncating name lookup list to %d\n", num_entries));
r13521: Implement LOOKUPNAME3 and 4. Jeremy. (This used to be commit 6ec0e9124a1a7b19c9853b8e26075cbbb8751f10)
2006-02-16 04:06:21 +03:00
}
Remove white space. Guenther (This used to be commit a33ed085094b200e153939cb1b02e567f07b1e50)
2008-02-14 15:12:28 +03:00
r13521: Implement LOOKUPNAME3 and 4. Jeremy. (This used to be commit 6ec0e9124a1a7b19c9853b8e26075cbbb8751f10)
2006-02-16 04:06:21 +03:00
/* Probably the lookup_level is some sort of bitmask. */
Use pidl for _lsa_LookupNames3 and _lsa_LookupNames4. Guenther (This used to be commit 4e310a19f12ba7034f33247dca0a9e7a10aa98b7)
2008-02-18 18:57:02 +03:00
if (r->in.level == 1) {
r13521: Implement LOOKUPNAME3 and 4. Jeremy. (This used to be commit 6ec0e9124a1a7b19c9853b8e26075cbbb8751f10)
2006-02-16 04:06:21 +03:00
flags = LOOKUP_NAME_ALL;
}
Use pidl for _lsa_LookupNames3 and _lsa_LookupNames4. Guenther (This used to be commit 4e310a19f12ba7034f33247dca0a9e7a10aa98b7)
2008-02-18 18:57:02 +03:00
domains = TALLOC_ZERO_P(p->mem_ctx, struct lsa_RefDomainList);
if (!domains) {
r22587: Ensure TALLOC_ZERO_ARRAY is consistent. Jeremy. (This used to be commit c3df5d08dd6a983f9d53dc6628a50e571d322e8d)
2007-04-30 05:17:34 +04:00
return NT_STATUS_NO_MEMORY;
}
Use pidl for _lsa_LookupNames3 and _lsa_LookupNames4. Guenther (This used to be commit 4e310a19f12ba7034f33247dca0a9e7a10aa98b7)
2008-02-18 18:57:02 +03:00
r22587: Ensure TALLOC_ZERO_ARRAY is consistent. Jeremy. (This used to be commit c3df5d08dd6a983f9d53dc6628a50e571d322e8d)
2007-04-30 05:17:34 +04:00
if (num_entries) {
Use pidl for _lsa_LookupNames3 and _lsa_LookupNames4. Guenther (This used to be commit 4e310a19f12ba7034f33247dca0a9e7a10aa98b7)
2008-02-18 18:57:02 +03:00
trans_sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_TranslatedSid3,
num_entries);
r22587: Ensure TALLOC_ZERO_ARRAY is consistent. Jeremy. (This used to be commit c3df5d08dd6a983f9d53dc6628a50e571d322e8d)
2007-04-30 05:17:34 +04:00
if (!trans_sids) {
return NT_STATUS_NO_MEMORY;
}
} else {
trans_sids = NULL;
}
r13521: Implement LOOKUPNAME3 and 4. Jeremy. (This used to be commit 6ec0e9124a1a7b19c9853b8e26075cbbb8751f10)
2006-02-16 04:06:21 +03:00
Use pidl for _lsa_LookupNames3 and _lsa_LookupNames4. Guenther (This used to be commit 4e310a19f12ba7034f33247dca0a9e7a10aa98b7)
2008-02-18 18:57:02 +03:00
if (check_policy) {
r13521: Implement LOOKUPNAME3 and 4. Jeremy. (This used to be commit 6ec0e9124a1a7b19c9853b8e26075cbbb8751f10)
2006-02-16 04:06:21 +03:00
Use pidl for _lsa_LookupNames3 and _lsa_LookupNames4. Guenther (This used to be commit 4e310a19f12ba7034f33247dca0a9e7a10aa98b7)
2008-02-18 18:57:02 +03:00
if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) {
status = NT_STATUS_INVALID_HANDLE;
goto done;
}
Fix typos. the user have -> has Karolin (This used to be commit 1ee2ad1051e6076709ef8ed2f45bebff10b0c3cf)
2008-07-18 17:31:36 +04:00
/* check if the user has enough rights */
Use new LSA_POLICY defines in lsa rpc server code and other places. Guenther (This used to be commit 58cca9faf9db506bd2f6eab4a99ef85153797ab2)
2008-02-27 17:49:31 +03:00
if (!(handle->access & LSA_POLICY_LOOKUP_NAMES)) {
Use pidl for _lsa_LookupNames3 and _lsa_LookupNames4. Guenther (This used to be commit 4e310a19f12ba7034f33247dca0a9e7a10aa98b7)
2008-02-18 18:57:02 +03:00
status = NT_STATUS_ACCESS_DENIED;
goto done;
}
r13521: Implement LOOKUPNAME3 and 4. Jeremy. (This used to be commit 6ec0e9124a1a7b19c9853b8e26075cbbb8751f10)
2006-02-16 04:06:21 +03:00
}
/* set up the LSA Lookup SIDs response */
become_root(); /* lookup_name can require root privs */
Use pidl for _lsa_LookupNames3 and _lsa_LookupNames4. Guenther (This used to be commit 4e310a19f12ba7034f33247dca0a9e7a10aa98b7)
2008-02-18 18:57:02 +03:00
status = lookup_lsa_sids(p->mem_ctx, domains, trans_sids, num_entries,
names, flags, &mapped_count);
r13521: Implement LOOKUPNAME3 and 4. Jeremy. (This used to be commit 6ec0e9124a1a7b19c9853b8e26075cbbb8751f10)
2006-02-16 04:06:21 +03:00
unbecome_root();
done:
Use pidl for _lsa_LookupNames3 and _lsa_LookupNames4. Guenther (This used to be commit 4e310a19f12ba7034f33247dca0a9e7a10aa98b7)
2008-02-18 18:57:02 +03:00
if (NT_STATUS_IS_OK(status)) {
r13521: Implement LOOKUPNAME3 and 4. Jeremy. (This used to be commit 6ec0e9124a1a7b19c9853b8e26075cbbb8751f10)
2006-02-16 04:06:21 +03:00
if (mapped_count == 0) {
Use pidl for _lsa_LookupNames3 and _lsa_LookupNames4. Guenther (This used to be commit 4e310a19f12ba7034f33247dca0a9e7a10aa98b7)
2008-02-18 18:57:02 +03:00
status = NT_STATUS_NONE_MAPPED;
r13521: Implement LOOKUPNAME3 and 4. Jeremy. (This used to be commit 6ec0e9124a1a7b19c9853b8e26075cbbb8751f10)
2006-02-16 04:06:21 +03:00
} else if (mapped_count != num_entries) {
Use pidl for _lsa_LookupNames3 and _lsa_LookupNames4. Guenther (This used to be commit 4e310a19f12ba7034f33247dca0a9e7a10aa98b7)
2008-02-18 18:57:02 +03:00
status = STATUS_SOME_UNMAPPED;
r13521: Implement LOOKUPNAME3 and 4. Jeremy. (This used to be commit 6ec0e9124a1a7b19c9853b8e26075cbbb8751f10)
2006-02-16 04:06:21 +03:00
}
}
Fix counter mismatch in lsa_LookupNames3 server. Guenther (This used to be commit e052d6f2c82a644986e5d99f640310d71cd5c396)
2008-03-04 15:19:38 +03:00
*r->out.count = mapped_count;
Use pidl for _lsa_LookupNames3 and _lsa_LookupNames4. Guenther (This used to be commit 4e310a19f12ba7034f33247dca0a9e7a10aa98b7)
2008-02-18 18:57:02 +03:00
*r->out.domains = domains;
r->out.sids->sids = trans_sids;
Fix counter mismatch in lsa_LookupNames3 server. Guenther (This used to be commit e052d6f2c82a644986e5d99f640310d71cd5c396)
2008-03-04 15:19:38 +03:00
r->out.sids->count = num_entries;
Use pidl for _lsa_LookupNames3 and _lsa_LookupNames4. Guenther (This used to be commit 4e310a19f12ba7034f33247dca0a9e7a10aa98b7)
2008-02-18 18:57:02 +03:00
return status;
r13458: Add parsing functions - but stub internals for lookupnames3 and 4. Jeremy. (This used to be commit f1a362580ae37730dc8393a79f832aed5d0ea4be)
2006-02-11 08:36:27 +03:00
}
/***************************************************************************
Use pidl for _lsa_LookupNames3 and _lsa_LookupNames4. Guenther (This used to be commit 4e310a19f12ba7034f33247dca0a9e7a10aa98b7)
2008-02-18 18:57:02 +03:00
_lsa_LookupNames4
r13458: Add parsing functions - but stub internals for lookupnames3 and 4. Jeremy. (This used to be commit f1a362580ae37730dc8393a79f832aed5d0ea4be)
2006-02-11 08:36:27 +03:00
***************************************************************************/
Use pidl for _lsa_LookupNames3 and _lsa_LookupNames4. Guenther (This used to be commit 4e310a19f12ba7034f33247dca0a9e7a10aa98b7)
2008-02-18 18:57:02 +03:00
NTSTATUS _lsa_LookupNames4(pipes_struct *p,
struct lsa_LookupNames4 *r)
r13458: Add parsing functions - but stub internals for lookupnames3 and 4. Jeremy. (This used to be commit f1a362580ae37730dc8393a79f832aed5d0ea4be)
2006-02-11 08:36:27 +03:00
{
Use pidl for _lsa_LookupNames3 and _lsa_LookupNames4. Guenther (This used to be commit 4e310a19f12ba7034f33247dca0a9e7a10aa98b7)
2008-02-18 18:57:02 +03:00
struct lsa_LookupNames3 q;
r13521: Implement LOOKUPNAME3 and 4. Jeremy. (This used to be commit 6ec0e9124a1a7b19c9853b8e26075cbbb8751f10)
2006-02-16 04:06:21 +03:00
/* No policy handle on this call. Restrict to crypto connections. */
if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
DEBUG(0,("_lsa_lookup_names4: client %s not using schannel for netlogon\n",
get_remote_machine_name() ));
return NT_STATUS_INVALID_PARAMETER;
}
Use pidl for _lsa_LookupNames3 and _lsa_LookupNames4. Guenther (This used to be commit 4e310a19f12ba7034f33247dca0a9e7a10aa98b7)
2008-02-18 18:57:02 +03:00
q.in.handle = NULL;
q.in.num_names = r->in.num_names;
q.in.names = r->in.names;
q.in.level = r->in.level;
s3: fix s3 lsa server. Guenther
2008-10-15 21:33:16 +04:00
q.in.lookup_options = r->in.lookup_options;
q.in.client_revision = r->in.client_revision;
Use pidl for _lsa_LookupNames3 and _lsa_LookupNames4. Guenther (This used to be commit 4e310a19f12ba7034f33247dca0a9e7a10aa98b7)
2008-02-18 18:57:02 +03:00
q.in.sids = r->in.sids;
q.in.count = r->in.count;
r13521: Implement LOOKUPNAME3 and 4. Jeremy. (This used to be commit 6ec0e9124a1a7b19c9853b8e26075cbbb8751f10)
2006-02-16 04:06:21 +03:00
Use pidl for _lsa_LookupNames3 and _lsa_LookupNames4. Guenther (This used to be commit 4e310a19f12ba7034f33247dca0a9e7a10aa98b7)
2008-02-18 18:57:02 +03:00
q.out.domains = r->out.domains;
q.out.sids = r->out.sids;
q.out.count = r->out.count;
r13521: Implement LOOKUPNAME3 and 4. Jeremy. (This used to be commit 6ec0e9124a1a7b19c9853b8e26075cbbb8751f10)
2006-02-16 04:06:21 +03:00
Use pidl for _lsa_LookupNames3 and _lsa_LookupNames4. Guenther (This used to be commit 4e310a19f12ba7034f33247dca0a9e7a10aa98b7)
2008-02-18 18:57:02 +03:00
return _lsa_LookupNames3(p, &q);
r13458: Add parsing functions - but stub internals for lookupnames3 and 4. Jeremy. (This used to be commit f1a362580ae37730dc8393a79f832aed5d0ea4be)
2006-02-11 08:36:27 +03:00
}
r13456: Add lsa_lookup_names2. Jeremy. (This used to be commit b57406c89feaf550f6c2d29ef0ed73a935908add)
2006-02-11 07:25:06 +03:00
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
/***************************************************************************
_lsa_close. Also weird - needs to check if lsa handle is correct. JRA.
***************************************************************************/
r20875: Pass DCE/RPC server call arguments as a struct rather than as separate arguments. This makes it a bit more similar to the Samba4 code. (This used to be commit 0596badb410a58e7a715e2b17bc0bef0489a2448)
2007-01-18 13:18:59 +03:00
NTSTATUS _lsa_Close(pipes_struct *p, struct lsa_Close *r)
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
{
r20875: Pass DCE/RPC server call arguments as a struct rather than as separate arguments. This makes it a bit more similar to the Samba4 code. (This used to be commit 0596badb410a58e7a715e2b17bc0bef0489a2448)
2007-01-18 13:18:59 +03:00
if (!find_policy_by_hnd(p, r->in.handle, NULL)) {
Merge of new 2.2 code into HEAD (Gerald I hate you :-) :-). Allows new SAMR RPC code to merge with new passdb code. Currently rpcclient doesn't compile. I'm working on it... Jeremy. (This used to be commit 0be41d5158ea4e645e93e8cd30617c038416e549)
2001-03-11 03:32:10 +03:00
return NT_STATUS_INVALID_HANDLE;
r13521: Implement LOOKUPNAME3 and 4. Jeremy. (This used to be commit 6ec0e9124a1a7b19c9853b8e26075cbbb8751f10)
2006-02-16 04:06:21 +03:00
}
Merge of new 2.2 code into HEAD (Gerald I hate you :-) :-). Allows new SAMR RPC code to merge with new passdb code. Currently rpcclient doesn't compile. I'm working on it... Jeremy. (This used to be commit 0be41d5158ea4e645e93e8cd30617c038416e549)
2001-03-11 03:32:10 +03:00
r20875: Pass DCE/RPC server call arguments as a struct rather than as separate arguments. This makes it a bit more similar to the Samba4 code. (This used to be commit 0596badb410a58e7a715e2b17bc0bef0489a2448)
2007-01-18 13:18:59 +03:00
close_policy_hnd(p, r->in.handle);
Zero out the out policy handler in lsa_Close ... after a REALLY long session staring at sniffs we can now join XP to v3-2-test again... Apparently not doing this makes XP keep an internal handle to LSA open which confuses the hell out of it. Karolin, this needs to be in v3-2-stable :-) Volker (This used to be commit 2c42fc21d8bede226e411623aecd69038477373b)
2008-03-03 20:12:26 +03:00
ZERO_STRUCTP(r->out.handle);
converted another bunch of stuff to NTSTATUS (This used to be commit 1d36250e338ae0ff9fbbf86019809205dd97d05e)
2001-08-27 23:46:22 +04:00
return NT_STATUS_OK;
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
}
/***************************************************************************
***************************************************************************/
r20875: Pass DCE/RPC server call arguments as a struct rather than as separate arguments. This makes it a bit more similar to the Samba4 code. (This used to be commit 0596badb410a58e7a715e2b17bc0bef0489a2448)
2007-01-18 13:18:59 +03:00
NTSTATUS _lsa_OpenSecret(pipes_struct *p, struct lsa_OpenSecret *r)
Added implementation file for lsa. Jeremy. (This used to be commit 72e7c261e85b9cad19b93fb160168531290a5404)
2001-02-26 22:31:07 +03:00
{
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
}
Added LsaGetConnectedCredentials patch from Manoj Naik <manoj@almaden.ibm.com>. Jeremy. (This used to be commit 7079300da6dbd950e55dc5871851250d5a3717ff)
2001-06-30 03:12:55 +04:00
r7139: trying to reduce the number of diffs between trunk and 3.0; changing version to 3.0.20pre1 (This used to be commit 9727d05241574042dd3aa8844ae5c701d22e2da1)
2005-05-31 17:46:45 +04:00
/***************************************************************************
***************************************************************************/
r20875: Pass DCE/RPC server call arguments as a struct rather than as separate arguments. This makes it a bit more similar to the Samba4 code. (This used to be commit 0596badb410a58e7a715e2b17bc0bef0489a2448)
2007-01-18 13:18:59 +03:00
NTSTATUS _lsa_OpenTrustedDomain(pipes_struct *p, struct lsa_OpenTrustedDomain *r)
r7139: trying to reduce the number of diffs between trunk and 3.0; changing version to 3.0.20pre1 (This used to be commit 9727d05241574042dd3aa8844ae5c701d22e2da1)
2005-05-31 17:46:45 +04:00
{
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
}
/***************************************************************************
***************************************************************************/
r20875: Pass DCE/RPC server call arguments as a struct rather than as separate arguments. This makes it a bit more similar to the Samba4 code. (This used to be commit 0596badb410a58e7a715e2b17bc0bef0489a2448)
2007-01-18 13:18:59 +03:00
NTSTATUS _lsa_CreateTrustedDomain(pipes_struct *p, struct lsa_CreateTrustedDomain *r)
r7139: trying to reduce the number of diffs between trunk and 3.0; changing version to 3.0.20pre1 (This used to be commit 9727d05241574042dd3aa8844ae5c701d22e2da1)
2005-05-31 17:46:45 +04:00
{
return NT_STATUS_ACCESS_DENIED;
}
/***************************************************************************
***************************************************************************/
r20875: Pass DCE/RPC server call arguments as a struct rather than as separate arguments. This makes it a bit more similar to the Samba4 code. (This used to be commit 0596badb410a58e7a715e2b17bc0bef0489a2448)
2007-01-18 13:18:59 +03:00
NTSTATUS _lsa_CreateSecret(pipes_struct *p, struct lsa_CreateSecret *r)
r7139: trying to reduce the number of diffs between trunk and 3.0; changing version to 3.0.20pre1 (This used to be commit 9727d05241574042dd3aa8844ae5c701d22e2da1)
2005-05-31 17:46:45 +04:00
{
return NT_STATUS_ACCESS_DENIED;
}
/***************************************************************************
***************************************************************************/
r20875: Pass DCE/RPC server call arguments as a struct rather than as separate arguments. This makes it a bit more similar to the Samba4 code. (This used to be commit 0596badb410a58e7a715e2b17bc0bef0489a2448)
2007-01-18 13:18:59 +03:00
NTSTATUS _lsa_SetSecret(pipes_struct *p, struct lsa_SetSecret *r)
r7139: trying to reduce the number of diffs between trunk and 3.0; changing version to 3.0.20pre1 (This used to be commit 9727d05241574042dd3aa8844ae5c701d22e2da1)
2005-05-31 17:46:45 +04:00
{
return NT_STATUS_ACCESS_DENIED;
}
/***************************************************************************
Use pidl for (dummy) _lsa_DeleteObject(). Guenther (This used to be commit 81e2e3a288fb40bf4ba1b83adf459a0cf6f02ed2)
2008-02-05 00:05:48 +03:00
_lsa_DeleteObject
r7139: trying to reduce the number of diffs between trunk and 3.0; changing version to 3.0.20pre1 (This used to be commit 9727d05241574042dd3aa8844ae5c701d22e2da1)
2005-05-31 17:46:45 +04:00
***************************************************************************/
Use pidl for (dummy) _lsa_DeleteObject(). Guenther (This used to be commit 81e2e3a288fb40bf4ba1b83adf459a0cf6f02ed2)
2008-02-05 00:05:48 +03:00
NTSTATUS _lsa_DeleteObject(pipes_struct *p,
struct lsa_DeleteObject *r)
r7139: trying to reduce the number of diffs between trunk and 3.0; changing version to 3.0.20pre1 (This used to be commit 9727d05241574042dd3aa8844ae5c701d22e2da1)
2005-05-31 17:46:45 +04:00
{
return NT_STATUS_ACCESS_DENIED;
}
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
/***************************************************************************
Use pidl for _lsa_EnumPrivs(). Guenther (This used to be commit 62944007315c1744e2d2db7db593bc72af4b643b)
2008-02-11 12:19:54 +03:00
_lsa_EnumPrivs
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
***************************************************************************/
Use pidl for _lsa_EnumPrivs(). Guenther (This used to be commit 62944007315c1744e2d2db7db593bc72af4b643b)
2008-02-11 12:19:54 +03:00
NTSTATUS _lsa_EnumPrivs(pipes_struct *p,
struct lsa_EnumPrivs *r)
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
{
there is no unknown field in LSA_SEC_QOS some cleanup of the lsa_open_policy and lsa_open_policy2 parser. the length fields are not correct but that's what NT send. We don't anymore underflow or overflow the decoding. added the domain admins group to the default SD. we are now checking the desired access flag in the lsa_open_policy_X() calls and in most functions also. J.F. (This used to be commit a217c4e4ff4d13122703d22258792fe5e8e9f02f)
2001-12-18 02:03:23 +03:00
struct lsa_info *handle;
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
uint32 i;
Use pidl for _lsa_EnumPrivs(). Guenther (This used to be commit 62944007315c1744e2d2db7db593bc72af4b643b)
2008-02-11 12:19:54 +03:00
uint32 enum_context = *r->in.resume_handle;
r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2005-09-30 21:13:37 +04:00
int num_privs = count_all_privileges();
Use pidl for _lsa_EnumPrivs(). Guenther (This used to be commit 62944007315c1744e2d2db7db593bc72af4b643b)
2008-02-11 12:19:54 +03:00
struct lsa_PrivEntry *entries = NULL;
r4805: Last planned change to the privileges infrastructure: * rewrote the tdb layout of privilege records in account_pol.tdb (allow for 128 bits instead of 32 bit flags) * migrated to using SE_PRIV structure instead of the PRIVILEGE_SET structure. The latter is now used for parsing routines mainly. Still need to incorporate some client support into 'net' so for setting privileges. And make use of the SeAddUserPrivilege right. (This used to be commit 41dc7f7573c6d637e19a01e7ed0e716ac0f1fb15)
2005-01-17 18:23:11 +03:00
LUID_ATTR luid;
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
r4724: Add support for Windows privileges in Samba 3.0 (based on Simo's code in trunk). Rewritten with the following changes: * privilege set is based on a 32-bit mask instead of strings (plans are to extend this to a 64 or 128-bit mask before the next 3.0.11preX release). * Remove the privilege code from the passdb API (replication to come later) * Only support the minimum amount of privileges that make sense. * Rewrite the domain join checks to use the SeMachineAccountPrivilege instead of the 'is a member of "Domain Admins"?' check that started all this. Still todo: * Utilize the SePrintOperatorPrivilege in addition to the 'printer admin' parameter * Utilize the SeAddUserPrivilege for adding users and groups * Fix some of the hard coded _lsa_*() calls * Start work on enough of SAM replication to get privileges from one Samba DC to another. * Come up with some management tool for manipultaing privileges instead of user manager since it is buggy when run on a 2k client (haven't tried xp). Works ok on NT4. (This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c)
2005-01-13 21:20:37 +03:00
/* remember that the enum_context starts at 0 and not 1 */
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
r4724: Add support for Windows privileges in Samba 3.0 (based on Simo's code in trunk). Rewritten with the following changes: * privilege set is based on a 32-bit mask instead of strings (plans are to extend this to a 64 or 128-bit mask before the next 3.0.11preX release). * Remove the privilege code from the passdb API (replication to come later) * Only support the minimum amount of privileges that make sense. * Rewrite the domain join checks to use the SeMachineAccountPrivilege instead of the 'is a member of "Domain Admins"?' check that started all this. Still todo: * Utilize the SePrintOperatorPrivilege in addition to the 'printer admin' parameter * Utilize the SeAddUserPrivilege for adding users and groups * Fix some of the hard coded _lsa_*() calls * Start work on enough of SAM replication to get privileges from one Samba DC to another. * Come up with some management tool for manipultaing privileges instead of user manager since it is buggy when run on a 2k client (haven't tried xp). Works ok on NT4. (This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c)
2005-01-13 21:20:37 +03:00
if ( enum_context >= num_privs )
Ensure we return a parseable value if invalid handle given. Jeremy. (This used to be commit f169f3f4df81537426f708d68da44e0fc40ad15e)
2002-03-29 23:37:56 +03:00
return NT_STATUS_NO_MORE_ENTRIES;
Fix typo. Guenther (This used to be commit 4e3357ac3a1b0adac1744a71f997e3442e0e4209)
2008-02-14 03:53:42 +03:00
DEBUG(10,("_lsa_EnumPrivs: enum_context:%d total entries:%d\n",
r4724: Add support for Windows privileges in Samba 3.0 (based on Simo's code in trunk). Rewritten with the following changes: * privilege set is based on a 32-bit mask instead of strings (plans are to extend this to a 64 or 128-bit mask before the next 3.0.11preX release). * Remove the privilege code from the passdb API (replication to come later) * Only support the minimum amount of privileges that make sense. * Rewrite the domain join checks to use the SeMachineAccountPrivilege instead of the 'is a member of "Domain Admins"?' check that started all this. Still todo: * Utilize the SePrintOperatorPrivilege in addition to the 'printer admin' parameter * Utilize the SeAddUserPrivilege for adding users and groups * Fix some of the hard coded _lsa_*() calls * Start work on enough of SAM replication to get privileges from one Samba DC to another. * Come up with some management tool for manipultaing privileges instead of user manager since it is buggy when run on a 2k client (haven't tried xp). Works ok on NT4. (This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c)
2005-01-13 21:20:37 +03:00
enum_context, num_privs));
Fix typo. Guenther (This used to be commit 4e3357ac3a1b0adac1744a71f997e3442e0e4209)
2008-02-14 03:53:42 +03:00
Use pidl for _lsa_EnumPrivs(). Guenther (This used to be commit 62944007315c1744e2d2db7db593bc72af4b643b)
2008-02-11 12:19:54 +03:00
if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
return NT_STATUS_INVALID_HANDLE;
Fix typos. the user have -> has Karolin (This used to be commit 1ee2ad1051e6076709ef8ed2f45bebff10b0c3cf)
2008-07-18 17:31:36 +04:00
/* check if the user has enough rights
r4724: Add support for Windows privileges in Samba 3.0 (based on Simo's code in trunk). Rewritten with the following changes: * privilege set is based on a 32-bit mask instead of strings (plans are to extend this to a 64 or 128-bit mask before the next 3.0.11preX release). * Remove the privilege code from the passdb API (replication to come later) * Only support the minimum amount of privileges that make sense. * Rewrite the domain join checks to use the SeMachineAccountPrivilege instead of the 'is a member of "Domain Admins"?' check that started all this. Still todo: * Utilize the SePrintOperatorPrivilege in addition to the 'printer admin' parameter * Utilize the SeAddUserPrivilege for adding users and groups * Fix some of the hard coded _lsa_*() calls * Start work on enough of SAM replication to get privileges from one Samba DC to another. * Come up with some management tool for manipultaing privileges instead of user manager since it is buggy when run on a 2k client (haven't tried xp). Works ok on NT4. (This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c)
2005-01-13 21:20:37 +03:00
I don't know if it's the right one. not documented. */
there is no unknown field in LSA_SEC_QOS some cleanup of the lsa_open_policy and lsa_open_policy2 parser. the length fields are not correct but that's what NT send. We don't anymore underflow or overflow the decoding. added the domain admins group to the default SD. we are now checking the desired access flag in the lsa_open_policy_X() calls and in most functions also. J.F. (This used to be commit a217c4e4ff4d13122703d22258792fe5e8e9f02f)
2001-12-18 02:03:23 +03:00
Use new LSA_POLICY defines in lsa rpc server code and other places. Guenther (This used to be commit 58cca9faf9db506bd2f6eab4a99ef85153797ab2)
2008-02-27 17:49:31 +03:00
if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
there is no unknown field in LSA_SEC_QOS some cleanup of the lsa_open_policy and lsa_open_policy2 parser. the length fields are not correct but that's what NT send. We don't anymore underflow or overflow the decoding. added the domain admins group to the default SD. we are now checking the desired access flag in the lsa_open_policy_X() calls and in most functions also. J.F. (This used to be commit a217c4e4ff4d13122703d22258792fe5e8e9f02f)
2001-12-18 02:03:23 +03:00
return NT_STATUS_ACCESS_DENIED;
r22587: Ensure TALLOC_ZERO_ARRAY is consistent. Jeremy. (This used to be commit c3df5d08dd6a983f9d53dc6628a50e571d322e8d)
2007-04-30 05:17:34 +04:00
if (num_privs) {
Use pidl for _lsa_EnumPrivs(). Guenther (This used to be commit 62944007315c1744e2d2db7db593bc72af4b643b)
2008-02-11 12:19:54 +03:00
entries = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_PrivEntry, num_privs);
if (!entries) {
r22587: Ensure TALLOC_ZERO_ARRAY is consistent. Jeremy. (This used to be commit c3df5d08dd6a983f9d53dc6628a50e571d322e8d)
2007-04-30 05:17:34 +04:00
return NT_STATUS_NO_MEMORY;
Use pidl for _lsa_EnumPrivs(). Guenther (This used to be commit 62944007315c1744e2d2db7db593bc72af4b643b)
2008-02-11 12:19:54 +03:00
}
r22587: Ensure TALLOC_ZERO_ARRAY is consistent. Jeremy. (This used to be commit c3df5d08dd6a983f9d53dc6628a50e571d322e8d)
2007-04-30 05:17:34 +04:00
} else {
entries = NULL;
}
r4724: Add support for Windows privileges in Samba 3.0 (based on Simo's code in trunk). Rewritten with the following changes: * privilege set is based on a 32-bit mask instead of strings (plans are to extend this to a 64 or 128-bit mask before the next 3.0.11preX release). * Remove the privilege code from the passdb API (replication to come later) * Only support the minimum amount of privileges that make sense. * Rewrite the domain join checks to use the SeMachineAccountPrivilege instead of the 'is a member of "Domain Admins"?' check that started all this. Still todo: * Utilize the SePrintOperatorPrivilege in addition to the 'printer admin' parameter * Utilize the SeAddUserPrivilege for adding users and groups * Fix some of the hard coded _lsa_*() calls * Start work on enough of SAM replication to get privileges from one Samba DC to another. * Come up with some management tool for manipultaing privileges instead of user manager since it is buggy when run on a 2k client (haven't tried xp). Works ok on NT4. (This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c)
2005-01-13 21:20:37 +03:00
for (i = 0; i < num_privs; i++) {
if( i < enum_context) {
Use pidl for _lsa_EnumPrivs(). Guenther (This used to be commit 62944007315c1744e2d2db7db593bc72af4b643b)
2008-02-11 12:19:54 +03:00
init_lsa_StringLarge(&entries[i].name, NULL);
entries[i].luid.low = 0;
entries[i].luid.high = 0;
added lsa_enum_sids to rpcclient fixed lsa_enum_rpivs server code. This time it works as W2K. fixed smbgroupedit to compile and work. J.F. (This used to be commit 646651018a2736833e49e76f6ca735a4647d9746)
2001-11-23 02:50:16 +03:00
} else {
Use pidl for _lsa_EnumPrivs(). Guenther (This used to be commit 62944007315c1744e2d2db7db593bc72af4b643b)
2008-02-11 12:19:54 +03:00
init_lsa_StringLarge(&entries[i].name, privs[i].name);
r4805: Last planned change to the privileges infrastructure: * rewrote the tdb layout of privilege records in account_pol.tdb (allow for 128 bits instead of 32 bit flags) * migrated to using SE_PRIV structure instead of the PRIVILEGE_SET structure. The latter is now used for parsing routines mainly. Still need to incorporate some client support into 'net' so for setting privileges. And make use of the SeAddUserPrivilege right. (This used to be commit 41dc7f7573c6d637e19a01e7ed0e716ac0f1fb15)
2005-01-17 18:23:11 +03:00
luid = get_privilege_luid( &privs[i].se_priv );
Use pidl for _lsa_EnumPrivs(). Guenther (This used to be commit 62944007315c1744e2d2db7db593bc72af4b643b)
2008-02-11 12:19:54 +03:00
entries[i].luid.low = luid.luid.low;
entries[i].luid.high = luid.luid.high;
added lsa_enum_sids to rpcclient fixed lsa_enum_rpivs server code. This time it works as W2K. fixed smbgroupedit to compile and work. J.F. (This used to be commit 646651018a2736833e49e76f6ca735a4647d9746)
2001-11-23 02:50:16 +03:00
}
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
}
r4724: Add support for Windows privileges in Samba 3.0 (based on Simo's code in trunk). Rewritten with the following changes: * privilege set is based on a 32-bit mask instead of strings (plans are to extend this to a 64 or 128-bit mask before the next 3.0.11preX release). * Remove the privilege code from the passdb API (replication to come later) * Only support the minimum amount of privileges that make sense. * Rewrite the domain join checks to use the SeMachineAccountPrivilege instead of the 'is a member of "Domain Admins"?' check that started all this. Still todo: * Utilize the SePrintOperatorPrivilege in addition to the 'printer admin' parameter * Utilize the SeAddUserPrivilege for adding users and groups * Fix some of the hard coded _lsa_*() calls * Start work on enough of SAM replication to get privileges from one Samba DC to another. * Come up with some management tool for manipultaing privileges instead of user manager since it is buggy when run on a 2k client (haven't tried xp). Works ok on NT4. (This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c)
2005-01-13 21:20:37 +03:00
enum_context = num_privs;
Use pidl for _lsa_EnumPrivs(). Guenther (This used to be commit 62944007315c1744e2d2db7db593bc72af4b643b)
2008-02-11 12:19:54 +03:00
*r->out.resume_handle = enum_context;
r->out.privs->count = num_privs;
r->out.privs->privs = entries;
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
converted another bunch of stuff to NTSTATUS (This used to be commit 1d36250e338ae0ff9fbbf86019809205dd97d05e)
2001-08-27 23:46:22 +04:00
return NT_STATUS_OK;
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
}
/***************************************************************************
Use pidl for _lsa_LookupPrivDisplayName(). Guenther (This used to be commit c86640320199898cc5e3040bc3339db683e98da8)
2008-02-11 13:57:29 +03:00
_lsa_LookupPrivDisplayName
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
***************************************************************************/
Use pidl for _lsa_LookupPrivDisplayName(). Guenther (This used to be commit c86640320199898cc5e3040bc3339db683e98da8)
2008-02-11 13:57:29 +03:00
NTSTATUS _lsa_LookupPrivDisplayName(pipes_struct *p,
struct lsa_LookupPrivDisplayName *r)
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
{
there is no unknown field in LSA_SEC_QOS some cleanup of the lsa_open_policy and lsa_open_policy2 parser. the length fields are not correct but that's what NT send. We don't anymore underflow or overflow the decoding. added the domain admins group to the default SD. we are now checking the desired access flag in the lsa_open_policy_X() calls and in most functions also. J.F. (This used to be commit a217c4e4ff4d13122703d22258792fe5e8e9f02f)
2001-12-18 02:03:23 +03:00
struct lsa_info *handle;
r4805: Last planned change to the privileges infrastructure: * rewrote the tdb layout of privilege records in account_pol.tdb (allow for 128 bits instead of 32 bit flags) * migrated to using SE_PRIV structure instead of the PRIVILEGE_SET structure. The latter is now used for parsing routines mainly. Still need to incorporate some client support into 'net' so for setting privileges. And make use of the SeAddUserPrivilege right. (This used to be commit 41dc7f7573c6d637e19a01e7ed0e716ac0f1fb15)
2005-01-17 18:23:11 +03:00
const char *description;
Use pidl for _lsa_LookupPrivDisplayName(). Guenther (This used to be commit c86640320199898cc5e3040bc3339db683e98da8)
2008-02-11 13:57:29 +03:00
struct lsa_StringLarge *lsa_name;
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
Use pidl for _lsa_LookupPrivDisplayName(). Guenther (This used to be commit c86640320199898cc5e3040bc3339db683e98da8)
2008-02-11 13:57:29 +03:00
if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
return NT_STATUS_INVALID_HANDLE;
Fix typos. the user have -> has Karolin (This used to be commit 1ee2ad1051e6076709ef8ed2f45bebff10b0c3cf)
2008-07-18 17:31:36 +04:00
/* check if the user has enough rights */
there is no unknown field in LSA_SEC_QOS some cleanup of the lsa_open_policy and lsa_open_policy2 parser. the length fields are not correct but that's what NT send. We don't anymore underflow or overflow the decoding. added the domain admins group to the default SD. we are now checking the desired access flag in the lsa_open_policy_X() calls and in most functions also. J.F. (This used to be commit a217c4e4ff4d13122703d22258792fe5e8e9f02f)
2001-12-18 02:03:23 +03:00
/*
* I don't know if it's the right one. not documented.
*/
Use new LSA_POLICY defines in lsa rpc server code and other places. Guenther (This used to be commit 58cca9faf9db506bd2f6eab4a99ef85153797ab2)
2008-02-27 17:49:31 +03:00
if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
there is no unknown field in LSA_SEC_QOS some cleanup of the lsa_open_policy and lsa_open_policy2 parser. the length fields are not correct but that's what NT send. We don't anymore underflow or overflow the decoding. added the domain admins group to the default SD. we are now checking the desired access flag in the lsa_open_policy_X() calls and in most functions also. J.F. (This used to be commit a217c4e4ff4d13122703d22258792fe5e8e9f02f)
2001-12-18 02:03:23 +03:00
return NT_STATUS_ACCESS_DENIED;
Use pidl for _lsa_LookupPrivDisplayName(). Guenther (This used to be commit c86640320199898cc5e3040bc3339db683e98da8)
2008-02-11 13:57:29 +03:00
DEBUG(10,("_lsa_LookupPrivDisplayName: name = %s\n", r->in.name->string));
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
Use pidl for _lsa_LookupPrivDisplayName(). Guenther (This used to be commit c86640320199898cc5e3040bc3339db683e98da8)
2008-02-11 13:57:29 +03:00
description = get_privilege_dispname(r->in.name->string);
if (!description) {
DEBUG(10,("_lsa_LookupPrivDisplayName: doesn't exist\n"));
return NT_STATUS_NO_SUCH_PRIVILEGE;
}
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
Use pidl for _lsa_LookupPrivDisplayName(). Guenther (This used to be commit c86640320199898cc5e3040bc3339db683e98da8)
2008-02-11 13:57:29 +03:00
DEBUG(10,("_lsa_LookupPrivDisplayName: display name = %s\n", description));
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
Use pidl for _lsa_LookupPrivDisplayName(). Guenther (This used to be commit c86640320199898cc5e3040bc3339db683e98da8)
2008-02-11 13:57:29 +03:00
lsa_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_StringLarge);
if (!lsa_name) {
return NT_STATUS_NO_MEMORY;
fixing enum_privs and get_dispname server code. That works as expected now. J.F. (This used to be commit f2766932d693fc601b2c3e7853e61f751435ec3c)
2001-11-22 20:19:59 +03:00
}
Use pidl for _lsa_LookupPrivDisplayName(). Guenther (This used to be commit c86640320199898cc5e3040bc3339db683e98da8)
2008-02-11 13:57:29 +03:00
init_lsa_StringLarge(lsa_name, description);
*r->out.returned_language_id = r->in.language_id;
*r->out.disp_name = lsa_name;
return NT_STATUS_OK;
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
}
/***************************************************************************
Use pidl for _lsa_EnumAccounts. Guenther (This used to be commit 07e5138ad960bce8569ea593ca9a1b4fbf2b1048)
2008-02-14 03:16:03 +03:00
_lsa_EnumAccounts
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
***************************************************************************/
Use pidl for _lsa_EnumAccounts. Guenther (This used to be commit 07e5138ad960bce8569ea593ca9a1b4fbf2b1048)
2008-02-14 03:16:03 +03:00
NTSTATUS _lsa_EnumAccounts(pipes_struct *p,
struct lsa_EnumAccounts *r)
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
{
there is no unknown field in LSA_SEC_QOS some cleanup of the lsa_open_policy and lsa_open_policy2 parser. the length fields are not correct but that's what NT send. We don't anymore underflow or overflow the decoding. added the domain admins group to the default SD. we are now checking the desired access flag in the lsa_open_policy_X() calls and in most functions also. J.F. (This used to be commit a217c4e4ff4d13122703d22258792fe5e8e9f02f)
2001-12-18 02:03:23 +03:00
struct lsa_info *handle;
r4724: Add support for Windows privileges in Samba 3.0 (based on Simo's code in trunk). Rewritten with the following changes: * privilege set is based on a 32-bit mask instead of strings (plans are to extend this to a 64 or 128-bit mask before the next 3.0.11preX release). * Remove the privilege code from the passdb API (replication to come later) * Only support the minimum amount of privileges that make sense. * Rewrite the domain join checks to use the SeMachineAccountPrivilege instead of the 'is a member of "Domain Admins"?' check that started all this. Still todo: * Utilize the SePrintOperatorPrivilege in addition to the 'printer admin' parameter * Utilize the SeAddUserPrivilege for adding users and groups * Fix some of the hard coded _lsa_*() calls * Start work on enough of SAM replication to get privileges from one Samba DC to another. * Come up with some management tool for manipultaing privileges instead of user manager since it is buggy when run on a 2k client (haven't tried xp). Works ok on NT4. (This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c)
2005-01-13 21:20:37 +03:00
DOM_SID *sid_list;
int i, j, num_entries;
Use pidl for _lsa_EnumAccounts. Guenther (This used to be commit 07e5138ad960bce8569ea593ca9a1b4fbf2b1048)
2008-02-14 03:16:03 +03:00
NTSTATUS status;
struct lsa_SidPtr *sids = NULL;
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
Use pidl for _lsa_EnumAccounts. Guenther (This used to be commit 07e5138ad960bce8569ea593ca9a1b4fbf2b1048)
2008-02-14 03:16:03 +03:00
if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
return NT_STATUS_INVALID_HANDLE;
Use new LSA_POLICY defines in lsa rpc server code and other places. Guenther (This used to be commit 58cca9faf9db506bd2f6eab4a99ef85153797ab2)
2008-02-27 17:49:31 +03:00
if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
there is no unknown field in LSA_SEC_QOS some cleanup of the lsa_open_policy and lsa_open_policy2 parser. the length fields are not correct but that's what NT send. We don't anymore underflow or overflow the decoding. added the domain admins group to the default SD. we are now checking the desired access flag in the lsa_open_policy_X() calls and in most functions also. J.F. (This used to be commit a217c4e4ff4d13122703d22258792fe5e8e9f02f)
2001-12-18 02:03:23 +03:00
return NT_STATUS_ACCESS_DENIED;
r4724: Add support for Windows privileges in Samba 3.0 (based on Simo's code in trunk). Rewritten with the following changes: * privilege set is based on a 32-bit mask instead of strings (plans are to extend this to a 64 or 128-bit mask before the next 3.0.11preX release). * Remove the privilege code from the passdb API (replication to come later) * Only support the minimum amount of privileges that make sense. * Rewrite the domain join checks to use the SeMachineAccountPrivilege instead of the 'is a member of "Domain Admins"?' check that started all this. Still todo: * Utilize the SePrintOperatorPrivilege in addition to the 'printer admin' parameter * Utilize the SeAddUserPrivilege for adding users and groups * Fix some of the hard coded _lsa_*() calls * Start work on enough of SAM replication to get privileges from one Samba DC to another. * Come up with some management tool for manipultaing privileges instead of user manager since it is buggy when run on a 2k client (haven't tried xp). Works ok on NT4. (This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c)
2005-01-13 21:20:37 +03:00
sid_list = NULL;
num_entries = 0;
/* The only way we can currently find out all the SIDs that have been
privileged is to scan all privileges */
Use pidl for _lsa_EnumAccounts. Guenther (This used to be commit 07e5138ad960bce8569ea593ca9a1b4fbf2b1048)
2008-02-14 03:16:03 +03:00
status = privilege_enumerate_accounts(&sid_list, &num_entries);
if (!NT_STATUS_IS_OK(status)) {
return status;
more access fixes for group enumeration in LDAP; bug 281 (This used to be commit 68283407e0f366d8315f4be6caed67eb6fe84b85)
2003-11-24 20:31:38 +03:00
}
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
Use pidl for _lsa_EnumAccounts. Guenther (This used to be commit 07e5138ad960bce8569ea593ca9a1b4fbf2b1048)
2008-02-14 03:16:03 +03:00
if (*r->in.resume_handle >= num_entries) {
Changed how the privileges are stored in the group mapping code. It's now an array of uint32. That's not perfect but that's better. Added more privileges too. Changed the local_lookup_rid/name functions in passdb.c to check if the group is mapped. Makes the LSA rpc calls return correct groups Corrected the return code in the LSA server code enum_sids. Only enumerate well known aliases if they are mapped to real unix groups. Won't confuse user seeing groups not available. Added a short/long view to smbgroupedit. now decoding rpc calls to add/remove privileges to sid. J.F. (This used to be commit f29774e58973f421bfa163c45bfae201a140f28c)
2001-11-23 18:11:22 +03:00
return NT_STATUS_NO_MORE_ENTRIES;
Use pidl for _lsa_EnumAccounts. Guenther (This used to be commit 07e5138ad960bce8569ea593ca9a1b4fbf2b1048)
2008-02-14 03:16:03 +03:00
}
Changed how the privileges are stored in the group mapping code. It's now an array of uint32. That's not perfect but that's better. Added more privileges too. Changed the local_lookup_rid/name functions in passdb.c to check if the group is mapped. Makes the LSA rpc calls return correct groups Corrected the return code in the LSA server code enum_sids. Only enumerate well known aliases if they are mapped to real unix groups. Won't confuse user seeing groups not available. Added a short/long view to smbgroupedit. now decoding rpc calls to add/remove privileges to sid. J.F. (This used to be commit f29774e58973f421bfa163c45bfae201a140f28c)
2001-11-23 18:11:22 +03:00
Use pidl for _lsa_EnumAccounts. Guenther (This used to be commit 07e5138ad960bce8569ea593ca9a1b4fbf2b1048)
2008-02-14 03:16:03 +03:00
if (num_entries - *r->in.resume_handle) {
sids = TALLOC_ZERO_ARRAY(p->mem_ctx, struct lsa_SidPtr,
num_entries - *r->in.resume_handle);
if (!sids) {
r22587: Ensure TALLOC_ZERO_ARRAY is consistent. Jeremy. (This used to be commit c3df5d08dd6a983f9d53dc6628a50e571d322e8d)
2007-04-30 05:17:34 +04:00
SAFE_FREE(sid_list);
return NT_STATUS_NO_MEMORY;
}
r24165: Fix Coverity ID 369. This was not really a bug I think, but this change cleans up the code a bit. (This used to be commit 59b4914df3ecc97a1c629e8c7a066aed8e8d9226)
2007-08-04 14:18:33 +04:00
Use pidl for _lsa_EnumAccounts. Guenther (This used to be commit 07e5138ad960bce8569ea593ca9a1b4fbf2b1048)
2008-02-14 03:16:03 +03:00
for (i = *r->in.resume_handle, j = 0; i < num_entries; i++, j++) {
sids[j].sid = sid_dup_talloc(p->mem_ctx, &sid_list[i]);
if (!sids[j].sid) {
SAFE_FREE(sid_list);
return NT_STATUS_NO_MEMORY;
}
r24165: Fix Coverity ID 369. This was not really a bug I think, but this change cleans up the code a bit. (This used to be commit 59b4914df3ecc97a1c629e8c7a066aed8e8d9226)
2007-08-04 14:18:33 +04:00
}
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
}
r22573: Fix old bug mixing free() and talloc_free() when the add_sid_to_array_XX code was moved from malloc to talloc. Found running valgrind and rpcclient. Needs merging for 3.0.25 final. Jeremy. (This used to be commit 8af56dbd00045049ea3c5022822bbaeeecbd9661)
2007-04-29 23:20:48 +04:00
talloc_free(sid_list);
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
Use pidl for _lsa_EnumAccounts. Guenther (This used to be commit 07e5138ad960bce8569ea593ca9a1b4fbf2b1048)
2008-02-14 03:16:03 +03:00
*r->out.resume_handle = num_entries;
r->out.sids->num_sids = num_entries;
r->out.sids->sids = sids;
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
converted another bunch of stuff to NTSTATUS (This used to be commit 1d36250e338ae0ff9fbbf86019809205dd97d05e)
2001-08-27 23:46:22 +04:00
return NT_STATUS_OK;
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
}
Use pidl for _lsa_GetUserName(). Guenther (This used to be commit b24cf05dcad5696a7b948c93de9e995c2b53e80f)
2008-02-11 22:29:31 +03:00
/***************************************************************************
_lsa_GetUserName
***************************************************************************/
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
Use pidl for _lsa_GetUserName(). Guenther (This used to be commit b24cf05dcad5696a7b948c93de9e995c2b53e80f)
2008-02-11 22:29:31 +03:00
NTSTATUS _lsa_GetUserName(pipes_struct *p,
struct lsa_GetUserName *r)
Added LsaGetConnectedCredentials patch from Manoj Naik <manoj@almaden.ibm.com>. Jeremy. (This used to be commit 7079300da6dbd950e55dc5871851250d5a3717ff)
2001-06-30 03:12:55 +04:00
{
r17064: lsa_GetUserName needs to return the name for S-1-5-7 on an anonymous login. Found that because I want to play around with setsharesecurity, for this I need the "whoami" call figuring out the SID of the currently connected user. Not activating this test yet until the build farm has picked up the new samba4 revision. Volker (cherry picked from commit 5cfe482841b77208b68376f9e2b8a4a62271f7c9) (This used to be commit 15935bad1d756d3896f0687108e60ca10a35a936)
2006-07-15 21:55:01 +04:00
const char *username, *domname;
Use pidl for _lsa_GetUserName(). Guenther (This used to be commit b24cf05dcad5696a7b948c93de9e995c2b53e80f)
2008-02-11 22:29:31 +03:00
struct lsa_String *account_name = NULL;
struct lsa_String *authority_name = NULL;
Remove p->vuid The users can use p->server_info. Now pipes_struct is decoupled from the SMB transport. (This used to be commit d4cf5a131919530317cd457006b4df5af2c69fa7)
2008-06-24 17:24:08 +04:00
if (p->server_info->guest) {
r17064: lsa_GetUserName needs to return the name for S-1-5-7 on an anonymous login. Found that because I want to play around with setsharesecurity, for this I need the "whoami" call figuring out the SID of the currently connected user. Not activating this test yet until the build farm has picked up the new samba4 revision. Volker (cherry picked from commit 5cfe482841b77208b68376f9e2b8a4a62271f7c9) (This used to be commit 15935bad1d756d3896f0687108e60ca10a35a936)
2006-07-15 21:55:01 +04:00
/*
* I'm 99% sure this is not the right place to do this,
* global_sid_Anonymous should probably be put into the token
* instead of the guest id -- vl
*/
if (!lookup_sid(p->mem_ctx, &global_sid_Anonymous,
&domname, &username, NULL)) {
return NT_STATUS_NO_MEMORY;
}
} else {
Remove p->vuid The users can use p->server_info. Now pipes_struct is decoupled from the SMB transport. (This used to be commit d4cf5a131919530317cd457006b4df5af2c69fa7)
2008-06-24 17:24:08 +04:00
username = p->server_info->sanitized_username;
domname = pdb_get_domain(p->server_info->sam_account);
r17064: lsa_GetUserName needs to return the name for S-1-5-7 on an anonymous login. Found that because I want to play around with setsharesecurity, for this I need the "whoami" call figuring out the SID of the currently connected user. Not activating this test yet until the build farm has picked up the new samba4 revision. Volker (cherry picked from commit 5cfe482841b77208b68376f9e2b8a4a62271f7c9) (This used to be commit 15935bad1d756d3896f0687108e60ca10a35a936)
2006-07-15 21:55:01 +04:00
}
Added LsaGetConnectedCredentials patch from Manoj Naik <manoj@almaden.ibm.com>. Jeremy. (This used to be commit 7079300da6dbd950e55dc5871851250d5a3717ff)
2001-06-30 03:12:55 +04:00
Use pidl for _lsa_GetUserName(). Guenther (This used to be commit b24cf05dcad5696a7b948c93de9e995c2b53e80f)
2008-02-11 22:29:31 +03:00
account_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_String);
if (!account_name) {
return NT_STATUS_NO_MEMORY;
}
Added LsaGetConnectedCredentials patch from Manoj Naik <manoj@almaden.ibm.com>. Jeremy. (This used to be commit 7079300da6dbd950e55dc5871851250d5a3717ff)
2001-06-30 03:12:55 +04:00
Use pidl for _lsa_GetUserName(). Guenther (This used to be commit b24cf05dcad5696a7b948c93de9e995c2b53e80f)
2008-02-11 22:29:31 +03:00
authority_name = TALLOC_ZERO_P(p->mem_ctx, struct lsa_String);
if (!authority_name) {
return NT_STATUS_NO_MEMORY;
}
init_lsa_String(account_name, username);
init_lsa_String(authority_name, domname);
*r->out.account_name = account_name;
*r->out.authority_name = authority_name;
return NT_STATUS_OK;
Added LsaGetConnectedCredentials patch from Manoj Naik <manoj@almaden.ibm.com>. Jeremy. (This used to be commit 7079300da6dbd950e55dc5871851250d5a3717ff)
2001-06-30 03:12:55 +04:00
}
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
/***************************************************************************
Use pidl for _lsa_CreateAccount(). Guenther (This used to be commit d71f56a293d67971c45ee44219752a55fb21f8be)
2008-02-06 20:58:11 +03:00
_lsa_CreateAccount
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
***************************************************************************/
Use pidl for _lsa_CreateAccount(). Guenther (This used to be commit d71f56a293d67971c45ee44219752a55fb21f8be)
2008-02-06 20:58:11 +03:00
NTSTATUS _lsa_CreateAccount(pipes_struct *p,
struct lsa_CreateAccount *r)
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
{
there is no unknown field in LSA_SEC_QOS some cleanup of the lsa_open_policy and lsa_open_policy2 parser. the length fields are not correct but that's what NT send. We don't anymore underflow or overflow the decoding. added the domain admins group to the default SD. we are now checking the desired access flag in the lsa_open_policy_X() calls and in most functions also. J.F. (This used to be commit a217c4e4ff4d13122703d22258792fe5e8e9f02f)
2001-12-18 02:03:23 +03:00
struct lsa_info *handle;
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
struct lsa_info *info;
r4724: Add support for Windows privileges in Samba 3.0 (based on Simo's code in trunk). Rewritten with the following changes: * privilege set is based on a 32-bit mask instead of strings (plans are to extend this to a 64 or 128-bit mask before the next 3.0.11preX release). * Remove the privilege code from the passdb API (replication to come later) * Only support the minimum amount of privileges that make sense. * Rewrite the domain join checks to use the SeMachineAccountPrivilege instead of the 'is a member of "Domain Admins"?' check that started all this. Still todo: * Utilize the SePrintOperatorPrivilege in addition to the 'printer admin' parameter * Utilize the SeAddUserPrivilege for adding users and groups * Fix some of the hard coded _lsa_*() calls * Start work on enough of SAM replication to get privileges from one Samba DC to another. * Come up with some management tool for manipultaing privileges instead of user manager since it is buggy when run on a 2k client (haven't tried xp). Works ok on NT4. (This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c)
2005-01-13 21:20:37 +03:00
/* find the connection policy handle. */
Use pidl for _lsa_CreateAccount(). Guenther (This used to be commit d71f56a293d67971c45ee44219752a55fb21f8be)
2008-02-06 20:58:11 +03:00
if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
r4724: Add support for Windows privileges in Samba 3.0 (based on Simo's code in trunk). Rewritten with the following changes: * privilege set is based on a 32-bit mask instead of strings (plans are to extend this to a 64 or 128-bit mask before the next 3.0.11preX release). * Remove the privilege code from the passdb API (replication to come later) * Only support the minimum amount of privileges that make sense. * Rewrite the domain join checks to use the SeMachineAccountPrivilege instead of the 'is a member of "Domain Admins"?' check that started all this. Still todo: * Utilize the SePrintOperatorPrivilege in addition to the 'printer admin' parameter * Utilize the SeAddUserPrivilege for adding users and groups * Fix some of the hard coded _lsa_*() calls * Start work on enough of SAM replication to get privileges from one Samba DC to another. * Come up with some management tool for manipultaing privileges instead of user manager since it is buggy when run on a 2k client (haven't tried xp). Works ok on NT4. (This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c)
2005-01-13 21:20:37 +03:00
return NT_STATUS_INVALID_HANDLE;
Fix typos. the user have -> has Karolin (This used to be commit 1ee2ad1051e6076709ef8ed2f45bebff10b0c3cf)
2008-07-18 17:31:36 +04:00
/* check if the user has enough rights */
r4724: Add support for Windows privileges in Samba 3.0 (based on Simo's code in trunk). Rewritten with the following changes: * privilege set is based on a 32-bit mask instead of strings (plans are to extend this to a 64 or 128-bit mask before the next 3.0.11preX release). * Remove the privilege code from the passdb API (replication to come later) * Only support the minimum amount of privileges that make sense. * Rewrite the domain join checks to use the SeMachineAccountPrivilege instead of the 'is a member of "Domain Admins"?' check that started all this. Still todo: * Utilize the SePrintOperatorPrivilege in addition to the 'printer admin' parameter * Utilize the SeAddUserPrivilege for adding users and groups * Fix some of the hard coded _lsa_*() calls * Start work on enough of SAM replication to get privileges from one Samba DC to another. * Come up with some management tool for manipultaing privileges instead of user manager since it is buggy when run on a 2k client (haven't tried xp). Works ok on NT4. (This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c)
2005-01-13 21:20:37 +03:00
/*
* I don't know if it's the right one. not documented.
* but guessed with rpcclient.
*/
Use new LSA_POLICY defines in lsa rpc server code and other places. Guenther (This used to be commit 58cca9faf9db506bd2f6eab4a99ef85153797ab2)
2008-02-27 17:49:31 +03:00
if (!(handle->access & LSA_POLICY_GET_PRIVATE_INFORMATION))
r4724: Add support for Windows privileges in Samba 3.0 (based on Simo's code in trunk). Rewritten with the following changes: * privilege set is based on a 32-bit mask instead of strings (plans are to extend this to a 64 or 128-bit mask before the next 3.0.11preX release). * Remove the privilege code from the passdb API (replication to come later) * Only support the minimum amount of privileges that make sense. * Rewrite the domain join checks to use the SeMachineAccountPrivilege instead of the 'is a member of "Domain Admins"?' check that started all this. Still todo: * Utilize the SePrintOperatorPrivilege in addition to the 'printer admin' parameter * Utilize the SeAddUserPrivilege for adding users and groups * Fix some of the hard coded _lsa_*() calls * Start work on enough of SAM replication to get privileges from one Samba DC to another. * Come up with some management tool for manipultaing privileges instead of user manager since it is buggy when run on a 2k client (haven't tried xp). Works ok on NT4. (This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c)
2005-01-13 21:20:37 +03:00
return NT_STATUS_ACCESS_DENIED;
Remove white space. Guenther (This used to be commit a33ed085094b200e153939cb1b02e567f07b1e50)
2008-02-14 15:12:28 +03:00
/* check to see if the pipe_user is a Domain Admin since
r4739: require membership in Domain Admins to be able to set privileges (This used to be commit e8b4cedc2081eeff53d86c2d894632e57a17926f)
2005-01-15 00:05:54 +03:00
account_pol.tdb was already opened as root, this is all we have */
Remove white space. Guenther (This used to be commit a33ed085094b200e153939cb1b02e567f07b1e50)
2008-02-14 15:12:28 +03:00
Unify access checks for lsa server functions. Jeremy.
2008-10-18 02:24:15 +04:00
if ( p->pipe_user.ut.uid != sec_initial_uid()
&& !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
r4739: require membership in Domain Admins to be able to set privileges (This used to be commit e8b4cedc2081eeff53d86c2d894632e57a17926f)
2005-01-15 00:05:54 +03:00
return NT_STATUS_ACCESS_DENIED;
Remove white space. Guenther (This used to be commit a33ed085094b200e153939cb1b02e567f07b1e50)
2008-02-14 15:12:28 +03:00
Use pidl for _lsa_CreateAccount(). Guenther (This used to be commit d71f56a293d67971c45ee44219752a55fb21f8be)
2008-02-06 20:58:11 +03:00
if ( is_privileged_sid( r->in.sid ) )
r4822: fix return code when you ask for a non-privileged SID via one of the privileges RPC calls (This used to be commit 3f4f2c80fd157796a7ba56f31f921e8a3ce46bc3)
2005-01-18 21:29:28 +03:00
return NT_STATUS_OBJECT_NAME_COLLISION;
r4739: require membership in Domain Admins to be able to set privileges (This used to be commit e8b4cedc2081eeff53d86c2d894632e57a17926f)
2005-01-15 00:05:54 +03:00
r4724: Add support for Windows privileges in Samba 3.0 (based on Simo's code in trunk). Rewritten with the following changes: * privilege set is based on a 32-bit mask instead of strings (plans are to extend this to a 64 or 128-bit mask before the next 3.0.11preX release). * Remove the privilege code from the passdb API (replication to come later) * Only support the minimum amount of privileges that make sense. * Rewrite the domain join checks to use the SeMachineAccountPrivilege instead of the 'is a member of "Domain Admins"?' check that started all this. Still todo: * Utilize the SePrintOperatorPrivilege in addition to the 'printer admin' parameter * Utilize the SeAddUserPrivilege for adding users and groups * Fix some of the hard coded _lsa_*() calls * Start work on enough of SAM replication to get privileges from one Samba DC to another. * Come up with some management tool for manipultaing privileges instead of user manager since it is buggy when run on a 2k client (haven't tried xp). Works ok on NT4. (This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c)
2005-01-13 21:20:37 +03:00
/* associate the user/group SID with the (unique) handle. */
Remove white space. Guenther (This used to be commit a33ed085094b200e153939cb1b02e567f07b1e50)
2008-02-14 15:12:28 +03:00
r4724: Add support for Windows privileges in Samba 3.0 (based on Simo's code in trunk). Rewritten with the following changes: * privilege set is based on a 32-bit mask instead of strings (plans are to extend this to a 64 or 128-bit mask before the next 3.0.11preX release). * Remove the privilege code from the passdb API (replication to come later) * Only support the minimum amount of privileges that make sense. * Rewrite the domain join checks to use the SeMachineAccountPrivilege instead of the 'is a member of "Domain Admins"?' check that started all this. Still todo: * Utilize the SePrintOperatorPrivilege in addition to the 'printer admin' parameter * Utilize the SeAddUserPrivilege for adding users and groups * Fix some of the hard coded _lsa_*() calls * Start work on enough of SAM replication to get privileges from one Samba DC to another. * Come up with some management tool for manipultaing privileges instead of user manager since it is buggy when run on a 2k client (haven't tried xp). Works ok on NT4. (This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c)
2005-01-13 21:20:37 +03:00
if ((info = SMB_MALLOC_P(struct lsa_info)) == NULL)
return NT_STATUS_NO_MEMORY;
ZERO_STRUCTP(info);
Use pidl for _lsa_CreateAccount(). Guenther (This used to be commit d71f56a293d67971c45ee44219752a55fb21f8be)
2008-02-06 20:58:11 +03:00
info->sid = *r->in.sid;
info->access = r->in.access_mask;
r4724: Add support for Windows privileges in Samba 3.0 (based on Simo's code in trunk). Rewritten with the following changes: * privilege set is based on a 32-bit mask instead of strings (plans are to extend this to a 64 or 128-bit mask before the next 3.0.11preX release). * Remove the privilege code from the passdb API (replication to come later) * Only support the minimum amount of privileges that make sense. * Rewrite the domain join checks to use the SeMachineAccountPrivilege instead of the 'is a member of "Domain Admins"?' check that started all this. Still todo: * Utilize the SePrintOperatorPrivilege in addition to the 'printer admin' parameter * Utilize the SeAddUserPrivilege for adding users and groups * Fix some of the hard coded _lsa_*() calls * Start work on enough of SAM replication to get privileges from one Samba DC to another. * Come up with some management tool for manipultaing privileges instead of user manager since it is buggy when run on a 2k client (haven't tried xp). Works ok on NT4. (This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c)
2005-01-13 21:20:37 +03:00
/* get a (unique) handle. open a policy on it. */
Testing revealed some errors, reverting some of the lsa changes. Guenther (This used to be commit ac1e4f1eb2c046def4fa30ab0bd98c49add8e8c8)
2008-02-09 03:33:47 +03:00
if (!create_policy_hnd(p, r->out.acct_handle, free_lsa_info, (void *)info))
r4724: Add support for Windows privileges in Samba 3.0 (based on Simo's code in trunk). Rewritten with the following changes: * privilege set is based on a 32-bit mask instead of strings (plans are to extend this to a 64 or 128-bit mask before the next 3.0.11preX release). * Remove the privilege code from the passdb API (replication to come later) * Only support the minimum amount of privileges that make sense. * Rewrite the domain join checks to use the SeMachineAccountPrivilege instead of the 'is a member of "Domain Admins"?' check that started all this. Still todo: * Utilize the SePrintOperatorPrivilege in addition to the 'printer admin' parameter * Utilize the SeAddUserPrivilege for adding users and groups * Fix some of the hard coded _lsa_*() calls * Start work on enough of SAM replication to get privileges from one Samba DC to another. * Come up with some management tool for manipultaing privileges instead of user manager since it is buggy when run on a 2k client (haven't tried xp). Works ok on NT4. (This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c)
2005-01-13 21:20:37 +03:00
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
return privilege_create_account( &info->sid );
}
/***************************************************************************
Use pidl for _lsa_OpenAccount(). Guenther (This used to be commit e1968880a88ad2a56c5fef7d416646dcb96965ef)
2008-02-06 21:19:29 +03:00
_lsa_OpenAccount
r4724: Add support for Windows privileges in Samba 3.0 (based on Simo's code in trunk). Rewritten with the following changes: * privilege set is based on a 32-bit mask instead of strings (plans are to extend this to a 64 or 128-bit mask before the next 3.0.11preX release). * Remove the privilege code from the passdb API (replication to come later) * Only support the minimum amount of privileges that make sense. * Rewrite the domain join checks to use the SeMachineAccountPrivilege instead of the 'is a member of "Domain Admins"?' check that started all this. Still todo: * Utilize the SePrintOperatorPrivilege in addition to the 'printer admin' parameter * Utilize the SeAddUserPrivilege for adding users and groups * Fix some of the hard coded _lsa_*() calls * Start work on enough of SAM replication to get privileges from one Samba DC to another. * Come up with some management tool for manipultaing privileges instead of user manager since it is buggy when run on a 2k client (haven't tried xp). Works ok on NT4. (This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c)
2005-01-13 21:20:37 +03:00
***************************************************************************/
Use pidl for _lsa_OpenAccount(). Guenther (This used to be commit e1968880a88ad2a56c5fef7d416646dcb96965ef)
2008-02-06 21:19:29 +03:00
NTSTATUS _lsa_OpenAccount(pipes_struct *p,
struct lsa_OpenAccount *r)
r4724: Add support for Windows privileges in Samba 3.0 (based on Simo's code in trunk). Rewritten with the following changes: * privilege set is based on a 32-bit mask instead of strings (plans are to extend this to a 64 or 128-bit mask before the next 3.0.11preX release). * Remove the privilege code from the passdb API (replication to come later) * Only support the minimum amount of privileges that make sense. * Rewrite the domain join checks to use the SeMachineAccountPrivilege instead of the 'is a member of "Domain Admins"?' check that started all this. Still todo: * Utilize the SePrintOperatorPrivilege in addition to the 'printer admin' parameter * Utilize the SeAddUserPrivilege for adding users and groups * Fix some of the hard coded _lsa_*() calls * Start work on enough of SAM replication to get privileges from one Samba DC to another. * Come up with some management tool for manipultaing privileges instead of user manager since it is buggy when run on a 2k client (haven't tried xp). Works ok on NT4. (This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c)
2005-01-13 21:20:37 +03:00
{
struct lsa_info *handle;
struct lsa_info *info;
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
/* find the connection policy handle. */
Use pidl for _lsa_OpenAccount(). Guenther (This used to be commit e1968880a88ad2a56c5fef7d416646dcb96965ef)
2008-02-06 21:19:29 +03:00
if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
return NT_STATUS_INVALID_HANDLE;
Fix typos. the user have -> has Karolin (This used to be commit 1ee2ad1051e6076709ef8ed2f45bebff10b0c3cf)
2008-07-18 17:31:36 +04:00
/* check if the user has enough rights */
there is no unknown field in LSA_SEC_QOS some cleanup of the lsa_open_policy and lsa_open_policy2 parser. the length fields are not correct but that's what NT send. We don't anymore underflow or overflow the decoding. added the domain admins group to the default SD. we are now checking the desired access flag in the lsa_open_policy_X() calls and in most functions also. J.F. (This used to be commit a217c4e4ff4d13122703d22258792fe5e8e9f02f)
2001-12-18 02:03:23 +03:00
/*
* I don't know if it's the right one. not documented.
* but guessed with rpcclient.
*/
Use new LSA_POLICY defines in lsa rpc server code and other places. Guenther (This used to be commit 58cca9faf9db506bd2f6eab4a99ef85153797ab2)
2008-02-27 17:49:31 +03:00
if (!(handle->access & LSA_POLICY_GET_PRIVATE_INFORMATION))
there is no unknown field in LSA_SEC_QOS some cleanup of the lsa_open_policy and lsa_open_policy2 parser. the length fields are not correct but that's what NT send. We don't anymore underflow or overflow the decoding. added the domain admins group to the default SD. we are now checking the desired access flag in the lsa_open_policy_X() calls and in most functions also. J.F. (This used to be commit a217c4e4ff4d13122703d22258792fe5e8e9f02f)
2001-12-18 02:03:23 +03:00
return NT_STATUS_ACCESS_DENIED;
r4724: Add support for Windows privileges in Samba 3.0 (based on Simo's code in trunk). Rewritten with the following changes: * privilege set is based on a 32-bit mask instead of strings (plans are to extend this to a 64 or 128-bit mask before the next 3.0.11preX release). * Remove the privilege code from the passdb API (replication to come later) * Only support the minimum amount of privileges that make sense. * Rewrite the domain join checks to use the SeMachineAccountPrivilege instead of the 'is a member of "Domain Admins"?' check that started all this. Still todo: * Utilize the SePrintOperatorPrivilege in addition to the 'printer admin' parameter * Utilize the SeAddUserPrivilege for adding users and groups * Fix some of the hard coded _lsa_*() calls * Start work on enough of SAM replication to get privileges from one Samba DC to another. * Come up with some management tool for manipultaing privileges instead of user manager since it is buggy when run on a 2k client (haven't tried xp). Works ok on NT4. (This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c)
2005-01-13 21:20:37 +03:00
/* TODO: Fis the parsing routine before reenabling this check! */
#if 0
if (!lookup_sid(&handle->sid, dom_name, name, &type))
return NT_STATUS_ACCESS_DENIED;
#endif
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
/* associate the user/group SID with the (unique) handle. */
r4088: Get medieval on our ass about malloc.... :-). Take control of all our allocation functions so we can funnel through some well known functions. Should help greatly with malloc checking. HEAD patch to follow. Jeremy. (This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
2004-12-07 21:25:53 +03:00
if ((info = SMB_MALLOC_P(struct lsa_info)) == NULL)
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
return NT_STATUS_NO_MEMORY;
ZERO_STRUCTP(info);
Use pidl for _lsa_OpenAccount(). Guenther (This used to be commit e1968880a88ad2a56c5fef7d416646dcb96965ef)
2008-02-06 21:19:29 +03:00
info->sid = *r->in.sid;
info->access = r->in.access_mask;
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
/* get a (unique) handle. open a policy on it. */
Testing revealed some errors, reverting some of the lsa changes. Guenther (This used to be commit ac1e4f1eb2c046def4fa30ab0bd98c49add8e8c8)
2008-02-09 03:33:47 +03:00
if (!create_policy_hnd(p, r->out.acct_handle, free_lsa_info, (void *)info))
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
r4724: Add support for Windows privileges in Samba 3.0 (based on Simo's code in trunk). Rewritten with the following changes: * privilege set is based on a 32-bit mask instead of strings (plans are to extend this to a 64 or 128-bit mask before the next 3.0.11preX release). * Remove the privilege code from the passdb API (replication to come later) * Only support the minimum amount of privileges that make sense. * Rewrite the domain join checks to use the SeMachineAccountPrivilege instead of the 'is a member of "Domain Admins"?' check that started all this. Still todo: * Utilize the SePrintOperatorPrivilege in addition to the 'printer admin' parameter * Utilize the SeAddUserPrivilege for adding users and groups * Fix some of the hard coded _lsa_*() calls * Start work on enough of SAM replication to get privileges from one Samba DC to another. * Come up with some management tool for manipultaing privileges instead of user manager since it is buggy when run on a 2k client (haven't tried xp). Works ok on NT4. (This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c)
2005-01-13 21:20:37 +03:00
return NT_STATUS_OK;
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
}
/***************************************************************************
Use pidl for _lsa_EnumPrivsAccount(). Guenther (This used to be commit d7655932a7cb436f1ee44e443882e2f06d598aa0)
2008-02-14 03:53:00 +03:00
_lsa_EnumPrivsAccount
Changed how the privileges are stored in the group mapping code. It's now an array of uint32. That's not perfect but that's better. Added more privileges too. Changed the local_lookup_rid/name functions in passdb.c to check if the group is mapped. Makes the LSA rpc calls return correct groups Corrected the return code in the LSA server code enum_sids. Only enumerate well known aliases if they are mapped to real unix groups. Won't confuse user seeing groups not available. Added a short/long view to smbgroupedit. now decoding rpc calls to add/remove privileges to sid. J.F. (This used to be commit f29774e58973f421bfa163c45bfae201a140f28c)
2001-11-23 18:11:22 +03:00
For a given SID, enumerate all the privilege this account has.
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
***************************************************************************/
Use pidl for _lsa_EnumPrivsAccount(). Guenther (This used to be commit d7655932a7cb436f1ee44e443882e2f06d598aa0)
2008-02-14 03:53:00 +03:00
NTSTATUS _lsa_EnumPrivsAccount(pipes_struct *p,
struct lsa_EnumPrivsAccount *r)
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
{
Use pidl for _lsa_EnumPrivsAccount(). Guenther (This used to be commit d7655932a7cb436f1ee44e443882e2f06d598aa0)
2008-02-14 03:53:00 +03:00
NTSTATUS status = NT_STATUS_OK;
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
struct lsa_info *info=NULL;
r4805: Last planned change to the privileges infrastructure: * rewrote the tdb layout of privilege records in account_pol.tdb (allow for 128 bits instead of 32 bit flags) * migrated to using SE_PRIV structure instead of the PRIVILEGE_SET structure. The latter is now used for parsing routines mainly. Still need to incorporate some client support into 'net' so for setting privileges. And make use of the SeAddUserPrivilege right. (This used to be commit 41dc7f7573c6d637e19a01e7ed0e716ac0f1fb15)
2005-01-17 18:23:11 +03:00
SE_PRIV mask;
PRIVILEGE_SET privileges;
Use pidl for _lsa_EnumPrivsAccount(). Guenther (This used to be commit d7655932a7cb436f1ee44e443882e2f06d598aa0)
2008-02-14 03:53:00 +03:00
struct lsa_PrivilegeSet *priv_set = NULL;
struct lsa_LUIDAttribute *luid_attrs = NULL;
int i;
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
/* find the connection policy handle. */
Use pidl for _lsa_EnumPrivsAccount(). Guenther (This used to be commit d7655932a7cb436f1ee44e443882e2f06d598aa0)
2008-02-14 03:53:00 +03:00
if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
return NT_STATUS_INVALID_HANDLE;
Unify access checks for lsa server functions. Jeremy.
2008-10-18 02:24:15 +04:00
if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
return NT_STATUS_ACCESS_DENIED;
Use pidl for _lsa_EnumPrivsAccount(). Guenther (This used to be commit d7655932a7cb436f1ee44e443882e2f06d598aa0)
2008-02-14 03:53:00 +03:00
if ( !get_privileges_for_sids( &mask, &info->sid, 1 ) )
r4805: Last planned change to the privileges infrastructure: * rewrote the tdb layout of privilege records in account_pol.tdb (allow for 128 bits instead of 32 bit flags) * migrated to using SE_PRIV structure instead of the PRIVILEGE_SET structure. The latter is now used for parsing routines mainly. Still need to incorporate some client support into 'net' so for setting privileges. And make use of the SeAddUserPrivilege right. (This used to be commit 41dc7f7573c6d637e19a01e7ed0e716ac0f1fb15)
2005-01-17 18:23:11 +03:00
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
r4805: Last planned change to the privileges infrastructure: * rewrote the tdb layout of privilege records in account_pol.tdb (allow for 128 bits instead of 32 bit flags) * migrated to using SE_PRIV structure instead of the PRIVILEGE_SET structure. The latter is now used for parsing routines mainly. Still need to incorporate some client support into 'net' so for setting privileges. And make use of the SeAddUserPrivilege right. (This used to be commit 41dc7f7573c6d637e19a01e7ed0e716ac0f1fb15)
2005-01-17 18:23:11 +03:00
privilege_set_init( &privileges );
Changed again how the privilege list is handled in the group mapping code. This time it's a PRIVILEGE_SET struct instead of a simple uint32 array. It makes much more sense. Also added a uint32 systemaccount to the GROUP_MAP struct as some privilege showing in USRMGR.EXE are not real privs but a bitmask flag. I guess it's an heritage from NT 3.0 ! I could setup an NT 3.1 box to verify, but I'm too lazy (yes I still have my CDs). Added 3 more LSA calls: SetSystemAccount, AddPrivileges and RemovePrivileges, we can manage all this privilege from UserManager. Time to change the NT_USER_TOKEN struct and add checks in all the rpc functions. Fun, fun, fun. J.F. (This used to be commit 3f0a9ef2b8c626cfa2878394bb7b642342342bf3)
2001-11-29 19:05:05 +03:00
r4805: Last planned change to the privileges infrastructure: * rewrote the tdb layout of privilege records in account_pol.tdb (allow for 128 bits instead of 32 bit flags) * migrated to using SE_PRIV structure instead of the PRIVILEGE_SET structure. The latter is now used for parsing routines mainly. Still need to incorporate some client support into 'net' so for setting privileges. And make use of the SeAddUserPrivilege right. (This used to be commit 41dc7f7573c6d637e19a01e7ed0e716ac0f1fb15)
2005-01-17 18:23:11 +03:00
if ( se_priv_to_privilege_set( &privileges, &mask ) ) {
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
Use pidl for _lsa_EnumPrivsAccount(). Guenther (This used to be commit d7655932a7cb436f1ee44e443882e2f06d598aa0)
2008-02-14 03:53:00 +03:00
DEBUG(10,("_lsa_EnumPrivsAccount: %s has %d privileges\n",
Replace sid_string_static by sid_string_dbg in DEBUGs (This used to be commit bb35e794ec129805e874ceba882bcc1e84791a09)
2007-12-15 23:11:36 +03:00
sid_string_dbg(&info->sid),
privileges.count));
Ok, this patch removes the privilege stuff we had in, unused, for some time. The code was nice, but put in the wrong place (group mapping) and not supported by most of the code, thus useless. We will put back most of the code when our infrastructure will be changed so that privileges actually really make sense to be set. This is a first patch of a set to enhance all our mapping code cleaness and stability towards a sane next beta for 3.0 code base Simo. (This used to be commit e341e7c49f8c17a9ee30ca3fab3aa0397c1f0c7e)
2003-06-18 19:24:10 +04:00
Use pidl for _lsa_EnumPrivsAccount(). Guenther (This used to be commit d7655932a7cb436f1ee44e443882e2f06d598aa0)
2008-02-14 03:53:00 +03:00
priv_set = TALLOC_ZERO_P(p->mem_ctx, struct lsa_PrivilegeSet);
if (!priv_set) {
status = NT_STATUS_NO_MEMORY;
goto done;
}
luid_attrs = TALLOC_ZERO_ARRAY(p->mem_ctx,
struct lsa_LUIDAttribute,
privileges.count);
if (!luid_attrs) {
status = NT_STATUS_NO_MEMORY;
goto done;
}
for (i=0; i<privileges.count; i++) {
luid_attrs[i].luid.low = privileges.set[i].luid.low;
luid_attrs[i].luid.high = privileges.set[i].luid.high;
luid_attrs[i].attribute = privileges.set[i].attr;
}
priv_set->count = privileges.count;
priv_set->unknown = 0;
priv_set->set = luid_attrs;
*r->out.privs = priv_set;
} else {
status = NT_STATUS_NO_SUCH_PRIVILEGE;
r4805: Last planned change to the privileges infrastructure: * rewrote the tdb layout of privilege records in account_pol.tdb (allow for 128 bits instead of 32 bit flags) * migrated to using SE_PRIV structure instead of the PRIVILEGE_SET structure. The latter is now used for parsing routines mainly. Still need to incorporate some client support into 'net' so for setting privileges. And make use of the SeAddUserPrivilege right. (This used to be commit 41dc7f7573c6d637e19a01e7ed0e716ac0f1fb15)
2005-01-17 18:23:11 +03:00
}
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
Use pidl for _lsa_EnumPrivsAccount(). Guenther (This used to be commit d7655932a7cb436f1ee44e443882e2f06d598aa0)
2008-02-14 03:53:00 +03:00
done:
r4805: Last planned change to the privileges infrastructure: * rewrote the tdb layout of privilege records in account_pol.tdb (allow for 128 bits instead of 32 bit flags) * migrated to using SE_PRIV structure instead of the PRIVILEGE_SET structure. The latter is now used for parsing routines mainly. Still need to incorporate some client support into 'net' so for setting privileges. And make use of the SeAddUserPrivilege right. (This used to be commit 41dc7f7573c6d637e19a01e7ed0e716ac0f1fb15)
2005-01-17 18:23:11 +03:00
privilege_set_free( &privileges );
Use pidl for _lsa_EnumPrivsAccount(). Guenther (This used to be commit d7655932a7cb436f1ee44e443882e2f06d598aa0)
2008-02-14 03:53:00 +03:00
return status;
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
}
/***************************************************************************
Use pidl for _lsa_GetSystemAccessAccount(). Guenther (This used to be commit aaf662a724f1bae5333666caf8b2fbe908f13992)
2008-02-08 20:54:02 +03:00
_lsa_GetSystemAccessAccount
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
***************************************************************************/
Use pidl for _lsa_GetSystemAccessAccount(). Guenther (This used to be commit aaf662a724f1bae5333666caf8b2fbe908f13992)
2008-02-08 20:54:02 +03:00
NTSTATUS _lsa_GetSystemAccessAccount(pipes_struct *p,
struct lsa_GetSystemAccessAccount *r)
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
{
Changed again how the privilege list is handled in the group mapping code. This time it's a PRIVILEGE_SET struct instead of a simple uint32 array. It makes much more sense. Also added a uint32 systemaccount to the GROUP_MAP struct as some privilege showing in USRMGR.EXE are not real privs but a bitmask flag. I guess it's an heritage from NT 3.0 ! I could setup an NT 3.1 box to verify, but I'm too lazy (yes I still have my CDs). Added 3 more LSA calls: SetSystemAccount, AddPrivileges and RemovePrivileges, we can manage all this privilege from UserManager. Time to change the NT_USER_TOKEN struct and add checks in all the rpc functions. Fun, fun, fun. J.F. (This used to be commit 3f0a9ef2b8c626cfa2878394bb7b642342342bf3)
2001-11-29 19:05:05 +03:00
struct lsa_info *info=NULL;
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
/* find the connection policy handle. */
r4724: Add support for Windows privileges in Samba 3.0 (based on Simo's code in trunk). Rewritten with the following changes: * privilege set is based on a 32-bit mask instead of strings (plans are to extend this to a 64 or 128-bit mask before the next 3.0.11preX release). * Remove the privilege code from the passdb API (replication to come later) * Only support the minimum amount of privileges that make sense. * Rewrite the domain join checks to use the SeMachineAccountPrivilege instead of the 'is a member of "Domain Admins"?' check that started all this. Still todo: * Utilize the SePrintOperatorPrivilege in addition to the 'printer admin' parameter * Utilize the SeAddUserPrivilege for adding users and groups * Fix some of the hard coded _lsa_*() calls * Start work on enough of SAM replication to get privileges from one Samba DC to another. * Come up with some management tool for manipultaing privileges instead of user manager since it is buggy when run on a 2k client (haven't tried xp). Works ok on NT4. (This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c)
2005-01-13 21:20:37 +03:00
Use pidl for _lsa_GetSystemAccessAccount(). Guenther (This used to be commit aaf662a724f1bae5333666caf8b2fbe908f13992)
2008-02-08 20:54:02 +03:00
if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
return NT_STATUS_INVALID_HANDLE;
Unify access checks for lsa server functions. Jeremy.
2008-10-18 02:24:15 +04:00
if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
return NT_STATUS_ACCESS_DENIED;
r12051: Merge across the lookup_name and lookup_sid work. Lets see how the build farm reacts :-) Volker (This used to be commit 9f99d04a54588cd9d1a1ab163ebb304437f932f7)
2005-12-03 21:34:13 +03:00
if (!lookup_sid(p->mem_ctx, &info->sid, NULL, NULL, NULL))
[GLUE] Rsync SAMBA_3_2_0 SVN r25598 in order to create the v3-2-test branch. (This used to be commit 5c6c8e1fe93f340005110a7833946191659d88ab)
2007-10-11 00:34:30 +04:00
return NT_STATUS_ACCESS_DENIED;
Changed again how the privilege list is handled in the group mapping code. This time it's a PRIVILEGE_SET struct instead of a simple uint32 array. It makes much more sense. Also added a uint32 systemaccount to the GROUP_MAP struct as some privilege showing in USRMGR.EXE are not real privs but a bitmask flag. I guess it's an heritage from NT 3.0 ! I could setup an NT 3.1 box to verify, but I'm too lazy (yes I still have my CDs). Added 3 more LSA calls: SetSystemAccount, AddPrivileges and RemovePrivileges, we can manage all this privilege from UserManager. Time to change the NT_USER_TOKEN struct and add checks in all the rpc functions. Fun, fun, fun. J.F. (This used to be commit 3f0a9ef2b8c626cfa2878394bb7b642342342bf3)
2001-11-29 19:05:05 +03:00
/*
0x01 -> Log on locally
0x02 -> Access this computer from network
0x04 -> Log on as a batch job
0x10 -> Log on as a service
Remove white space. Guenther (This used to be commit a33ed085094b200e153939cb1b02e567f07b1e50)
2008-02-14 15:12:28 +03:00
Changed again how the privilege list is handled in the group mapping code. This time it's a PRIVILEGE_SET struct instead of a simple uint32 array. It makes much more sense. Also added a uint32 systemaccount to the GROUP_MAP struct as some privilege showing in USRMGR.EXE are not real privs but a bitmask flag. I guess it's an heritage from NT 3.0 ! I could setup an NT 3.1 box to verify, but I'm too lazy (yes I still have my CDs). Added 3 more LSA calls: SetSystemAccount, AddPrivileges and RemovePrivileges, we can manage all this privilege from UserManager. Time to change the NT_USER_TOKEN struct and add checks in all the rpc functions. Fun, fun, fun. J.F. (This used to be commit 3f0a9ef2b8c626cfa2878394bb7b642342342bf3)
2001-11-29 19:05:05 +03:00
they can be ORed together
*/
Use pidl for _lsa_GetSystemAccessAccount(). Guenther (This used to be commit aaf662a724f1bae5333666caf8b2fbe908f13992)
2008-02-08 20:54:02 +03:00
*r->out.access_mask = PR_LOG_ON_LOCALLY | PR_ACCESS_FROM_NETWORK;
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
r4724: Add support for Windows privileges in Samba 3.0 (based on Simo's code in trunk). Rewritten with the following changes: * privilege set is based on a 32-bit mask instead of strings (plans are to extend this to a 64 or 128-bit mask before the next 3.0.11preX release). * Remove the privilege code from the passdb API (replication to come later) * Only support the minimum amount of privileges that make sense. * Rewrite the domain join checks to use the SeMachineAccountPrivilege instead of the 'is a member of "Domain Admins"?' check that started all this. Still todo: * Utilize the SePrintOperatorPrivilege in addition to the 'printer admin' parameter * Utilize the SeAddUserPrivilege for adding users and groups * Fix some of the hard coded _lsa_*() calls * Start work on enough of SAM replication to get privileges from one Samba DC to another. * Come up with some management tool for manipultaing privileges instead of user manager since it is buggy when run on a 2k client (haven't tried xp). Works ok on NT4. (This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c)
2005-01-13 21:20:37 +03:00
return NT_STATUS_OK;
implement: LSA_ENUM_PRIVS LSA_PRIV_GET_DISPNAME LSA_ENUM_ACCOUNTS LSA_OPENACCOUNT LSA_ENUMPRIVSACCOUNT LSA_GETSYSTEMACCOUNT It's a work in progress. nobody should expect it to work J.F. (This used to be commit 3056357cd8d4b2460f73ba8a8931a143f07fa2a6)
2001-07-09 22:32:54 +04:00
}
Changed again how the privilege list is handled in the group mapping code. This time it's a PRIVILEGE_SET struct instead of a simple uint32 array. It makes much more sense. Also added a uint32 systemaccount to the GROUP_MAP struct as some privilege showing in USRMGR.EXE are not real privs but a bitmask flag. I guess it's an heritage from NT 3.0 ! I could setup an NT 3.1 box to verify, but I'm too lazy (yes I still have my CDs). Added 3 more LSA calls: SetSystemAccount, AddPrivileges and RemovePrivileges, we can manage all this privilege from UserManager. Time to change the NT_USER_TOKEN struct and add checks in all the rpc functions. Fun, fun, fun. J.F. (This used to be commit 3f0a9ef2b8c626cfa2878394bb7b642342342bf3)
2001-11-29 19:05:05 +03:00
/***************************************************************************
update the systemaccount information
***************************************************************************/
Use pidl for _lsa_SetSystemAccessAccount(). Guenther (This used to be commit 478612b79d11fa1ad3bf16e317d63c2a00e1957a)
2008-02-08 20:32:05 +03:00
NTSTATUS _lsa_SetSystemAccessAccount(pipes_struct *p,
struct lsa_SetSystemAccessAccount *r)
Changed again how the privilege list is handled in the group mapping code. This time it's a PRIVILEGE_SET struct instead of a simple uint32 array. It makes much more sense. Also added a uint32 systemaccount to the GROUP_MAP struct as some privilege showing in USRMGR.EXE are not real privs but a bitmask flag. I guess it's an heritage from NT 3.0 ! I could setup an NT 3.1 box to verify, but I'm too lazy (yes I still have my CDs). Added 3 more LSA calls: SetSystemAccount, AddPrivileges and RemovePrivileges, we can manage all this privilege from UserManager. Time to change the NT_USER_TOKEN struct and add checks in all the rpc functions. Fun, fun, fun. J.F. (This used to be commit 3f0a9ef2b8c626cfa2878394bb7b642342342bf3)
2001-11-29 19:05:05 +03:00
{
struct lsa_info *info=NULL;
GROUP_MAP map;
/* find the connection policy handle. */
Use pidl for _lsa_SetSystemAccessAccount(). Guenther (This used to be commit 478612b79d11fa1ad3bf16e317d63c2a00e1957a)
2008-02-08 20:32:05 +03:00
if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
Changed again how the privilege list is handled in the group mapping code. This time it's a PRIVILEGE_SET struct instead of a simple uint32 array. It makes much more sense. Also added a uint32 systemaccount to the GROUP_MAP struct as some privilege showing in USRMGR.EXE are not real privs but a bitmask flag. I guess it's an heritage from NT 3.0 ! I could setup an NT 3.1 box to verify, but I'm too lazy (yes I still have my CDs). Added 3 more LSA calls: SetSystemAccount, AddPrivileges and RemovePrivileges, we can manage all this privilege from UserManager. Time to change the NT_USER_TOKEN struct and add checks in all the rpc functions. Fun, fun, fun. J.F. (This used to be commit 3f0a9ef2b8c626cfa2878394bb7b642342342bf3)
2001-11-29 19:05:05 +03:00
return NT_STATUS_INVALID_HANDLE;
Remove white space. Guenther (This used to be commit a33ed085094b200e153939cb1b02e567f07b1e50)
2008-02-14 15:12:28 +03:00
/* check to see if the pipe_user is a Domain Admin since
r4739: require membership in Domain Admins to be able to set privileges (This used to be commit e8b4cedc2081eeff53d86c2d894632e57a17926f)
2005-01-15 00:05:54 +03:00
account_pol.tdb was already opened as root, this is all we have */
Remove white space. Guenther (This used to be commit a33ed085094b200e153939cb1b02e567f07b1e50)
2008-02-14 15:12:28 +03:00
Unify access checks for lsa server functions. Jeremy.
2008-10-18 02:24:15 +04:00
if ( p->pipe_user.ut.uid != sec_initial_uid()
&& !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
r4739: require membership in Domain Admins to be able to set privileges (This used to be commit e8b4cedc2081eeff53d86c2d894632e57a17926f)
2005-01-15 00:05:54 +03:00
return NT_STATUS_ACCESS_DENIED;
r17554: Cleanup (This used to be commit 761cbd52f0cff6b864c506ec03c94039b6101ef9)
2006-08-15 18:07:15 +04:00
if (!pdb_getgrsid(&map, info->sid))
Changed again how the privilege list is handled in the group mapping code. This time it's a PRIVILEGE_SET struct instead of a simple uint32 array. It makes much more sense. Also added a uint32 systemaccount to the GROUP_MAP struct as some privilege showing in USRMGR.EXE are not real privs but a bitmask flag. I guess it's an heritage from NT 3.0 ! I could setup an NT 3.1 box to verify, but I'm too lazy (yes I still have my CDs). Added 3 more LSA calls: SetSystemAccount, AddPrivileges and RemovePrivileges, we can manage all this privilege from UserManager. Time to change the NT_USER_TOKEN struct and add checks in all the rpc functions. Fun, fun, fun. J.F. (This used to be commit 3f0a9ef2b8c626cfa2878394bb7b642342342bf3)
2001-11-29 19:05:05 +03:00
return NT_STATUS_NO_SUCH_GROUP;
r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2006-02-04 01:19:41 +03:00
return pdb_update_group_mapping_entry(&map);
Changed again how the privilege list is handled in the group mapping code. This time it's a PRIVILEGE_SET struct instead of a simple uint32 array. It makes much more sense. Also added a uint32 systemaccount to the GROUP_MAP struct as some privilege showing in USRMGR.EXE are not real privs but a bitmask flag. I guess it's an heritage from NT 3.0 ! I could setup an NT 3.1 box to verify, but I'm too lazy (yes I still have my CDs). Added 3 more LSA calls: SetSystemAccount, AddPrivileges and RemovePrivileges, we can manage all this privilege from UserManager. Time to change the NT_USER_TOKEN struct and add checks in all the rpc functions. Fun, fun, fun. J.F. (This used to be commit 3f0a9ef2b8c626cfa2878394bb7b642342342bf3)
2001-11-29 19:05:05 +03:00
}
/***************************************************************************
Use pidl for _lsa_AddPrivilegesToAccount and _lsa_RemovePrivilegesFromAccount. Guenther (This used to be commit 0c9904864b5c3b893f99abdebb18d9624aa0f560)
2008-02-14 15:50:32 +03:00
_lsa_AddPrivilegesToAccount
Changed again how the privilege list is handled in the group mapping code. This time it's a PRIVILEGE_SET struct instead of a simple uint32 array. It makes much more sense. Also added a uint32 systemaccount to the GROUP_MAP struct as some privilege showing in USRMGR.EXE are not real privs but a bitmask flag. I guess it's an heritage from NT 3.0 ! I could setup an NT 3.1 box to verify, but I'm too lazy (yes I still have my CDs). Added 3 more LSA calls: SetSystemAccount, AddPrivileges and RemovePrivileges, we can manage all this privilege from UserManager. Time to change the NT_USER_TOKEN struct and add checks in all the rpc functions. Fun, fun, fun. J.F. (This used to be commit 3f0a9ef2b8c626cfa2878394bb7b642342342bf3)
2001-11-29 19:05:05 +03:00
For a given SID, add some privileges.
***************************************************************************/
Use pidl for _lsa_AddPrivilegesToAccount and _lsa_RemovePrivilegesFromAccount. Guenther (This used to be commit 0c9904864b5c3b893f99abdebb18d9624aa0f560)
2008-02-14 15:50:32 +03:00
NTSTATUS _lsa_AddPrivilegesToAccount(pipes_struct *p,
struct lsa_AddPrivilegesToAccount *r)
Changed again how the privilege list is handled in the group mapping code. This time it's a PRIVILEGE_SET struct instead of a simple uint32 array. It makes much more sense. Also added a uint32 systemaccount to the GROUP_MAP struct as some privilege showing in USRMGR.EXE are not real privs but a bitmask flag. I guess it's an heritage from NT 3.0 ! I could setup an NT 3.1 box to verify, but I'm too lazy (yes I still have my CDs). Added 3 more LSA calls: SetSystemAccount, AddPrivileges and RemovePrivileges, we can manage all this privilege from UserManager. Time to change the NT_USER_TOKEN struct and add checks in all the rpc functions. Fun, fun, fun. J.F. (This used to be commit 3f0a9ef2b8c626cfa2878394bb7b642342342bf3)
2001-11-29 19:05:05 +03:00
{
split some security related functions in their own files. (no need to include all of smbd files to use some basic sec functions) also minor compile fixes couldn't compile to test these due to some kerberos problems wirh 3.0, but on HEAD they're working well, so I suppose it's ok to commit (This used to be commit c78f2d0bd15ecd2ba643bb141cc35a3405787aa1)
2003-10-06 05:38:46 +04:00
struct lsa_info *info = NULL;
r4805: Last planned change to the privileges infrastructure: * rewrote the tdb layout of privilege records in account_pol.tdb (allow for 128 bits instead of 32 bit flags) * migrated to using SE_PRIV structure instead of the PRIVILEGE_SET structure. The latter is now used for parsing routines mainly. Still need to incorporate some client support into 'net' so for setting privileges. And make use of the SeAddUserPrivilege right. (This used to be commit 41dc7f7573c6d637e19a01e7ed0e716ac0f1fb15)
2005-01-17 18:23:11 +03:00
SE_PRIV mask;
Use pidl for _lsa_AddPrivilegesToAccount and _lsa_RemovePrivilegesFromAccount. Guenther (This used to be commit 0c9904864b5c3b893f99abdebb18d9624aa0f560)
2008-02-14 15:50:32 +03:00
struct lsa_PrivilegeSet *set = NULL;
Changed again how the privilege list is handled in the group mapping code. This time it's a PRIVILEGE_SET struct instead of a simple uint32 array. It makes much more sense. Also added a uint32 systemaccount to the GROUP_MAP struct as some privilege showing in USRMGR.EXE are not real privs but a bitmask flag. I guess it's an heritage from NT 3.0 ! I could setup an NT 3.1 box to verify, but I'm too lazy (yes I still have my CDs). Added 3 more LSA calls: SetSystemAccount, AddPrivileges and RemovePrivileges, we can manage all this privilege from UserManager. Time to change the NT_USER_TOKEN struct and add checks in all the rpc functions. Fun, fun, fun. J.F. (This used to be commit 3f0a9ef2b8c626cfa2878394bb7b642342342bf3)
2001-11-29 19:05:05 +03:00
/* find the connection policy handle. */
Use pidl for _lsa_AddPrivilegesToAccount and _lsa_RemovePrivilegesFromAccount. Guenther (This used to be commit 0c9904864b5c3b893f99abdebb18d9624aa0f560)
2008-02-14 15:50:32 +03:00
if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
Changed again how the privilege list is handled in the group mapping code. This time it's a PRIVILEGE_SET struct instead of a simple uint32 array. It makes much more sense. Also added a uint32 systemaccount to the GROUP_MAP struct as some privilege showing in USRMGR.EXE are not real privs but a bitmask flag. I guess it's an heritage from NT 3.0 ! I could setup an NT 3.1 box to verify, but I'm too lazy (yes I still have my CDs). Added 3 more LSA calls: SetSystemAccount, AddPrivileges and RemovePrivileges, we can manage all this privilege from UserManager. Time to change the NT_USER_TOKEN struct and add checks in all the rpc functions. Fun, fun, fun. J.F. (This used to be commit 3f0a9ef2b8c626cfa2878394bb7b642342342bf3)
2001-11-29 19:05:05 +03:00
return NT_STATUS_INVALID_HANDLE;
Remove white space. Guenther (This used to be commit a33ed085094b200e153939cb1b02e567f07b1e50)
2008-02-14 15:12:28 +03:00
/* check to see if the pipe_user is root or a Domain Admin since
r4739: require membership in Domain Admins to be able to set privileges (This used to be commit e8b4cedc2081eeff53d86c2d894632e57a17926f)
2005-01-15 00:05:54 +03:00
account_pol.tdb was already opened as root, this is all we have */
Remove white space. Guenther (This used to be commit a33ed085094b200e153939cb1b02e567f07b1e50)
2008-02-14 15:12:28 +03:00
if ( p->pipe_user.ut.uid != sec_initial_uid()
r5056: * correct STANDARD_RIGHTS_WRITE_ACCESS bitmask define * make sure to apply the rights_mask and not just the saved bits from the mask in access_check_samr_object() * allow root to grant/revoke privileges (in addition to Domain Admins) as suggested by Volker. Tested machine joins from XP, 2K, and NT4 with and without pre-existing machine trust accounts. Also tested basic file operations using cmd.exe and explorer.exe after changing the STANDARD_RIGHTS_WRITE_ACCESS bitmask. (This used to be commit c0e7f7ff60a4110809b8f500fdc68a1bf963da36)
2005-01-28 19:55:09 +03:00
&& !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
{
r4739: require membership in Domain Admins to be able to set privileges (This used to be commit e8b4cedc2081eeff53d86c2d894632e57a17926f)
2005-01-15 00:05:54 +03:00
return NT_STATUS_ACCESS_DENIED;
r5056: * correct STANDARD_RIGHTS_WRITE_ACCESS bitmask define * make sure to apply the rights_mask and not just the saved bits from the mask in access_check_samr_object() * allow root to grant/revoke privileges (in addition to Domain Admins) as suggested by Volker. Tested machine joins from XP, 2K, and NT4 with and without pre-existing machine trust accounts. Also tested basic file operations using cmd.exe and explorer.exe after changing the STANDARD_RIGHTS_WRITE_ACCESS bitmask. (This used to be commit c0e7f7ff60a4110809b8f500fdc68a1bf963da36)
2005-01-28 19:55:09 +03:00
}
Changed again how the privilege list is handled in the group mapping code. This time it's a PRIVILEGE_SET struct instead of a simple uint32 array. It makes much more sense. Also added a uint32 systemaccount to the GROUP_MAP struct as some privilege showing in USRMGR.EXE are not real privs but a bitmask flag. I guess it's an heritage from NT 3.0 ! I could setup an NT 3.1 box to verify, but I'm too lazy (yes I still have my CDs). Added 3 more LSA calls: SetSystemAccount, AddPrivileges and RemovePrivileges, we can manage all this privilege from UserManager. Time to change the NT_USER_TOKEN struct and add checks in all the rpc functions. Fun, fun, fun. J.F. (This used to be commit 3f0a9ef2b8c626cfa2878394bb7b642342342bf3)
2001-11-29 19:05:05 +03:00
Use pidl for _lsa_AddPrivilegesToAccount and _lsa_RemovePrivilegesFromAccount. Guenther (This used to be commit 0c9904864b5c3b893f99abdebb18d9624aa0f560)
2008-02-14 15:50:32 +03:00
set = r->in.privs;
r4805: Last planned change to the privileges infrastructure: * rewrote the tdb layout of privilege records in account_pol.tdb (allow for 128 bits instead of 32 bit flags) * migrated to using SE_PRIV structure instead of the PRIVILEGE_SET structure. The latter is now used for parsing routines mainly. Still need to incorporate some client support into 'net' so for setting privileges. And make use of the SeAddUserPrivilege right. (This used to be commit 41dc7f7573c6d637e19a01e7ed0e716ac0f1fb15)
2005-01-17 18:23:11 +03:00
if ( !privilege_set_to_se_priv( &mask, set ) )
return NT_STATUS_NO_SUCH_PRIVILEGE;
r4724: Add support for Windows privileges in Samba 3.0 (based on Simo's code in trunk). Rewritten with the following changes: * privilege set is based on a 32-bit mask instead of strings (plans are to extend this to a 64 or 128-bit mask before the next 3.0.11preX release). * Remove the privilege code from the passdb API (replication to come later) * Only support the minimum amount of privileges that make sense. * Rewrite the domain join checks to use the SeMachineAccountPrivilege instead of the 'is a member of "Domain Admins"?' check that started all this. Still todo: * Utilize the SePrintOperatorPrivilege in addition to the 'printer admin' parameter * Utilize the SeAddUserPrivilege for adding users and groups * Fix some of the hard coded _lsa_*() calls * Start work on enough of SAM replication to get privileges from one Samba DC to another. * Come up with some management tool for manipultaing privileges instead of user manager since it is buggy when run on a 2k client (haven't tried xp). Works ok on NT4. (This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c)
2005-01-13 21:20:37 +03:00
r4805: Last planned change to the privileges infrastructure: * rewrote the tdb layout of privilege records in account_pol.tdb (allow for 128 bits instead of 32 bit flags) * migrated to using SE_PRIV structure instead of the PRIVILEGE_SET structure. The latter is now used for parsing routines mainly. Still need to incorporate some client support into 'net' so for setting privileges. And make use of the SeAddUserPrivilege right. (This used to be commit 41dc7f7573c6d637e19a01e7ed0e716ac0f1fb15)
2005-01-17 18:23:11 +03:00
if ( !grant_privilege( &info->sid, &mask ) ) {
Use pidl for _lsa_AddPrivilegesToAccount and _lsa_RemovePrivilegesFromAccount. Guenther (This used to be commit 0c9904864b5c3b893f99abdebb18d9624aa0f560)
2008-02-14 15:50:32 +03:00
DEBUG(3,("_lsa_AddPrivilegesToAccount: grant_privilege(%s) failed!\n",
Replace sid_string_static by sid_string_dbg in DEBUGs (This used to be commit bb35e794ec129805e874ceba882bcc1e84791a09)
2007-12-15 23:11:36 +03:00
sid_string_dbg(&info->sid) ));
r4805: Last planned change to the privileges infrastructure: * rewrote the tdb layout of privilege records in account_pol.tdb (allow for 128 bits instead of 32 bit flags) * migrated to using SE_PRIV structure instead of the PRIVILEGE_SET structure. The latter is now used for parsing routines mainly. Still need to incorporate some client support into 'net' so for setting privileges. And make use of the SeAddUserPrivilege right. (This used to be commit 41dc7f7573c6d637e19a01e7ed0e716ac0f1fb15)
2005-01-17 18:23:11 +03:00
DEBUG(3,("Privilege mask:\n"));
dump_se_priv( DBGC_ALL, 3, &mask );
return NT_STATUS_NO_SUCH_PRIVILEGE;
Changed again how the privilege list is handled in the group mapping code. This time it's a PRIVILEGE_SET struct instead of a simple uint32 array. It makes much more sense. Also added a uint32 systemaccount to the GROUP_MAP struct as some privilege showing in USRMGR.EXE are not real privs but a bitmask flag. I guess it's an heritage from NT 3.0 ! I could setup an NT 3.1 box to verify, but I'm too lazy (yes I still have my CDs). Added 3 more LSA calls: SetSystemAccount, AddPrivileges and RemovePrivileges, we can manage all this privilege from UserManager. Time to change the NT_USER_TOKEN struct and add checks in all the rpc functions. Fun, fun, fun. J.F. (This used to be commit 3f0a9ef2b8c626cfa2878394bb7b642342342bf3)
2001-11-29 19:05:05 +03:00
}
r4724: Add support for Windows privileges in Samba 3.0 (based on Simo's code in trunk). Rewritten with the following changes: * privilege set is based on a 32-bit mask instead of strings (plans are to extend this to a 64 or 128-bit mask before the next 3.0.11preX release). * Remove the privilege code from the passdb API (replication to come later) * Only support the minimum amount of privileges that make sense. * Rewrite the domain join checks to use the SeMachineAccountPrivilege instead of the 'is a member of "Domain Admins"?' check that started all this. Still todo: * Utilize the SePrintOperatorPrivilege in addition to the 'printer admin' parameter * Utilize the SeAddUserPrivilege for adding users and groups * Fix some of the hard coded _lsa_*() calls * Start work on enough of SAM replication to get privileges from one Samba DC to another. * Come up with some management tool for manipultaing privileges instead of user manager since it is buggy when run on a 2k client (haven't tried xp). Works ok on NT4. (This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c)
2005-01-13 21:20:37 +03:00
return NT_STATUS_OK;
Changed again how the privilege list is handled in the group mapping code. This time it's a PRIVILEGE_SET struct instead of a simple uint32 array. It makes much more sense. Also added a uint32 systemaccount to the GROUP_MAP struct as some privilege showing in USRMGR.EXE are not real privs but a bitmask flag. I guess it's an heritage from NT 3.0 ! I could setup an NT 3.1 box to verify, but I'm too lazy (yes I still have my CDs). Added 3 more LSA calls: SetSystemAccount, AddPrivileges and RemovePrivileges, we can manage all this privilege from UserManager. Time to change the NT_USER_TOKEN struct and add checks in all the rpc functions. Fun, fun, fun. J.F. (This used to be commit 3f0a9ef2b8c626cfa2878394bb7b642342342bf3)
2001-11-29 19:05:05 +03:00
}
/***************************************************************************
Use pidl for _lsa_AddPrivilegesToAccount and _lsa_RemovePrivilegesFromAccount. Guenther (This used to be commit 0c9904864b5c3b893f99abdebb18d9624aa0f560)
2008-02-14 15:50:32 +03:00
_lsa_RemovePrivilegesFromAccount
Changed again how the privilege list is handled in the group mapping code. This time it's a PRIVILEGE_SET struct instead of a simple uint32 array. It makes much more sense. Also added a uint32 systemaccount to the GROUP_MAP struct as some privilege showing in USRMGR.EXE are not real privs but a bitmask flag. I guess it's an heritage from NT 3.0 ! I could setup an NT 3.1 box to verify, but I'm too lazy (yes I still have my CDs). Added 3 more LSA calls: SetSystemAccount, AddPrivileges and RemovePrivileges, we can manage all this privilege from UserManager. Time to change the NT_USER_TOKEN struct and add checks in all the rpc functions. Fun, fun, fun. J.F. (This used to be commit 3f0a9ef2b8c626cfa2878394bb7b642342342bf3)
2001-11-29 19:05:05 +03:00
For a given SID, remove some privileges.
***************************************************************************/
Use pidl for _lsa_AddPrivilegesToAccount and _lsa_RemovePrivilegesFromAccount. Guenther (This used to be commit 0c9904864b5c3b893f99abdebb18d9624aa0f560)
2008-02-14 15:50:32 +03:00
NTSTATUS _lsa_RemovePrivilegesFromAccount(pipes_struct *p,
struct lsa_RemovePrivilegesFromAccount *r)
Changed again how the privilege list is handled in the group mapping code. This time it's a PRIVILEGE_SET struct instead of a simple uint32 array. It makes much more sense. Also added a uint32 systemaccount to the GROUP_MAP struct as some privilege showing in USRMGR.EXE are not real privs but a bitmask flag. I guess it's an heritage from NT 3.0 ! I could setup an NT 3.1 box to verify, but I'm too lazy (yes I still have my CDs). Added 3 more LSA calls: SetSystemAccount, AddPrivileges and RemovePrivileges, we can manage all this privilege from UserManager. Time to change the NT_USER_TOKEN struct and add checks in all the rpc functions. Fun, fun, fun. J.F. (This used to be commit 3f0a9ef2b8c626cfa2878394bb7b642342342bf3)
2001-11-29 19:05:05 +03:00
{
split some security related functions in their own files. (no need to include all of smbd files to use some basic sec functions) also minor compile fixes couldn't compile to test these due to some kerberos problems wirh 3.0, but on HEAD they're working well, so I suppose it's ok to commit (This used to be commit c78f2d0bd15ecd2ba643bb141cc35a3405787aa1)
2003-10-06 05:38:46 +04:00
struct lsa_info *info = NULL;
r4805: Last planned change to the privileges infrastructure: * rewrote the tdb layout of privilege records in account_pol.tdb (allow for 128 bits instead of 32 bit flags) * migrated to using SE_PRIV structure instead of the PRIVILEGE_SET structure. The latter is now used for parsing routines mainly. Still need to incorporate some client support into 'net' so for setting privileges. And make use of the SeAddUserPrivilege right. (This used to be commit 41dc7f7573c6d637e19a01e7ed0e716ac0f1fb15)
2005-01-17 18:23:11 +03:00
SE_PRIV mask;
Use pidl for _lsa_AddPrivilegesToAccount and _lsa_RemovePrivilegesFromAccount. Guenther (This used to be commit 0c9904864b5c3b893f99abdebb18d9624aa0f560)
2008-02-14 15:50:32 +03:00
struct lsa_PrivilegeSet *set = NULL;
Changed again how the privilege list is handled in the group mapping code. This time it's a PRIVILEGE_SET struct instead of a simple uint32 array. It makes much more sense. Also added a uint32 systemaccount to the GROUP_MAP struct as some privilege showing in USRMGR.EXE are not real privs but a bitmask flag. I guess it's an heritage from NT 3.0 ! I could setup an NT 3.1 box to verify, but I'm too lazy (yes I still have my CDs). Added 3 more LSA calls: SetSystemAccount, AddPrivileges and RemovePrivileges, we can manage all this privilege from UserManager. Time to change the NT_USER_TOKEN struct and add checks in all the rpc functions. Fun, fun, fun. J.F. (This used to be commit 3f0a9ef2b8c626cfa2878394bb7b642342342bf3)
2001-11-29 19:05:05 +03:00
/* find the connection policy handle. */
Use pidl for _lsa_AddPrivilegesToAccount and _lsa_RemovePrivilegesFromAccount. Guenther (This used to be commit 0c9904864b5c3b893f99abdebb18d9624aa0f560)
2008-02-14 15:50:32 +03:00
if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
Changed again how the privilege list is handled in the group mapping code. This time it's a PRIVILEGE_SET struct instead of a simple uint32 array. It makes much more sense. Also added a uint32 systemaccount to the GROUP_MAP struct as some privilege showing in USRMGR.EXE are not real privs but a bitmask flag. I guess it's an heritage from NT 3.0 ! I could setup an NT 3.1 box to verify, but I'm too lazy (yes I still have my CDs). Added 3 more LSA calls: SetSystemAccount, AddPrivileges and RemovePrivileges, we can manage all this privilege from UserManager. Time to change the NT_USER_TOKEN struct and add checks in all the rpc functions. Fun, fun, fun. J.F. (This used to be commit 3f0a9ef2b8c626cfa2878394bb7b642342342bf3)
2001-11-29 19:05:05 +03:00
return NT_STATUS_INVALID_HANDLE;
Remove white space. Guenther (This used to be commit a33ed085094b200e153939cb1b02e567f07b1e50)
2008-02-14 15:12:28 +03:00
/* check to see if the pipe_user is root or a Domain Admin since
r4739: require membership in Domain Admins to be able to set privileges (This used to be commit e8b4cedc2081eeff53d86c2d894632e57a17926f)
2005-01-15 00:05:54 +03:00
account_pol.tdb was already opened as root, this is all we have */
Remove white space. Guenther (This used to be commit a33ed085094b200e153939cb1b02e567f07b1e50)
2008-02-14 15:12:28 +03:00
r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
2006-07-11 22:01:26 +04:00
if ( p->pipe_user.ut.uid != sec_initial_uid()
Remove white space. Guenther (This used to be commit a33ed085094b200e153939cb1b02e567f07b1e50)
2008-02-14 15:12:28 +03:00
&& !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
r5056: * correct STANDARD_RIGHTS_WRITE_ACCESS bitmask define * make sure to apply the rights_mask and not just the saved bits from the mask in access_check_samr_object() * allow root to grant/revoke privileges (in addition to Domain Admins) as suggested by Volker. Tested machine joins from XP, 2K, and NT4 with and without pre-existing machine trust accounts. Also tested basic file operations using cmd.exe and explorer.exe after changing the STANDARD_RIGHTS_WRITE_ACCESS bitmask. (This used to be commit c0e7f7ff60a4110809b8f500fdc68a1bf963da36)
2005-01-28 19:55:09 +03:00
{
r4739: require membership in Domain Admins to be able to set privileges (This used to be commit e8b4cedc2081eeff53d86c2d894632e57a17926f)
2005-01-15 00:05:54 +03:00
return NT_STATUS_ACCESS_DENIED;
r5056: * correct STANDARD_RIGHTS_WRITE_ACCESS bitmask define * make sure to apply the rights_mask and not just the saved bits from the mask in access_check_samr_object() * allow root to grant/revoke privileges (in addition to Domain Admins) as suggested by Volker. Tested machine joins from XP, 2K, and NT4 with and without pre-existing machine trust accounts. Also tested basic file operations using cmd.exe and explorer.exe after changing the STANDARD_RIGHTS_WRITE_ACCESS bitmask. (This used to be commit c0e7f7ff60a4110809b8f500fdc68a1bf963da36)
2005-01-28 19:55:09 +03:00
}
r4739: require membership in Domain Admins to be able to set privileges (This used to be commit e8b4cedc2081eeff53d86c2d894632e57a17926f)
2005-01-15 00:05:54 +03:00
Use pidl for _lsa_AddPrivilegesToAccount and _lsa_RemovePrivilegesFromAccount. Guenther (This used to be commit 0c9904864b5c3b893f99abdebb18d9624aa0f560)
2008-02-14 15:50:32 +03:00
set = r->in.privs;
Changed again how the privilege list is handled in the group mapping code. This time it's a PRIVILEGE_SET struct instead of a simple uint32 array. It makes much more sense. Also added a uint32 systemaccount to the GROUP_MAP struct as some privilege showing in USRMGR.EXE are not real privs but a bitmask flag. I guess it's an heritage from NT 3.0 ! I could setup an NT 3.1 box to verify, but I'm too lazy (yes I still have my CDs). Added 3 more LSA calls: SetSystemAccount, AddPrivileges and RemovePrivileges, we can manage all this privilege from UserManager. Time to change the NT_USER_TOKEN struct and add checks in all the rpc functions. Fun, fun, fun. J.F. (This used to be commit 3f0a9ef2b8c626cfa2878394bb7b642342342bf3)
2001-11-29 19:05:05 +03:00
r4805: Last planned change to the privileges infrastructure: * rewrote the tdb layout of privilege records in account_pol.tdb (allow for 128 bits instead of 32 bit flags) * migrated to using SE_PRIV structure instead of the PRIVILEGE_SET structure. The latter is now used for parsing routines mainly. Still need to incorporate some client support into 'net' so for setting privileges. And make use of the SeAddUserPrivilege right. (This used to be commit 41dc7f7573c6d637e19a01e7ed0e716ac0f1fb15)
2005-01-17 18:23:11 +03:00
if ( !privilege_set_to_se_priv( &mask, set ) )
return NT_STATUS_NO_SUCH_PRIVILEGE;
r4724: Add support for Windows privileges in Samba 3.0 (based on Simo's code in trunk). Rewritten with the following changes: * privilege set is based on a 32-bit mask instead of strings (plans are to extend this to a 64 or 128-bit mask before the next 3.0.11preX release). * Remove the privilege code from the passdb API (replication to come later) * Only support the minimum amount of privileges that make sense. * Rewrite the domain join checks to use the SeMachineAccountPrivilege instead of the 'is a member of "Domain Admins"?' check that started all this. Still todo: * Utilize the SePrintOperatorPrivilege in addition to the 'printer admin' parameter * Utilize the SeAddUserPrivilege for adding users and groups * Fix some of the hard coded _lsa_*() calls * Start work on enough of SAM replication to get privileges from one Samba DC to another. * Come up with some management tool for manipultaing privileges instead of user manager since it is buggy when run on a 2k client (haven't tried xp). Works ok on NT4. (This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c)
2005-01-13 21:20:37 +03:00
r4805: Last planned change to the privileges infrastructure: * rewrote the tdb layout of privilege records in account_pol.tdb (allow for 128 bits instead of 32 bit flags) * migrated to using SE_PRIV structure instead of the PRIVILEGE_SET structure. The latter is now used for parsing routines mainly. Still need to incorporate some client support into 'net' so for setting privileges. And make use of the SeAddUserPrivilege right. (This used to be commit 41dc7f7573c6d637e19a01e7ed0e716ac0f1fb15)
2005-01-17 18:23:11 +03:00
if ( !revoke_privilege( &info->sid, &mask ) ) {
Use pidl for _lsa_AddPrivilegesToAccount and _lsa_RemovePrivilegesFromAccount. Guenther (This used to be commit 0c9904864b5c3b893f99abdebb18d9624aa0f560)
2008-02-14 15:50:32 +03:00
DEBUG(3,("_lsa_RemovePrivilegesFromAccount: revoke_privilege(%s) failed!\n",
Replace sid_string_static by sid_string_dbg in DEBUGs (This used to be commit bb35e794ec129805e874ceba882bcc1e84791a09)
2007-12-15 23:11:36 +03:00
sid_string_dbg(&info->sid) ));
r4805: Last planned change to the privileges infrastructure: * rewrote the tdb layout of privilege records in account_pol.tdb (allow for 128 bits instead of 32 bit flags) * migrated to using SE_PRIV structure instead of the PRIVILEGE_SET structure. The latter is now used for parsing routines mainly. Still need to incorporate some client support into 'net' so for setting privileges. And make use of the SeAddUserPrivilege right. (This used to be commit 41dc7f7573c6d637e19a01e7ed0e716ac0f1fb15)
2005-01-17 18:23:11 +03:00
DEBUG(3,("Privilege mask:\n"));
dump_se_priv( DBGC_ALL, 3, &mask );
return NT_STATUS_NO_SUCH_PRIVILEGE;
Changed again how the privilege list is handled in the group mapping code. This time it's a PRIVILEGE_SET struct instead of a simple uint32 array. It makes much more sense. Also added a uint32 systemaccount to the GROUP_MAP struct as some privilege showing in USRMGR.EXE are not real privs but a bitmask flag. I guess it's an heritage from NT 3.0 ! I could setup an NT 3.1 box to verify, but I'm too lazy (yes I still have my CDs). Added 3 more LSA calls: SetSystemAccount, AddPrivileges and RemovePrivileges, we can manage all this privilege from UserManager. Time to change the NT_USER_TOKEN struct and add checks in all the rpc functions. Fun, fun, fun. J.F. (This used to be commit 3f0a9ef2b8c626cfa2878394bb7b642342342bf3)
2001-11-29 19:05:05 +03:00
}
r4724: Add support for Windows privileges in Samba 3.0 (based on Simo's code in trunk). Rewritten with the following changes: * privilege set is based on a 32-bit mask instead of strings (plans are to extend this to a 64 or 128-bit mask before the next 3.0.11preX release). * Remove the privilege code from the passdb API (replication to come later) * Only support the minimum amount of privileges that make sense. * Rewrite the domain join checks to use the SeMachineAccountPrivilege instead of the 'is a member of "Domain Admins"?' check that started all this. Still todo: * Utilize the SePrintOperatorPrivilege in addition to the 'printer admin' parameter * Utilize the SeAddUserPrivilege for adding users and groups * Fix some of the hard coded _lsa_*() calls * Start work on enough of SAM replication to get privileges from one Samba DC to another. * Come up with some management tool for manipultaing privileges instead of user manager since it is buggy when run on a 2k client (haven't tried xp). Works ok on NT4. (This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c)
2005-01-13 21:20:37 +03:00
return NT_STATUS_OK;
Changed again how the privilege list is handled in the group mapping code. This time it's a PRIVILEGE_SET struct instead of a simple uint32 array. It makes much more sense. Also added a uint32 systemaccount to the GROUP_MAP struct as some privilege showing in USRMGR.EXE are not real privs but a bitmask flag. I guess it's an heritage from NT 3.0 ! I could setup an NT 3.1 box to verify, but I'm too lazy (yes I still have my CDs). Added 3 more LSA calls: SetSystemAccount, AddPrivileges and RemovePrivileges, we can manage all this privilege from UserManager. Time to change the NT_USER_TOKEN struct and add checks in all the rpc functions. Fun, fun, fun. J.F. (This used to be commit 3f0a9ef2b8c626cfa2878394bb7b642342342bf3)
2001-11-29 19:05:05 +03:00
}
add lsa_query_secobj server code. level 4 is the ACL, level 1 is the owner. that's basic stuff. got the POLICY_ define from TNG but they are also in an include file in the NT SDK. J.F. (This used to be commit 84289a9bf42847981926e198ad36c050904fa9ed)
2001-12-14 20:31:48 +03:00
/***************************************************************************
Use pidl for _lsa_QuerySecurity(). Guenther (This used to be commit 6b2f205844b1e2af4c74247fed13d6e383319067)
2008-02-04 23:13:19 +03:00
_lsa_QuerySecurity
add lsa_query_secobj server code. level 4 is the ACL, level 1 is the owner. that's basic stuff. got the POLICY_ define from TNG but they are also in an include file in the NT SDK. J.F. (This used to be commit 84289a9bf42847981926e198ad36c050904fa9ed)
2001-12-14 20:31:48 +03:00
***************************************************************************/
Use pidl for _lsa_QuerySecurity(). Guenther (This used to be commit 6b2f205844b1e2af4c74247fed13d6e383319067)
2008-02-04 23:13:19 +03:00
NTSTATUS _lsa_QuerySecurity(pipes_struct *p,
struct lsa_QuerySecurity *r)
add lsa_query_secobj server code. level 4 is the ACL, level 1 is the owner. that's basic stuff. got the POLICY_ define from TNG but they are also in an include file in the NT SDK. J.F. (This used to be commit 84289a9bf42847981926e198ad36c050904fa9ed)
2001-12-14 20:31:48 +03:00
{
there is no unknown field in LSA_SEC_QOS some cleanup of the lsa_open_policy and lsa_open_policy2 parser. the length fields are not correct but that's what NT send. We don't anymore underflow or overflow the decoding. added the domain admins group to the default SD. we are now checking the desired access flag in the lsa_open_policy_X() calls and in most functions also. J.F. (This used to be commit a217c4e4ff4d13122703d22258792fe5e8e9f02f)
2001-12-18 02:03:23 +03:00
struct lsa_info *handle=NULL;
add lsa_query_secobj server code. level 4 is the ACL, level 1 is the owner. that's basic stuff. got the POLICY_ define from TNG but they are also in an include file in the NT SDK. J.F. (This used to be commit 84289a9bf42847981926e198ad36c050904fa9ed)
2001-12-14 20:31:48 +03:00
SEC_DESC *psd = NULL;
size_t sd_size;
there is no unknown field in LSA_SEC_QOS some cleanup of the lsa_open_policy and lsa_open_policy2 parser. the length fields are not correct but that's what NT send. We don't anymore underflow or overflow the decoding. added the domain admins group to the default SD. we are now checking the desired access flag in the lsa_open_policy_X() calls and in most functions also. J.F. (This used to be commit a217c4e4ff4d13122703d22258792fe5e8e9f02f)
2001-12-18 02:03:23 +03:00
NTSTATUS status;
add lsa_query_secobj server code. level 4 is the ACL, level 1 is the owner. that's basic stuff. got the POLICY_ define from TNG but they are also in an include file in the NT SDK. J.F. (This used to be commit 84289a9bf42847981926e198ad36c050904fa9ed)
2001-12-14 20:31:48 +03:00
/* find the connection policy handle. */
Use pidl for _lsa_QuerySecurity(). Guenther (This used to be commit 6b2f205844b1e2af4c74247fed13d6e383319067)
2008-02-04 23:13:19 +03:00
if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
add lsa_query_secobj server code. level 4 is the ACL, level 1 is the owner. that's basic stuff. got the POLICY_ define from TNG but they are also in an include file in the NT SDK. J.F. (This used to be commit 84289a9bf42847981926e198ad36c050904fa9ed)
2001-12-14 20:31:48 +03:00
return NT_STATUS_INVALID_HANDLE;
Fix typos. the user have -> has Karolin (This used to be commit 1ee2ad1051e6076709ef8ed2f45bebff10b0c3cf)
2008-07-18 17:31:36 +04:00
/* check if the user has enough rights */
Use new LSA_POLICY defines in lsa rpc server code and other places. Guenther (This used to be commit 58cca9faf9db506bd2f6eab4a99ef85153797ab2)
2008-02-27 17:49:31 +03:00
if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
there is no unknown field in LSA_SEC_QOS some cleanup of the lsa_open_policy and lsa_open_policy2 parser. the length fields are not correct but that's what NT send. We don't anymore underflow or overflow the decoding. added the domain admins group to the default SD. we are now checking the desired access flag in the lsa_open_policy_X() calls and in most functions also. J.F. (This used to be commit a217c4e4ff4d13122703d22258792fe5e8e9f02f)
2001-12-18 02:03:23 +03:00
return NT_STATUS_ACCESS_DENIED;
Use pidl for _lsa_QuerySecurity(). Guenther (This used to be commit 6b2f205844b1e2af4c74247fed13d6e383319067)
2008-02-04 23:13:19 +03:00
switch (r->in.sec_info) {
add lsa_query_secobj server code. level 4 is the ACL, level 1 is the owner. that's basic stuff. got the POLICY_ define from TNG but they are also in an include file in the NT SDK. J.F. (This used to be commit 84289a9bf42847981926e198ad36c050904fa9ed)
2001-12-14 20:31:48 +03:00
case 1:
/* SD contains only the owner */
there is no unknown field in LSA_SEC_QOS some cleanup of the lsa_open_policy and lsa_open_policy2 parser. the length fields are not correct but that's what NT send. We don't anymore underflow or overflow the decoding. added the domain admins group to the default SD. we are now checking the desired access flag in the lsa_open_policy_X() calls and in most functions also. J.F. (This used to be commit a217c4e4ff4d13122703d22258792fe5e8e9f02f)
2001-12-18 02:03:23 +03:00
status=lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size);
if(!NT_STATUS_IS_OK(status))
add lsa_query_secobj server code. level 4 is the ACL, level 1 is the owner. that's basic stuff. got the POLICY_ define from TNG but they are also in an include file in the NT SDK. J.F. (This used to be commit 84289a9bf42847981926e198ad36c050904fa9ed)
2001-12-14 20:31:48 +03:00
return NT_STATUS_NO_MEMORY;
there is no unknown field in LSA_SEC_QOS some cleanup of the lsa_open_policy and lsa_open_policy2 parser. the length fields are not correct but that's what NT send. We don't anymore underflow or overflow the decoding. added the domain admins group to the default SD. we are now checking the desired access flag in the lsa_open_policy_X() calls and in most functions also. J.F. (This used to be commit a217c4e4ff4d13122703d22258792fe5e8e9f02f)
2001-12-18 02:03:23 +03:00
Use pidl for _lsa_QuerySecurity(). Guenther (This used to be commit 6b2f205844b1e2af4c74247fed13d6e383319067)
2008-02-04 23:13:19 +03:00
if((*r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL)
add lsa_query_secobj server code. level 4 is the ACL, level 1 is the owner. that's basic stuff. got the POLICY_ define from TNG but they are also in an include file in the NT SDK. J.F. (This used to be commit 84289a9bf42847981926e198ad36c050904fa9ed)
2001-12-14 20:31:48 +03:00
return NT_STATUS_NO_MEMORY;
break;
case 4:
/* SD contains only the ACL */
there is no unknown field in LSA_SEC_QOS some cleanup of the lsa_open_policy and lsa_open_policy2 parser. the length fields are not correct but that's what NT send. We don't anymore underflow or overflow the decoding. added the domain admins group to the default SD. we are now checking the desired access flag in the lsa_open_policy_X() calls and in most functions also. J.F. (This used to be commit a217c4e4ff4d13122703d22258792fe5e8e9f02f)
2001-12-18 02:03:23 +03:00
status=lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size);
if(!NT_STATUS_IS_OK(status))
add lsa_query_secobj server code. level 4 is the ACL, level 1 is the owner. that's basic stuff. got the POLICY_ define from TNG but they are also in an include file in the NT SDK. J.F. (This used to be commit 84289a9bf42847981926e198ad36c050904fa9ed)
2001-12-14 20:31:48 +03:00
return NT_STATUS_NO_MEMORY;
Use pidl for _lsa_QuerySecurity(). Guenther (This used to be commit 6b2f205844b1e2af4c74247fed13d6e383319067)
2008-02-04 23:13:19 +03:00
if((*r->out.sdbuf = make_sec_desc_buf(p->mem_ctx, sd_size, psd)) == NULL)
add lsa_query_secobj server code. level 4 is the ACL, level 1 is the owner. that's basic stuff. got the POLICY_ define from TNG but they are also in an include file in the NT SDK. J.F. (This used to be commit 84289a9bf42847981926e198ad36c050904fa9ed)
2001-12-14 20:31:48 +03:00
return NT_STATUS_NO_MEMORY;
break;
default:
return NT_STATUS_INVALID_LEVEL;
}
Use pidl for _lsa_QuerySecurity(). Guenther (This used to be commit 6b2f205844b1e2af4c74247fed13d6e383319067)
2008-02-04 23:13:19 +03:00
return status;
add lsa_query_secobj server code. level 4 is the ACL, level 1 is the owner. that's basic stuff. got the POLICY_ define from TNG but they are also in an include file in the NT SDK. J.F. (This used to be commit 84289a9bf42847981926e198ad36c050904fa9ed)
2001-12-14 20:31:48 +03:00
}
r5726: merge LsaLookupPrivValue() code from trunk (This used to be commit 277203b5356af58ce62eb4eec0db2eccadeeffd6)
2005-03-10 21:50:47 +03:00
#if 0 /* AD DC work in ongoing in Samba 4 */
r4742: add server support for lsa_add/remove_account_rights() and fix some parsing bugs related to that code (This used to be commit 7bf1312287cc1ec6b97917ba25fc60d6db09f26c)
2005-01-15 05:20:30 +03:00
/***************************************************************************
***************************************************************************/
add lsa_query_secobj server code. level 4 is the ACL, level 1 is the owner. that's basic stuff. got the POLICY_ define from TNG but they are also in an include file in the NT SDK. J.F. (This used to be commit 84289a9bf42847981926e198ad36c050904fa9ed)
2001-12-14 20:31:48 +03:00
Remove unused marshalling for LSA_QUERY_INFO2. Guenther (This used to be commit 0fac016d9d0018c983576d5cc8c3e06f40360b73)
2008-02-08 03:56:09 +03:00
NTSTATUS _lsa_query_info2(pipes_struct *p, LSA_Q_QUERY_INFO2 *q_u, LSA_R_QUERY_INFO2 *r_u)
Sync 3.0 branch with HEAD (This used to be commit e01596853e3eea533baa08c33f26ded75f33fdd4)
2002-08-17 19:34:15 +04:00
{
struct lsa_info *handle;
Removed global_myworkgroup, global_myname, global_myscope. Added liberal dashes of const. This is a rather large check-in, some things may break. It does compile though :-). Jeremy. (This used to be commit f755711df8f74f9b8e8c1a2b0d07d02a931eeb89)
2002-11-13 02:20:50 +03:00
const char *nb_name;
Sync 3.0 branch with HEAD (This used to be commit e01596853e3eea533baa08c33f26ded75f33fdd4)
2002-08-17 19:34:15 +04:00
char *dns_name = NULL;
char *forest_name = NULL;
DOM_SID *sid = NULL;
r18680: Fix last struct uuids (in uncommented code). Guenther (This used to be commit 41c79ee5accb13f73d1f65b303d723ca2ff49933)
2006-09-19 21:29:31 +04:00
struct GUID guid;
Make our 'get DNS domain name' code try a bit harder - if gethostname() doesn't include a domain portion, do a gethostbyname() lookup on that name. Use this name in our PolicyPrimaryDomainInformation reply (_lsa_query_info2) that Win2k uses when trying to trust us as a trusted domain. (We need to do a better mapping between our Netbios and Win2k domain names, but this will do for now - particularly annoying is the way this possibly needs to map with our kerberos realm). Andrew Bartlett (This used to be commit 3be03271030208a69da29c6e2a7b92cdbaa8c6aa)
2003-04-22 11:28:41 +04:00
fstring dnsdomname;
Sync 3.0 branch with HEAD (This used to be commit e01596853e3eea533baa08c33f26ded75f33fdd4)
2002-08-17 19:34:15 +04:00
ZERO_STRUCT(guid);
r_u->status = NT_STATUS_OK;
r12043: It's amazing the warnings you find when compiling on a 64-bit box with gcc4 and -O6... Fix a bunch of C99 dereferencing type-punned pointer will break strict-aliasing rules errors. Also added prs_int32 (not uint32...) as it's needed in one place. Find places where prs_uint32 was being used to marshall/unmarshall a time_t (a big no no on 64-bits). More warning fixes to come. Thanks to Volker for nudging me to compile like this. Jeremy. (This used to be commit c65b752604f8f58abc4e7ae8514dc2c7f086271c)
2005-12-03 09:46:46 +03:00
if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&handle))
Sync 3.0 branch with HEAD (This used to be commit e01596853e3eea533baa08c33f26ded75f33fdd4)
2002-08-17 19:34:15 +04:00
return NT_STATUS_INVALID_HANDLE;
switch (q_u->info_class) {
case 0x0c:
Fix typos. the user have -> has Karolin (This used to be commit 1ee2ad1051e6076709ef8ed2f45bebff10b0c3cf)
2008-07-18 17:31:36 +04:00
/* check if the user has enough rights */
Use new LSA_POLICY defines in lsa rpc server code and other places. Guenther (This used to be commit 58cca9faf9db506bd2f6eab4a99ef85153797ab2)
2008-02-27 17:49:31 +03:00
if (!(handle->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
Sync 3.0 branch with HEAD (This used to be commit e01596853e3eea533baa08c33f26ded75f33fdd4)
2002-08-17 19:34:15 +04:00
return NT_STATUS_ACCESS_DENIED;
/* Request PolicyPrimaryDomainInformation. */
switch (lp_server_role()) {
case ROLE_DOMAIN_PDC:
case ROLE_DOMAIN_BDC:
Set our 'global sam name' in one place. For domain controllers, this is lp_workgroup(), for all other server this is global_myname(). This is the name of the domain for accounts on *this* system, and getting this wrong caused interesting bugs with 'take ownership' on member servers and standalone servers at Snap. (They lookup the username that they got, then convert that to a SID - but becouse the domain out of the smbpasswd entry was wrong, we would fail the lookup). Andrew Bartlett (This used to be commit 5fc78eba20411f3f5a8ccadfcba5c4ab73180dba)
2003-05-07 12:21:06 +04:00
nb_name = get_global_sam_name();
Sync 3.0 branch with HEAD (This used to be commit e01596853e3eea533baa08c33f26ded75f33fdd4)
2002-08-17 19:34:15 +04:00
/* ugly temp hack for these next two */
Make our 'get DNS domain name' code try a bit harder - if gethostname() doesn't include a domain portion, do a gethostbyname() lookup on that name. Use this name in our PolicyPrimaryDomainInformation reply (_lsa_query_info2) that Win2k uses when trying to trust us as a trusted domain. (We need to do a better mapping between our Netbios and Win2k domain names, but this will do for now - particularly annoying is the way this possibly needs to map with our kerberos realm). Andrew Bartlett (This used to be commit 3be03271030208a69da29c6e2a7b92cdbaa8c6aa)
2003-04-22 11:28:41 +04:00
/* This should be a 'netbios domain -> DNS domain' mapping */
Remove more fstring/pstring bad useage. Go talloc ! Jeremy. (This used to be commit 2a0173743d2cf615d52278f3dd87cc804abe2d16)
2007-11-09 04:25:45 +03:00
dnsdomname = get_mydnsdomname(p->mem_ctx);
Fix case where we have no dns domain name. Return a talloc of "". Jeremy. (This used to be commit ab8934844a8ae08657769ce1787c32f14a7eb745)
2007-11-09 04:58:55 +03:00
if (!dnsdomname || !*dnsdomname) {
Remove more fstring/pstring bad useage. Go talloc ! Jeremy. (This used to be commit 2a0173743d2cf615d52278f3dd87cc804abe2d16)
2007-11-09 04:25:45 +03:00
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
Removed strupper/strlower macros that automatically map to strupper_m/strlower_m. I really want people to think about when they're using multibyte strings. Jeremy. (This used to be commit ff222716a08af65d26ad842ce4c2841cc6540959)
2003-07-03 23:11:31 +04:00
strlower_m(dnsdomname);
Remove more fstring/pstring bad useage. Go talloc ! Jeremy. (This used to be commit 2a0173743d2cf615d52278f3dd87cc804abe2d16)
2007-11-09 04:25:45 +03:00
Make our 'get DNS domain name' code try a bit harder - if gethostname() doesn't include a domain portion, do a gethostbyname() lookup on that name. Use this name in our PolicyPrimaryDomainInformation reply (_lsa_query_info2) that Win2k uses when trying to trust us as a trusted domain. (We need to do a better mapping between our Netbios and Win2k domain names, but this will do for now - particularly annoying is the way this possibly needs to map with our kerberos realm). Andrew Bartlett (This used to be commit 3be03271030208a69da29c6e2a7b92cdbaa8c6aa)
2003-04-22 11:28:41 +04:00
dns_name = dnsdomname;
forest_name = dnsdomname;
Sync 3.0 branch with HEAD (This used to be commit e01596853e3eea533baa08c33f26ded75f33fdd4)
2002-08-17 19:34:15 +04:00
sid = get_global_sam_sid();
Removed global_myworkgroup, global_myname, global_myscope. Added liberal dashes of const. This is a rather large check-in, some things may break. It does compile though :-). Jeremy. (This used to be commit f755711df8f74f9b8e8c1a2b0d07d02a931eeb89)
2002-11-13 02:20:50 +03:00
secrets_fetch_domain_guid(lp_workgroup(), &guid);
Sync 3.0 branch with HEAD (This used to be commit e01596853e3eea533baa08c33f26ded75f33fdd4)
2002-08-17 19:34:15 +04:00
break;
default:
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
Remove white space. Guenther (This used to be commit a33ed085094b200e153939cb1b02e567f07b1e50)
2008-02-14 15:12:28 +03:00
init_dns_dom_info(&r_u->info.dns_dom_info, nb_name, dns_name,
Sync 3.0 branch with HEAD (This used to be commit e01596853e3eea533baa08c33f26ded75f33fdd4)
2002-08-17 19:34:15 +04:00
forest_name,&guid,sid);
break;
default:
DEBUG(0,("_lsa_query_info2: unknown info level in Lsa Query: %d\n", q_u->info_class));
r_u->status = NT_STATUS_INVALID_INFO_CLASS;
break;
}
if (NT_STATUS_IS_OK(r_u->status)) {
r_u->ptr = 0x1;
r_u->info_class = q_u->info_class;
}
return r_u->status;
}
r5726: merge LsaLookupPrivValue() code from trunk (This used to be commit 277203b5356af58ce62eb4eec0db2eccadeeffd6)
2005-03-10 21:50:47 +03:00
#endif /* AD DC work in ongoing in Samba 4 */
r4742: add server support for lsa_add/remove_account_rights() and fix some parsing bugs related to that code (This used to be commit 7bf1312287cc1ec6b97917ba25fc60d6db09f26c)
2005-01-15 05:20:30 +03:00
/***************************************************************************
Use pidl for _lsa_AddAccountRights(). Guenther (This used to be commit 253cf1523871f2218e9e59b0a01f47b8bc745ac9)
2008-02-14 16:21:49 +03:00
_lsa_AddAccountRights
r4742: add server support for lsa_add/remove_account_rights() and fix some parsing bugs related to that code (This used to be commit 7bf1312287cc1ec6b97917ba25fc60d6db09f26c)
2005-01-15 05:20:30 +03:00
***************************************************************************/
Use pidl for _lsa_AddAccountRights(). Guenther (This used to be commit 253cf1523871f2218e9e59b0a01f47b8bc745ac9)
2008-02-14 16:21:49 +03:00
NTSTATUS _lsa_AddAccountRights(pipes_struct *p,
struct lsa_AddAccountRights *r)
r4742: add server support for lsa_add/remove_account_rights() and fix some parsing bugs related to that code (This used to be commit 7bf1312287cc1ec6b97917ba25fc60d6db09f26c)
2005-01-15 05:20:30 +03:00
{
struct lsa_info *info = NULL;
int i = 0;
DOM_SID sid;
/* find the connection policy handle. */
Use pidl for _lsa_AddAccountRights(). Guenther (This used to be commit 253cf1523871f2218e9e59b0a01f47b8bc745ac9)
2008-02-14 16:21:49 +03:00
if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
r4742: add server support for lsa_add/remove_account_rights() and fix some parsing bugs related to that code (This used to be commit 7bf1312287cc1ec6b97917ba25fc60d6db09f26c)
2005-01-15 05:20:30 +03:00
return NT_STATUS_INVALID_HANDLE;
Remove white space. Guenther (This used to be commit a33ed085094b200e153939cb1b02e567f07b1e50)
2008-02-14 15:12:28 +03:00
/* check to see if the pipe_user is a Domain Admin since
r4742: add server support for lsa_add/remove_account_rights() and fix some parsing bugs related to that code (This used to be commit 7bf1312287cc1ec6b97917ba25fc60d6db09f26c)
2005-01-15 05:20:30 +03:00
account_pol.tdb was already opened as root, this is all we have */
Remove white space. Guenther (This used to be commit a33ed085094b200e153939cb1b02e567f07b1e50)
2008-02-14 15:12:28 +03:00
r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
2006-07-11 22:01:26 +04:00
if ( p->pipe_user.ut.uid != sec_initial_uid()
Remove white space. Guenther (This used to be commit a33ed085094b200e153939cb1b02e567f07b1e50)
2008-02-14 15:12:28 +03:00
&& !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
r5383: add missing checks to allow root to manage user rights (This used to be commit ead54b14f6b34f087d3affc2853e16bbbaceb7cc)
2005-02-14 04:13:14 +03:00
{
r4742: add server support for lsa_add/remove_account_rights() and fix some parsing bugs related to that code (This used to be commit 7bf1312287cc1ec6b97917ba25fc60d6db09f26c)
2005-01-15 05:20:30 +03:00
return NT_STATUS_ACCESS_DENIED;
r5383: add missing checks to allow root to manage user rights (This used to be commit ead54b14f6b34f087d3affc2853e16bbbaceb7cc)
2005-02-14 04:13:14 +03:00
}
r4742: add server support for lsa_add/remove_account_rights() and fix some parsing bugs related to that code (This used to be commit 7bf1312287cc1ec6b97917ba25fc60d6db09f26c)
2005-01-15 05:20:30 +03:00
/* according to an NT4 PDC, you can add privileges to SIDs even without
call_lsa_create_account() first. And you can use any arbitrary SID. */
Remove white space. Guenther (This used to be commit a33ed085094b200e153939cb1b02e567f07b1e50)
2008-02-14 15:12:28 +03:00
Use pidl for _lsa_AddAccountRights(). Guenther (This used to be commit 253cf1523871f2218e9e59b0a01f47b8bc745ac9)
2008-02-14 16:21:49 +03:00
sid_copy( &sid, r->in.sid );
Remove white space. Guenther (This used to be commit a33ed085094b200e153939cb1b02e567f07b1e50)
2008-02-14 15:12:28 +03:00
Use pidl for _lsa_AddAccountRights(). Guenther (This used to be commit 253cf1523871f2218e9e59b0a01f47b8bc745ac9)
2008-02-14 16:21:49 +03:00
for ( i=0; i < r->in.rights->count; i++ ) {
Remove white space. Guenther (This used to be commit a33ed085094b200e153939cb1b02e567f07b1e50)
2008-02-14 15:12:28 +03:00
Use pidl for _lsa_AddAccountRights(). Guenther (This used to be commit 253cf1523871f2218e9e59b0a01f47b8bc745ac9)
2008-02-14 16:21:49 +03:00
const char *privname = r->in.rights->names[i].string;
r6071: * clean up UNISTR2_ARRAY ( really just an array of UNISTR4 + count ) * add some backwards compatibility to 'net rpc rights list' * verify privilege name in 'net rpc rights privileges <name>' in order to give back better error messages. (This used to be commit 0e29dc8aa384dfa6d2495beb8a9ffb5371e60a13)
2005-03-26 09:52:56 +03:00
r4742: add server support for lsa_add/remove_account_rights() and fix some parsing bugs related to that code (This used to be commit 7bf1312287cc1ec6b97917ba25fc60d6db09f26c)
2005-01-15 05:20:30 +03:00
/* only try to add non-null strings */
r6071: * clean up UNISTR2_ARRAY ( really just an array of UNISTR4 + count ) * add some backwards compatibility to 'net rpc rights list' * verify privilege name in 'net rpc rights privileges <name>' in order to give back better error messages. (This used to be commit 0e29dc8aa384dfa6d2495beb8a9ffb5371e60a13)
2005-03-26 09:52:56 +03:00
Use pidl for _lsa_AddAccountRights(). Guenther (This used to be commit 253cf1523871f2218e9e59b0a01f47b8bc745ac9)
2008-02-14 16:21:49 +03:00
if ( !privname )
r6071: * clean up UNISTR2_ARRAY ( really just an array of UNISTR4 + count ) * add some backwards compatibility to 'net rpc rights list' * verify privilege name in 'net rpc rights privileges <name>' in order to give back better error messages. (This used to be commit 0e29dc8aa384dfa6d2495beb8a9ffb5371e60a13)
2005-03-26 09:52:56 +03:00
continue;
if ( !grant_privilege_by_name( &sid, privname ) ) {
Use pidl for _lsa_AddAccountRights(). Guenther (This used to be commit 253cf1523871f2218e9e59b0a01f47b8bc745ac9)
2008-02-14 16:21:49 +03:00
DEBUG(2,("_lsa_AddAccountRights: Failed to add privilege [%s]\n",
privname ));
r4742: add server support for lsa_add/remove_account_rights() and fix some parsing bugs related to that code (This used to be commit 7bf1312287cc1ec6b97917ba25fc60d6db09f26c)
2005-01-15 05:20:30 +03:00
return NT_STATUS_NO_SUCH_PRIVILEGE;
}
}
return NT_STATUS_OK;
}
/***************************************************************************
Use pidl for _lsa_RemoveAccountRights. Guenther (This used to be commit 39f8508f5d978a936779fdfd51b90fec4faa4301)
2008-02-14 17:20:18 +03:00
_lsa_RemoveAccountRights
r4742: add server support for lsa_add/remove_account_rights() and fix some parsing bugs related to that code (This used to be commit 7bf1312287cc1ec6b97917ba25fc60d6db09f26c)
2005-01-15 05:20:30 +03:00
***************************************************************************/
Use pidl for _lsa_RemoveAccountRights. Guenther (This used to be commit 39f8508f5d978a936779fdfd51b90fec4faa4301)
2008-02-14 17:20:18 +03:00
NTSTATUS _lsa_RemoveAccountRights(pipes_struct *p,
struct lsa_RemoveAccountRights *r)
r4742: add server support for lsa_add/remove_account_rights() and fix some parsing bugs related to that code (This used to be commit 7bf1312287cc1ec6b97917ba25fc60d6db09f26c)
2005-01-15 05:20:30 +03:00
{
struct lsa_info *info = NULL;
int i = 0;
DOM_SID sid;
Use pidl for _lsa_RemoveAccountRights. Guenther (This used to be commit 39f8508f5d978a936779fdfd51b90fec4faa4301)
2008-02-14 17:20:18 +03:00
const char *privname = NULL;
r4742: add server support for lsa_add/remove_account_rights() and fix some parsing bugs related to that code (This used to be commit 7bf1312287cc1ec6b97917ba25fc60d6db09f26c)
2005-01-15 05:20:30 +03:00
/* find the connection policy handle. */
Use pidl for _lsa_RemoveAccountRights. Guenther (This used to be commit 39f8508f5d978a936779fdfd51b90fec4faa4301)
2008-02-14 17:20:18 +03:00
if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
r4742: add server support for lsa_add/remove_account_rights() and fix some parsing bugs related to that code (This used to be commit 7bf1312287cc1ec6b97917ba25fc60d6db09f26c)
2005-01-15 05:20:30 +03:00
return NT_STATUS_INVALID_HANDLE;
Remove white space. Guenther (This used to be commit a33ed085094b200e153939cb1b02e567f07b1e50)
2008-02-14 15:12:28 +03:00
/* check to see if the pipe_user is a Domain Admin since
r4742: add server support for lsa_add/remove_account_rights() and fix some parsing bugs related to that code (This used to be commit 7bf1312287cc1ec6b97917ba25fc60d6db09f26c)
2005-01-15 05:20:30 +03:00
account_pol.tdb was already opened as root, this is all we have */
Remove white space. Guenther (This used to be commit a33ed085094b200e153939cb1b02e567f07b1e50)
2008-02-14 15:12:28 +03:00
r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
2006-07-11 22:01:26 +04:00
if ( p->pipe_user.ut.uid != sec_initial_uid()
r5383: add missing checks to allow root to manage user rights (This used to be commit ead54b14f6b34f087d3affc2853e16bbbaceb7cc)
2005-02-14 04:13:14 +03:00
&& !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
{
r4742: add server support for lsa_add/remove_account_rights() and fix some parsing bugs related to that code (This used to be commit 7bf1312287cc1ec6b97917ba25fc60d6db09f26c)
2005-01-15 05:20:30 +03:00
return NT_STATUS_ACCESS_DENIED;
r5383: add missing checks to allow root to manage user rights (This used to be commit ead54b14f6b34f087d3affc2853e16bbbaceb7cc)
2005-02-14 04:13:14 +03:00
}
r4742: add server support for lsa_add/remove_account_rights() and fix some parsing bugs related to that code (This used to be commit 7bf1312287cc1ec6b97917ba25fc60d6db09f26c)
2005-01-15 05:20:30 +03:00
Use pidl for _lsa_RemoveAccountRights. Guenther (This used to be commit 39f8508f5d978a936779fdfd51b90fec4faa4301)
2008-02-14 17:20:18 +03:00
sid_copy( &sid, r->in.sid );
r4742: add server support for lsa_add/remove_account_rights() and fix some parsing bugs related to that code (This used to be commit 7bf1312287cc1ec6b97917ba25fc60d6db09f26c)
2005-01-15 05:20:30 +03:00
Use pidl for _lsa_RemoveAccountRights. Guenther (This used to be commit 39f8508f5d978a936779fdfd51b90fec4faa4301)
2008-02-14 17:20:18 +03:00
if ( r->in.remove_all ) {
Remove white space. Guenther (This used to be commit a33ed085094b200e153939cb1b02e567f07b1e50)
2008-02-14 15:12:28 +03:00
if ( !revoke_all_privileges( &sid ) )
r4742: add server support for lsa_add/remove_account_rights() and fix some parsing bugs related to that code (This used to be commit 7bf1312287cc1ec6b97917ba25fc60d6db09f26c)
2005-01-15 05:20:30 +03:00
return NT_STATUS_ACCESS_DENIED;
Remove white space. Guenther (This used to be commit a33ed085094b200e153939cb1b02e567f07b1e50)
2008-02-14 15:12:28 +03:00
r4742: add server support for lsa_add/remove_account_rights() and fix some parsing bugs related to that code (This used to be commit 7bf1312287cc1ec6b97917ba25fc60d6db09f26c)
2005-01-15 05:20:30 +03:00
return NT_STATUS_OK;
}
Remove white space. Guenther (This used to be commit a33ed085094b200e153939cb1b02e567f07b1e50)
2008-02-14 15:12:28 +03:00
Use pidl for _lsa_RemoveAccountRights. Guenther (This used to be commit 39f8508f5d978a936779fdfd51b90fec4faa4301)
2008-02-14 17:20:18 +03:00
for ( i=0; i < r->in.rights->count; i++ ) {
Remove white space. Guenther (This used to be commit a33ed085094b200e153939cb1b02e567f07b1e50)
2008-02-14 15:12:28 +03:00
Use pidl for _lsa_RemoveAccountRights. Guenther (This used to be commit 39f8508f5d978a936779fdfd51b90fec4faa4301)
2008-02-14 17:20:18 +03:00
privname = r->in.rights->names[i].string;
r6071: * clean up UNISTR2_ARRAY ( really just an array of UNISTR4 + count ) * add some backwards compatibility to 'net rpc rights list' * verify privilege name in 'net rpc rights privileges <name>' in order to give back better error messages. (This used to be commit 0e29dc8aa384dfa6d2495beb8a9ffb5371e60a13)
2005-03-26 09:52:56 +03:00
r4742: add server support for lsa_add/remove_account_rights() and fix some parsing bugs related to that code (This used to be commit 7bf1312287cc1ec6b97917ba25fc60d6db09f26c)
2005-01-15 05:20:30 +03:00
/* only try to add non-null strings */
r6071: * clean up UNISTR2_ARRAY ( really just an array of UNISTR4 + count ) * add some backwards compatibility to 'net rpc rights list' * verify privilege name in 'net rpc rights privileges <name>' in order to give back better error messages. (This used to be commit 0e29dc8aa384dfa6d2495beb8a9ffb5371e60a13)
2005-03-26 09:52:56 +03:00
Use pidl for _lsa_RemoveAccountRights. Guenther (This used to be commit 39f8508f5d978a936779fdfd51b90fec4faa4301)
2008-02-14 17:20:18 +03:00
if ( !privname )
r6071: * clean up UNISTR2_ARRAY ( really just an array of UNISTR4 + count ) * add some backwards compatibility to 'net rpc rights list' * verify privilege name in 'net rpc rights privileges <name>' in order to give back better error messages. (This used to be commit 0e29dc8aa384dfa6d2495beb8a9ffb5371e60a13)
2005-03-26 09:52:56 +03:00
continue;
if ( !revoke_privilege_by_name( &sid, privname ) ) {
Use pidl for _lsa_RemoveAccountRights. Guenther (This used to be commit 39f8508f5d978a936779fdfd51b90fec4faa4301)
2008-02-14 17:20:18 +03:00
DEBUG(2,("_lsa_RemoveAccountRights: Failed to revoke privilege [%s]\n",
privname ));
r4742: add server support for lsa_add/remove_account_rights() and fix some parsing bugs related to that code (This used to be commit 7bf1312287cc1ec6b97917ba25fc60d6db09f26c)
2005-01-15 05:20:30 +03:00
return NT_STATUS_NO_SUCH_PRIVILEGE;
}
}
return NT_STATUS_OK;
}
Use pidl for _lsa_EnumAccountRights(). Guenther (This used to be commit cb6a84712cf91d104206356f0ac256a071868d66)
2008-02-14 17:02:31 +03:00
/*******************************************************************
********************************************************************/
static NTSTATUS init_lsa_right_set(TALLOC_CTX *mem_ctx,
struct lsa_RightSet *r,
PRIVILEGE_SET *privileges)
{
uint32 i;
const char *privname;
const char **privname_array = NULL;
int num_priv = 0;
for (i=0; i<privileges->count; i++) {
privname = luid_to_privilege_name(&privileges->set[i].luid);
if (privname) {
if (!add_string_to_array(mem_ctx, privname,
&privname_array, &num_priv)) {
return NT_STATUS_NO_MEMORY;
}
}
}
if (num_priv) {
r->names = TALLOC_ZERO_ARRAY(mem_ctx, struct lsa_StringLarge,
num_priv);
if (!r->names) {
return NT_STATUS_NO_MEMORY;
}
for (i=0; i<num_priv; i++) {
init_lsa_StringLarge(&r->names[i], privname_array[i]);
}
r->count = num_priv;
}
return NT_STATUS_OK;
}
r4742: add server support for lsa_add/remove_account_rights() and fix some parsing bugs related to that code (This used to be commit 7bf1312287cc1ec6b97917ba25fc60d6db09f26c)
2005-01-15 05:20:30 +03:00
r6071: * clean up UNISTR2_ARRAY ( really just an array of UNISTR4 + count ) * add some backwards compatibility to 'net rpc rights list' * verify privilege name in 'net rpc rights privileges <name>' in order to give back better error messages. (This used to be commit 0e29dc8aa384dfa6d2495beb8a9ffb5371e60a13)
2005-03-26 09:52:56 +03:00
/***************************************************************************
Use pidl for _lsa_EnumAccountRights(). Guenther (This used to be commit cb6a84712cf91d104206356f0ac256a071868d66)
2008-02-14 17:02:31 +03:00
_lsa_EnumAccountRights
r6071: * clean up UNISTR2_ARRAY ( really just an array of UNISTR4 + count ) * add some backwards compatibility to 'net rpc rights list' * verify privilege name in 'net rpc rights privileges <name>' in order to give back better error messages. (This used to be commit 0e29dc8aa384dfa6d2495beb8a9ffb5371e60a13)
2005-03-26 09:52:56 +03:00
***************************************************************************/
Use pidl for _lsa_EnumAccountRights(). Guenther (This used to be commit cb6a84712cf91d104206356f0ac256a071868d66)
2008-02-14 17:02:31 +03:00
NTSTATUS _lsa_EnumAccountRights(pipes_struct *p,
struct lsa_EnumAccountRights *r)
r4746: add server support for lsa_enum_acct_rights(); last checkin for the night (This used to be commit ccdff4a998405544433aa32938963e4c37962fcc)
2005-01-15 06:54:03 +03:00
{
Use pidl for _lsa_EnumAccountRights(). Guenther (This used to be commit cb6a84712cf91d104206356f0ac256a071868d66)
2008-02-14 17:02:31 +03:00
NTSTATUS status;
r4746: add server support for lsa_enum_acct_rights(); last checkin for the night (This used to be commit ccdff4a998405544433aa32938963e4c37962fcc)
2005-01-15 06:54:03 +03:00
struct lsa_info *info = NULL;
DOM_SID sid;
PRIVILEGE_SET privileges;
r4805: Last planned change to the privileges infrastructure: * rewrote the tdb layout of privilege records in account_pol.tdb (allow for 128 bits instead of 32 bit flags) * migrated to using SE_PRIV structure instead of the PRIVILEGE_SET structure. The latter is now used for parsing routines mainly. Still need to incorporate some client support into 'net' so for setting privileges. And make use of the SeAddUserPrivilege right. (This used to be commit 41dc7f7573c6d637e19a01e7ed0e716ac0f1fb15)
2005-01-17 18:23:11 +03:00
SE_PRIV mask;
Remove white space. Guenther (This used to be commit a33ed085094b200e153939cb1b02e567f07b1e50)
2008-02-14 15:12:28 +03:00
r4746: add server support for lsa_enum_acct_rights(); last checkin for the night (This used to be commit ccdff4a998405544433aa32938963e4c37962fcc)
2005-01-15 06:54:03 +03:00
/* find the connection policy handle. */
Remove white space. Guenther (This used to be commit a33ed085094b200e153939cb1b02e567f07b1e50)
2008-02-14 15:12:28 +03:00
Use pidl for _lsa_EnumAccountRights(). Guenther (This used to be commit cb6a84712cf91d104206356f0ac256a071868d66)
2008-02-14 17:02:31 +03:00
if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
r4746: add server support for lsa_enum_acct_rights(); last checkin for the night (This used to be commit ccdff4a998405544433aa32938963e4c37962fcc)
2005-01-15 06:54:03 +03:00
return NT_STATUS_INVALID_HANDLE;
Remove white space. Guenther (This used to be commit a33ed085094b200e153939cb1b02e567f07b1e50)
2008-02-14 15:12:28 +03:00
Unify access checks for lsa server functions. Jeremy.
2008-10-18 02:24:15 +04:00
if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
return NT_STATUS_ACCESS_DENIED;
r4746: add server support for lsa_enum_acct_rights(); last checkin for the night (This used to be commit ccdff4a998405544433aa32938963e4c37962fcc)
2005-01-15 06:54:03 +03:00
/* according to an NT4 PDC, you can add privileges to SIDs even without
call_lsa_create_account() first. And you can use any arbitrary SID. */
Remove white space. Guenther (This used to be commit a33ed085094b200e153939cb1b02e567f07b1e50)
2008-02-14 15:12:28 +03:00
Use pidl for _lsa_EnumAccountRights(). Guenther (This used to be commit cb6a84712cf91d104206356f0ac256a071868d66)
2008-02-14 17:02:31 +03:00
sid_copy( &sid, r->in.sid );
Remove white space. Guenther (This used to be commit a33ed085094b200e153939cb1b02e567f07b1e50)
2008-02-14 15:12:28 +03:00
r4805: Last planned change to the privileges infrastructure: * rewrote the tdb layout of privilege records in account_pol.tdb (allow for 128 bits instead of 32 bit flags) * migrated to using SE_PRIV structure instead of the PRIVILEGE_SET structure. The latter is now used for parsing routines mainly. Still need to incorporate some client support into 'net' so for setting privileges. And make use of the SeAddUserPrivilege right. (This used to be commit 41dc7f7573c6d637e19a01e7ed0e716ac0f1fb15)
2005-01-17 18:23:11 +03:00
if ( !get_privileges_for_sids( &mask, &sid, 1 ) )
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
r4746: add server support for lsa_enum_acct_rights(); last checkin for the night (This used to be commit ccdff4a998405544433aa32938963e4c37962fcc)
2005-01-15 06:54:03 +03:00
privilege_set_init( &privileges );
r4805: Last planned change to the privileges infrastructure: * rewrote the tdb layout of privilege records in account_pol.tdb (allow for 128 bits instead of 32 bit flags) * migrated to using SE_PRIV structure instead of the PRIVILEGE_SET structure. The latter is now used for parsing routines mainly. Still need to incorporate some client support into 'net' so for setting privileges. And make use of the SeAddUserPrivilege right. (This used to be commit 41dc7f7573c6d637e19a01e7ed0e716ac0f1fb15)
2005-01-17 18:23:11 +03:00
if ( se_priv_to_privilege_set( &privileges, &mask ) ) {
Use pidl for _lsa_EnumAccountRights(). Guenther (This used to be commit cb6a84712cf91d104206356f0ac256a071868d66)
2008-02-14 17:02:31 +03:00
DEBUG(10,("_lsa_EnumAccountRights: %s has %d privileges\n",
Replace sid_string_static by sid_string_dbg in DEBUGs (This used to be commit bb35e794ec129805e874ceba882bcc1e84791a09)
2007-12-15 23:11:36 +03:00
sid_string_dbg(&sid), privileges.count));
r4746: add server support for lsa_enum_acct_rights(); last checkin for the night (This used to be commit ccdff4a998405544433aa32938963e4c37962fcc)
2005-01-15 06:54:03 +03:00
Use pidl for _lsa_EnumAccountRights(). Guenther (This used to be commit cb6a84712cf91d104206356f0ac256a071868d66)
2008-02-14 17:02:31 +03:00
status = init_lsa_right_set(p->mem_ctx, r->out.rights, &privileges);
} else {
status = NT_STATUS_NO_SUCH_PRIVILEGE;
r4805: Last planned change to the privileges infrastructure: * rewrote the tdb layout of privilege records in account_pol.tdb (allow for 128 bits instead of 32 bit flags) * migrated to using SE_PRIV structure instead of the PRIVILEGE_SET structure. The latter is now used for parsing routines mainly. Still need to incorporate some client support into 'net' so for setting privileges. And make use of the SeAddUserPrivilege right. (This used to be commit 41dc7f7573c6d637e19a01e7ed0e716ac0f1fb15)
2005-01-17 18:23:11 +03:00
}
r4746: add server support for lsa_enum_acct_rights(); last checkin for the night (This used to be commit ccdff4a998405544433aa32938963e4c37962fcc)
2005-01-15 06:54:03 +03:00
privilege_set_free( &privileges );
Use pidl for _lsa_EnumAccountRights(). Guenther (This used to be commit cb6a84712cf91d104206356f0ac256a071868d66)
2008-02-14 17:02:31 +03:00
return status;
r4746: add server support for lsa_enum_acct_rights(); last checkin for the night (This used to be commit ccdff4a998405544433aa32938963e4c37962fcc)
2005-01-15 06:54:03 +03:00
}
r6071: * clean up UNISTR2_ARRAY ( really just an array of UNISTR4 + count ) * add some backwards compatibility to 'net rpc rights list' * verify privilege name in 'net rpc rights privileges <name>' in order to give back better error messages. (This used to be commit 0e29dc8aa384dfa6d2495beb8a9ffb5371e60a13)
2005-03-26 09:52:56 +03:00
/***************************************************************************
Use pidl for _lsa_LookupPrivValue(). Guenther (This used to be commit 87dc2471d1c2a5be17604399d4f684193a6bba38)
2008-02-14 15:25:42 +03:00
_lsa_LookupPrivValue
r6071: * clean up UNISTR2_ARRAY ( really just an array of UNISTR4 + count ) * add some backwards compatibility to 'net rpc rights list' * verify privilege name in 'net rpc rights privileges <name>' in order to give back better error messages. (This used to be commit 0e29dc8aa384dfa6d2495beb8a9ffb5371e60a13)
2005-03-26 09:52:56 +03:00
***************************************************************************/
Use pidl for _lsa_LookupPrivValue(). Guenther (This used to be commit 87dc2471d1c2a5be17604399d4f684193a6bba38)
2008-02-14 15:25:42 +03:00
NTSTATUS _lsa_LookupPrivValue(pipes_struct *p,
struct lsa_LookupPrivValue *r)
r5726: merge LsaLookupPrivValue() code from trunk (This used to be commit 277203b5356af58ce62eb4eec0db2eccadeeffd6)
2005-03-10 21:50:47 +03:00
{
struct lsa_info *info = NULL;
Use pidl for _lsa_LookupPrivValue(). Guenther (This used to be commit 87dc2471d1c2a5be17604399d4f684193a6bba38)
2008-02-14 15:25:42 +03:00
const char *name = NULL;
r5726: merge LsaLookupPrivValue() code from trunk (This used to be commit 277203b5356af58ce62eb4eec0db2eccadeeffd6)
2005-03-10 21:50:47 +03:00
LUID_ATTR priv_luid;
SE_PRIV mask;
Remove white space. Guenther (This used to be commit a33ed085094b200e153939cb1b02e567f07b1e50)
2008-02-14 15:12:28 +03:00
r5726: merge LsaLookupPrivValue() code from trunk (This used to be commit 277203b5356af58ce62eb4eec0db2eccadeeffd6)
2005-03-10 21:50:47 +03:00
/* find the connection policy handle. */
Remove white space. Guenther (This used to be commit a33ed085094b200e153939cb1b02e567f07b1e50)
2008-02-14 15:12:28 +03:00
Use pidl for _lsa_LookupPrivValue(). Guenther (This used to be commit 87dc2471d1c2a5be17604399d4f684193a6bba38)
2008-02-14 15:25:42 +03:00
if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
r5726: merge LsaLookupPrivValue() code from trunk (This used to be commit 277203b5356af58ce62eb4eec0db2eccadeeffd6)
2005-03-10 21:50:47 +03:00
return NT_STATUS_INVALID_HANDLE;
Remove white space. Guenther (This used to be commit a33ed085094b200e153939cb1b02e567f07b1e50)
2008-02-14 15:12:28 +03:00
Unify access checks for lsa server functions. Jeremy.
2008-10-18 02:24:15 +04:00
if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
return NT_STATUS_ACCESS_DENIED;
Use pidl for _lsa_LookupPrivValue(). Guenther (This used to be commit 87dc2471d1c2a5be17604399d4f684193a6bba38)
2008-02-14 15:25:42 +03:00
name = r->in.name->string;
Remove white space. Guenther (This used to be commit a33ed085094b200e153939cb1b02e567f07b1e50)
2008-02-14 15:12:28 +03:00
r7995: * privileges are local except when they're *not* printmig.exe assumes that the LUID of the SeBackupPrivlege on the target server matches the LUID of the privilege on the local client. Even though an LUID is never guaranteed to be the same across reboots. How *awful*! My cat could write better code! (more on my cat later....) * Set the privelege LUID in the global PRIVS[] array * Rename RegCreateKey() to RegCreateKeyEx() to better match MSDN * Rename the unknown field in RegCreateKeyEx() to disposition (guess according to MSDN) * Add the capability to define REG_TDB_ONLY for using the reg_db.c functions and stress the RegXXX() rpc functions. (This used to be commit 0d6352da4800aabc04dfd7c65a6afe6af7cd2d4b)
2005-06-29 20:35:32 +04:00
DEBUG(10,("_lsa_lookup_priv_value: name = %s\n", name));
r5726: merge LsaLookupPrivValue() code from trunk (This used to be commit 277203b5356af58ce62eb4eec0db2eccadeeffd6)
2005-03-10 21:50:47 +03:00
if ( !se_priv_from_name( name, &mask ) )
return NT_STATUS_NO_SUCH_PRIVILEGE;
priv_luid = get_privilege_luid( &mask );
Use pidl for _lsa_LookupPrivValue(). Guenther (This used to be commit 87dc2471d1c2a5be17604399d4f684193a6bba38)
2008-02-14 15:25:42 +03:00
r->out.luid->low = priv_luid.luid.low;
r->out.luid->high = priv_luid.luid.high;
r5726: merge LsaLookupPrivValue() code from trunk (This used to be commit 277203b5356af58ce62eb4eec0db2eccadeeffd6)
2005-03-10 21:50:47 +03:00
return NT_STATUS_OK;
}
r19224: Add setting the rng_fault_state to the already converted pipes. Convert the low-hanging fruit of the LSA server. This provides a sample how the server calls can be converted one by one, see the "proxy_lsa_call" function. Volker (This used to be commit 99e54a213ad3561ea6e8dc44c483847c18c5681e)
2006-10-10 12:39:11 +04:00
/*
* From here on the server routines are just dummy ones to make smbd link with
* librpc/gen_ndr/srv_lsa.c. These routines are actually never called, we are
* pulling the server stubs across one by one.
Remove white space. Guenther (This used to be commit a33ed085094b200e153939cb1b02e567f07b1e50)
2008-02-14 15:12:28 +03:00
*/
r19224: Add setting the rng_fault_state to the already converted pipes. Convert the low-hanging fruit of the LSA server. This provides a sample how the server calls can be converted one by one, see the "proxy_lsa_call" function. Volker (This used to be commit 99e54a213ad3561ea6e8dc44c483847c18c5681e)
2006-10-10 12:39:11 +04:00
r20875: Pass DCE/RPC server call arguments as a struct rather than as separate arguments. This makes it a bit more similar to the Samba4 code. (This used to be commit 0596badb410a58e7a715e2b17bc0bef0489a2448)
2007-01-18 13:18:59 +03:00
NTSTATUS _lsa_Delete(pipes_struct *p, struct lsa_Delete *r)
r19224: Add setting the rng_fault_state to the already converted pipes. Convert the low-hanging fruit of the LSA server. This provides a sample how the server calls can be converted one by one, see the "proxy_lsa_call" function. Volker (This used to be commit 99e54a213ad3561ea6e8dc44c483847c18c5681e)
2006-10-10 12:39:11 +04:00
{
p->rng_fault_state = True;
return NT_STATUS_NOT_IMPLEMENTED;
}
r20875: Pass DCE/RPC server call arguments as a struct rather than as separate arguments. This makes it a bit more similar to the Samba4 code. (This used to be commit 0596badb410a58e7a715e2b17bc0bef0489a2448)
2007-01-18 13:18:59 +03:00
NTSTATUS _lsa_SetSecObj(pipes_struct *p, struct lsa_SetSecObj *r)
r19224: Add setting the rng_fault_state to the already converted pipes. Convert the low-hanging fruit of the LSA server. This provides a sample how the server calls can be converted one by one, see the "proxy_lsa_call" function. Volker (This used to be commit 99e54a213ad3561ea6e8dc44c483847c18c5681e)
2006-10-10 12:39:11 +04:00
{
p->rng_fault_state = True;
return NT_STATUS_NOT_IMPLEMENTED;
}
r20875: Pass DCE/RPC server call arguments as a struct rather than as separate arguments. This makes it a bit more similar to the Samba4 code. (This used to be commit 0596badb410a58e7a715e2b17bc0bef0489a2448)
2007-01-18 13:18:59 +03:00
NTSTATUS _lsa_ChangePassword(pipes_struct *p, struct lsa_ChangePassword *r)
r19224: Add setting the rng_fault_state to the already converted pipes. Convert the low-hanging fruit of the LSA server. This provides a sample how the server calls can be converted one by one, see the "proxy_lsa_call" function. Volker (This used to be commit 99e54a213ad3561ea6e8dc44c483847c18c5681e)
2006-10-10 12:39:11 +04:00
{
p->rng_fault_state = True;
return NT_STATUS_NOT_IMPLEMENTED;
}
r20875: Pass DCE/RPC server call arguments as a struct rather than as separate arguments. This makes it a bit more similar to the Samba4 code. (This used to be commit 0596badb410a58e7a715e2b17bc0bef0489a2448)
2007-01-18 13:18:59 +03:00
NTSTATUS _lsa_SetInfoPolicy(pipes_struct *p, struct lsa_SetInfoPolicy *r)
r19224: Add setting the rng_fault_state to the already converted pipes. Convert the low-hanging fruit of the LSA server. This provides a sample how the server calls can be converted one by one, see the "proxy_lsa_call" function. Volker (This used to be commit 99e54a213ad3561ea6e8dc44c483847c18c5681e)
2006-10-10 12:39:11 +04:00
{
p->rng_fault_state = True;
return NT_STATUS_NOT_IMPLEMENTED;
}
r20875: Pass DCE/RPC server call arguments as a struct rather than as separate arguments. This makes it a bit more similar to the Samba4 code. (This used to be commit 0596badb410a58e7a715e2b17bc0bef0489a2448)
2007-01-18 13:18:59 +03:00
NTSTATUS _lsa_ClearAuditLog(pipes_struct *p, struct lsa_ClearAuditLog *r)
r19224: Add setting the rng_fault_state to the already converted pipes. Convert the low-hanging fruit of the LSA server. This provides a sample how the server calls can be converted one by one, see the "proxy_lsa_call" function. Volker (This used to be commit 99e54a213ad3561ea6e8dc44c483847c18c5681e)
2006-10-10 12:39:11 +04:00
{
p->rng_fault_state = True;
return NT_STATUS_NOT_IMPLEMENTED;
}
r20875: Pass DCE/RPC server call arguments as a struct rather than as separate arguments. This makes it a bit more similar to the Samba4 code. (This used to be commit 0596badb410a58e7a715e2b17bc0bef0489a2448)
2007-01-18 13:18:59 +03:00
NTSTATUS _lsa_GetQuotasForAccount(pipes_struct *p, struct lsa_GetQuotasForAccount *r)
r19224: Add setting the rng_fault_state to the already converted pipes. Convert the low-hanging fruit of the LSA server. This provides a sample how the server calls can be converted one by one, see the "proxy_lsa_call" function. Volker (This used to be commit 99e54a213ad3561ea6e8dc44c483847c18c5681e)
2006-10-10 12:39:11 +04:00
{
p->rng_fault_state = True;
return NT_STATUS_NOT_IMPLEMENTED;
}
r20875: Pass DCE/RPC server call arguments as a struct rather than as separate arguments. This makes it a bit more similar to the Samba4 code. (This used to be commit 0596badb410a58e7a715e2b17bc0bef0489a2448)
2007-01-18 13:18:59 +03:00
NTSTATUS _lsa_SetQuotasForAccount(pipes_struct *p, struct lsa_SetQuotasForAccount *r)
r19224: Add setting the rng_fault_state to the already converted pipes. Convert the low-hanging fruit of the LSA server. This provides a sample how the server calls can be converted one by one, see the "proxy_lsa_call" function. Volker (This used to be commit 99e54a213ad3561ea6e8dc44c483847c18c5681e)
2006-10-10 12:39:11 +04:00
{
p->rng_fault_state = True;
return NT_STATUS_NOT_IMPLEMENTED;
}
r20875: Pass DCE/RPC server call arguments as a struct rather than as separate arguments. This makes it a bit more similar to the Samba4 code. (This used to be commit 0596badb410a58e7a715e2b17bc0bef0489a2448)
2007-01-18 13:18:59 +03:00
NTSTATUS _lsa_QueryTrustedDomainInfo(pipes_struct *p, struct lsa_QueryTrustedDomainInfo *r)
r19224: Add setting the rng_fault_state to the already converted pipes. Convert the low-hanging fruit of the LSA server. This provides a sample how the server calls can be converted one by one, see the "proxy_lsa_call" function. Volker (This used to be commit 99e54a213ad3561ea6e8dc44c483847c18c5681e)
2006-10-10 12:39:11 +04:00
{
p->rng_fault_state = True;
return NT_STATUS_NOT_IMPLEMENTED;
}
r20875: Pass DCE/RPC server call arguments as a struct rather than as separate arguments. This makes it a bit more similar to the Samba4 code. (This used to be commit 0596badb410a58e7a715e2b17bc0bef0489a2448)
2007-01-18 13:18:59 +03:00
NTSTATUS _lsa_SetInformationTrustedDomain(pipes_struct *p, struct lsa_SetInformationTrustedDomain *r)
r19224: Add setting the rng_fault_state to the already converted pipes. Convert the low-hanging fruit of the LSA server. This provides a sample how the server calls can be converted one by one, see the "proxy_lsa_call" function. Volker (This used to be commit 99e54a213ad3561ea6e8dc44c483847c18c5681e)
2006-10-10 12:39:11 +04:00
{
p->rng_fault_state = True;
return NT_STATUS_NOT_IMPLEMENTED;
}
r20875: Pass DCE/RPC server call arguments as a struct rather than as separate arguments. This makes it a bit more similar to the Samba4 code. (This used to be commit 0596badb410a58e7a715e2b17bc0bef0489a2448)
2007-01-18 13:18:59 +03:00
NTSTATUS _lsa_QuerySecret(pipes_struct *p, struct lsa_QuerySecret *r)
r19224: Add setting the rng_fault_state to the already converted pipes. Convert the low-hanging fruit of the LSA server. This provides a sample how the server calls can be converted one by one, see the "proxy_lsa_call" function. Volker (This used to be commit 99e54a213ad3561ea6e8dc44c483847c18c5681e)
2006-10-10 12:39:11 +04:00
{
p->rng_fault_state = True;
return NT_STATUS_NOT_IMPLEMENTED;
}
r20875: Pass DCE/RPC server call arguments as a struct rather than as separate arguments. This makes it a bit more similar to the Samba4 code. (This used to be commit 0596badb410a58e7a715e2b17bc0bef0489a2448)
2007-01-18 13:18:59 +03:00
NTSTATUS _lsa_LookupPrivName(pipes_struct *p, struct lsa_LookupPrivName *r)
r19224: Add setting the rng_fault_state to the already converted pipes. Convert the low-hanging fruit of the LSA server. This provides a sample how the server calls can be converted one by one, see the "proxy_lsa_call" function. Volker (This used to be commit 99e54a213ad3561ea6e8dc44c483847c18c5681e)
2006-10-10 12:39:11 +04:00
{
p->rng_fault_state = True;
return NT_STATUS_NOT_IMPLEMENTED;
}
r20875: Pass DCE/RPC server call arguments as a struct rather than as separate arguments. This makes it a bit more similar to the Samba4 code. (This used to be commit 0596badb410a58e7a715e2b17bc0bef0489a2448)
2007-01-18 13:18:59 +03:00
NTSTATUS _lsa_EnumAccountsWithUserRight(pipes_struct *p, struct lsa_EnumAccountsWithUserRight *r)
r19224: Add setting the rng_fault_state to the already converted pipes. Convert the low-hanging fruit of the LSA server. This provides a sample how the server calls can be converted one by one, see the "proxy_lsa_call" function. Volker (This used to be commit 99e54a213ad3561ea6e8dc44c483847c18c5681e)
2006-10-10 12:39:11 +04:00
{
p->rng_fault_state = True;
return NT_STATUS_NOT_IMPLEMENTED;
}
r20875: Pass DCE/RPC server call arguments as a struct rather than as separate arguments. This makes it a bit more similar to the Samba4 code. (This used to be commit 0596badb410a58e7a715e2b17bc0bef0489a2448)
2007-01-18 13:18:59 +03:00
NTSTATUS _lsa_QueryTrustedDomainInfoBySid(pipes_struct *p, struct lsa_QueryTrustedDomainInfoBySid *r)
r19224: Add setting the rng_fault_state to the already converted pipes. Convert the low-hanging fruit of the LSA server. This provides a sample how the server calls can be converted one by one, see the "proxy_lsa_call" function. Volker (This used to be commit 99e54a213ad3561ea6e8dc44c483847c18c5681e)
2006-10-10 12:39:11 +04:00
{
p->rng_fault_state = True;
return NT_STATUS_NOT_IMPLEMENTED;
}
r20875: Pass DCE/RPC server call arguments as a struct rather than as separate arguments. This makes it a bit more similar to the Samba4 code. (This used to be commit 0596badb410a58e7a715e2b17bc0bef0489a2448)
2007-01-18 13:18:59 +03:00
NTSTATUS _lsa_SetTrustedDomainInfo(pipes_struct *p, struct lsa_SetTrustedDomainInfo *r)
r19224: Add setting the rng_fault_state to the already converted pipes. Convert the low-hanging fruit of the LSA server. This provides a sample how the server calls can be converted one by one, see the "proxy_lsa_call" function. Volker (This used to be commit 99e54a213ad3561ea6e8dc44c483847c18c5681e)
2006-10-10 12:39:11 +04:00
{
p->rng_fault_state = True;
return NT_STATUS_NOT_IMPLEMENTED;
}
r20875: Pass DCE/RPC server call arguments as a struct rather than as separate arguments. This makes it a bit more similar to the Samba4 code. (This used to be commit 0596badb410a58e7a715e2b17bc0bef0489a2448)
2007-01-18 13:18:59 +03:00
NTSTATUS _lsa_DeleteTrustedDomain(pipes_struct *p, struct lsa_DeleteTrustedDomain *r)
r19224: Add setting the rng_fault_state to the already converted pipes. Convert the low-hanging fruit of the LSA server. This provides a sample how the server calls can be converted one by one, see the "proxy_lsa_call" function. Volker (This used to be commit 99e54a213ad3561ea6e8dc44c483847c18c5681e)
2006-10-10 12:39:11 +04:00
{
p->rng_fault_state = True;
return NT_STATUS_NOT_IMPLEMENTED;
}
r20875: Pass DCE/RPC server call arguments as a struct rather than as separate arguments. This makes it a bit more similar to the Samba4 code. (This used to be commit 0596badb410a58e7a715e2b17bc0bef0489a2448)
2007-01-18 13:18:59 +03:00
NTSTATUS _lsa_StorePrivateData(pipes_struct *p, struct lsa_StorePrivateData *r)
r19224: Add setting the rng_fault_state to the already converted pipes. Convert the low-hanging fruit of the LSA server. This provides a sample how the server calls can be converted one by one, see the "proxy_lsa_call" function. Volker (This used to be commit 99e54a213ad3561ea6e8dc44c483847c18c5681e)
2006-10-10 12:39:11 +04:00
{
p->rng_fault_state = True;
return NT_STATUS_NOT_IMPLEMENTED;
}
r20875: Pass DCE/RPC server call arguments as a struct rather than as separate arguments. This makes it a bit more similar to the Samba4 code. (This used to be commit 0596badb410a58e7a715e2b17bc0bef0489a2448)
2007-01-18 13:18:59 +03:00
NTSTATUS _lsa_RetrievePrivateData(pipes_struct *p, struct lsa_RetrievePrivateData *r)
r19224: Add setting the rng_fault_state to the already converted pipes. Convert the low-hanging fruit of the LSA server. This provides a sample how the server calls can be converted one by one, see the "proxy_lsa_call" function. Volker (This used to be commit 99e54a213ad3561ea6e8dc44c483847c18c5681e)
2006-10-10 12:39:11 +04:00
{
p->rng_fault_state = True;
return NT_STATUS_NOT_IMPLEMENTED;
}
r20875: Pass DCE/RPC server call arguments as a struct rather than as separate arguments. This makes it a bit more similar to the Samba4 code. (This used to be commit 0596badb410a58e7a715e2b17bc0bef0489a2448)
2007-01-18 13:18:59 +03:00
NTSTATUS _lsa_QueryInfoPolicy2(pipes_struct *p, struct lsa_QueryInfoPolicy2 *r)
r19224: Add setting the rng_fault_state to the already converted pipes. Convert the low-hanging fruit of the LSA server. This provides a sample how the server calls can be converted one by one, see the "proxy_lsa_call" function. Volker (This used to be commit 99e54a213ad3561ea6e8dc44c483847c18c5681e)
2006-10-10 12:39:11 +04:00
{
p->rng_fault_state = True;
return NT_STATUS_NOT_IMPLEMENTED;
}
r20875: Pass DCE/RPC server call arguments as a struct rather than as separate arguments. This makes it a bit more similar to the Samba4 code. (This used to be commit 0596badb410a58e7a715e2b17bc0bef0489a2448)
2007-01-18 13:18:59 +03:00
NTSTATUS _lsa_SetInfoPolicy2(pipes_struct *p, struct lsa_SetInfoPolicy2 *r)
r19224: Add setting the rng_fault_state to the already converted pipes. Convert the low-hanging fruit of the LSA server. This provides a sample how the server calls can be converted one by one, see the "proxy_lsa_call" function. Volker (This used to be commit 99e54a213ad3561ea6e8dc44c483847c18c5681e)
2006-10-10 12:39:11 +04:00
{
p->rng_fault_state = True;
return NT_STATUS_NOT_IMPLEMENTED;
}
r20875: Pass DCE/RPC server call arguments as a struct rather than as separate arguments. This makes it a bit more similar to the Samba4 code. (This used to be commit 0596badb410a58e7a715e2b17bc0bef0489a2448)
2007-01-18 13:18:59 +03:00
NTSTATUS _lsa_QueryTrustedDomainInfoByName(pipes_struct *p, struct lsa_QueryTrustedDomainInfoByName *r)
r19224: Add setting the rng_fault_state to the already converted pipes. Convert the low-hanging fruit of the LSA server. This provides a sample how the server calls can be converted one by one, see the "proxy_lsa_call" function. Volker (This used to be commit 99e54a213ad3561ea6e8dc44c483847c18c5681e)
2006-10-10 12:39:11 +04:00
{
p->rng_fault_state = True;
return NT_STATUS_NOT_IMPLEMENTED;
}
r20875: Pass DCE/RPC server call arguments as a struct rather than as separate arguments. This makes it a bit more similar to the Samba4 code. (This used to be commit 0596badb410a58e7a715e2b17bc0bef0489a2448)
2007-01-18 13:18:59 +03:00
NTSTATUS _lsa_SetTrustedDomainInfoByName(pipes_struct *p, struct lsa_SetTrustedDomainInfoByName *r)
r19224: Add setting the rng_fault_state to the already converted pipes. Convert the low-hanging fruit of the LSA server. This provides a sample how the server calls can be converted one by one, see the "proxy_lsa_call" function. Volker (This used to be commit 99e54a213ad3561ea6e8dc44c483847c18c5681e)
2006-10-10 12:39:11 +04:00
{
p->rng_fault_state = True;
return NT_STATUS_NOT_IMPLEMENTED;
}
r20875: Pass DCE/RPC server call arguments as a struct rather than as separate arguments. This makes it a bit more similar to the Samba4 code. (This used to be commit 0596badb410a58e7a715e2b17bc0bef0489a2448)
2007-01-18 13:18:59 +03:00
NTSTATUS _lsa_EnumTrustedDomainsEx(pipes_struct *p, struct lsa_EnumTrustedDomainsEx *r)
r19224: Add setting the rng_fault_state to the already converted pipes. Convert the low-hanging fruit of the LSA server. This provides a sample how the server calls can be converted one by one, see the "proxy_lsa_call" function. Volker (This used to be commit 99e54a213ad3561ea6e8dc44c483847c18c5681e)
2006-10-10 12:39:11 +04:00
{
p->rng_fault_state = True;
return NT_STATUS_NOT_IMPLEMENTED;
}
r20875: Pass DCE/RPC server call arguments as a struct rather than as separate arguments. This makes it a bit more similar to the Samba4 code. (This used to be commit 0596badb410a58e7a715e2b17bc0bef0489a2448)
2007-01-18 13:18:59 +03:00
NTSTATUS _lsa_CreateTrustedDomainEx(pipes_struct *p, struct lsa_CreateTrustedDomainEx *r)
r19224: Add setting the rng_fault_state to the already converted pipes. Convert the low-hanging fruit of the LSA server. This provides a sample how the server calls can be converted one by one, see the "proxy_lsa_call" function. Volker (This used to be commit 99e54a213ad3561ea6e8dc44c483847c18c5681e)
2006-10-10 12:39:11 +04:00
{
p->rng_fault_state = True;
return NT_STATUS_NOT_IMPLEMENTED;
}
r20875: Pass DCE/RPC server call arguments as a struct rather than as separate arguments. This makes it a bit more similar to the Samba4 code. (This used to be commit 0596badb410a58e7a715e2b17bc0bef0489a2448)
2007-01-18 13:18:59 +03:00
NTSTATUS _lsa_CloseTrustedDomainEx(pipes_struct *p, struct lsa_CloseTrustedDomainEx *r)
r19224: Add setting the rng_fault_state to the already converted pipes. Convert the low-hanging fruit of the LSA server. This provides a sample how the server calls can be converted one by one, see the "proxy_lsa_call" function. Volker (This used to be commit 99e54a213ad3561ea6e8dc44c483847c18c5681e)
2006-10-10 12:39:11 +04:00
{
p->rng_fault_state = True;
return NT_STATUS_NOT_IMPLEMENTED;
}
r20875: Pass DCE/RPC server call arguments as a struct rather than as separate arguments. This makes it a bit more similar to the Samba4 code. (This used to be commit 0596badb410a58e7a715e2b17bc0bef0489a2448)
2007-01-18 13:18:59 +03:00
NTSTATUS _lsa_QueryDomainInformationPolicy(pipes_struct *p, struct lsa_QueryDomainInformationPolicy *r)
r19224: Add setting the rng_fault_state to the already converted pipes. Convert the low-hanging fruit of the LSA server. This provides a sample how the server calls can be converted one by one, see the "proxy_lsa_call" function. Volker (This used to be commit 99e54a213ad3561ea6e8dc44c483847c18c5681e)
2006-10-10 12:39:11 +04:00
{
p->rng_fault_state = True;
return NT_STATUS_NOT_IMPLEMENTED;
}
r20875: Pass DCE/RPC server call arguments as a struct rather than as separate arguments. This makes it a bit more similar to the Samba4 code. (This used to be commit 0596badb410a58e7a715e2b17bc0bef0489a2448)
2007-01-18 13:18:59 +03:00
NTSTATUS _lsa_SetDomainInformationPolicy(pipes_struct *p, struct lsa_SetDomainInformationPolicy *r)
r19224: Add setting the rng_fault_state to the already converted pipes. Convert the low-hanging fruit of the LSA server. This provides a sample how the server calls can be converted one by one, see the "proxy_lsa_call" function. Volker (This used to be commit 99e54a213ad3561ea6e8dc44c483847c18c5681e)
2006-10-10 12:39:11 +04:00
{
p->rng_fault_state = True;
return NT_STATUS_NOT_IMPLEMENTED;
}
r20875: Pass DCE/RPC server call arguments as a struct rather than as separate arguments. This makes it a bit more similar to the Samba4 code. (This used to be commit 0596badb410a58e7a715e2b17bc0bef0489a2448)
2007-01-18 13:18:59 +03:00
NTSTATUS _lsa_OpenTrustedDomainByName(pipes_struct *p, struct lsa_OpenTrustedDomainByName *r)
r19224: Add setting the rng_fault_state to the already converted pipes. Convert the low-hanging fruit of the LSA server. This provides a sample how the server calls can be converted one by one, see the "proxy_lsa_call" function. Volker (This used to be commit 99e54a213ad3561ea6e8dc44c483847c18c5681e)
2006-10-10 12:39:11 +04:00
{
p->rng_fault_state = True;
return NT_STATUS_NOT_IMPLEMENTED;
}
r20875: Pass DCE/RPC server call arguments as a struct rather than as separate arguments. This makes it a bit more similar to the Samba4 code. (This used to be commit 0596badb410a58e7a715e2b17bc0bef0489a2448)
2007-01-18 13:18:59 +03:00
NTSTATUS _lsa_TestCall(pipes_struct *p, struct lsa_TestCall *r)
r19224: Add setting the rng_fault_state to the already converted pipes. Convert the low-hanging fruit of the LSA server. This provides a sample how the server calls can be converted one by one, see the "proxy_lsa_call" function. Volker (This used to be commit 99e54a213ad3561ea6e8dc44c483847c18c5681e)
2006-10-10 12:39:11 +04:00
{
p->rng_fault_state = True;
return NT_STATUS_NOT_IMPLEMENTED;
}
r20875: Pass DCE/RPC server call arguments as a struct rather than as separate arguments. This makes it a bit more similar to the Samba4 code. (This used to be commit 0596badb410a58e7a715e2b17bc0bef0489a2448)
2007-01-18 13:18:59 +03:00
NTSTATUS _lsa_CreateTrustedDomainEx2(pipes_struct *p, struct lsa_CreateTrustedDomainEx2 *r)
r19224: Add setting the rng_fault_state to the already converted pipes. Convert the low-hanging fruit of the LSA server. This provides a sample how the server calls can be converted one by one, see the "proxy_lsa_call" function. Volker (This used to be commit 99e54a213ad3561ea6e8dc44c483847c18c5681e)
2006-10-10 12:39:11 +04:00
{
p->rng_fault_state = True;
return NT_STATUS_NOT_IMPLEMENTED;
}
r20875: Pass DCE/RPC server call arguments as a struct rather than as separate arguments. This makes it a bit more similar to the Samba4 code. (This used to be commit 0596badb410a58e7a715e2b17bc0bef0489a2448)
2007-01-18 13:18:59 +03:00
NTSTATUS _lsa_CREDRWRITE(pipes_struct *p, struct lsa_CREDRWRITE *r)
r19224: Add setting the rng_fault_state to the already converted pipes. Convert the low-hanging fruit of the LSA server. This provides a sample how the server calls can be converted one by one, see the "proxy_lsa_call" function. Volker (This used to be commit 99e54a213ad3561ea6e8dc44c483847c18c5681e)
2006-10-10 12:39:11 +04:00
{
p->rng_fault_state = True;
return NT_STATUS_NOT_IMPLEMENTED;
}
r20875: Pass DCE/RPC server call arguments as a struct rather than as separate arguments. This makes it a bit more similar to the Samba4 code. (This used to be commit 0596badb410a58e7a715e2b17bc0bef0489a2448)
2007-01-18 13:18:59 +03:00
NTSTATUS _lsa_CREDRREAD(pipes_struct *p, struct lsa_CREDRREAD *r)
r19224: Add setting the rng_fault_state to the already converted pipes. Convert the low-hanging fruit of the LSA server. This provides a sample how the server calls can be converted one by one, see the "proxy_lsa_call" function. Volker (This used to be commit 99e54a213ad3561ea6e8dc44c483847c18c5681e)
2006-10-10 12:39:11 +04:00
{
p->rng_fault_state = True;
return NT_STATUS_NOT_IMPLEMENTED;
}
r20875: Pass DCE/RPC server call arguments as a struct rather than as separate arguments. This makes it a bit more similar to the Samba4 code. (This used to be commit 0596badb410a58e7a715e2b17bc0bef0489a2448)
2007-01-18 13:18:59 +03:00
NTSTATUS _lsa_CREDRENUMERATE(pipes_struct *p, struct lsa_CREDRENUMERATE *r)
r19224: Add setting the rng_fault_state to the already converted pipes. Convert the low-hanging fruit of the LSA server. This provides a sample how the server calls can be converted one by one, see the "proxy_lsa_call" function. Volker (This used to be commit 99e54a213ad3561ea6e8dc44c483847c18c5681e)
2006-10-10 12:39:11 +04:00
{
p->rng_fault_state = True;
return NT_STATUS_NOT_IMPLEMENTED;
}
r20875: Pass DCE/RPC server call arguments as a struct rather than as separate arguments. This makes it a bit more similar to the Samba4 code. (This used to be commit 0596badb410a58e7a715e2b17bc0bef0489a2448)
2007-01-18 13:18:59 +03:00
NTSTATUS _lsa_CREDRWRITEDOMAINCREDENTIALS(pipes_struct *p, struct lsa_CREDRWRITEDOMAINCREDENTIALS *r)
r19224: Add setting the rng_fault_state to the already converted pipes. Convert the low-hanging fruit of the LSA server. This provides a sample how the server calls can be converted one by one, see the "proxy_lsa_call" function. Volker (This used to be commit 99e54a213ad3561ea6e8dc44c483847c18c5681e)
2006-10-10 12:39:11 +04:00
{
p->rng_fault_state = True;
return NT_STATUS_NOT_IMPLEMENTED;
}
r20875: Pass DCE/RPC server call arguments as a struct rather than as separate arguments. This makes it a bit more similar to the Samba4 code. (This used to be commit 0596badb410a58e7a715e2b17bc0bef0489a2448)
2007-01-18 13:18:59 +03:00
NTSTATUS _lsa_CREDRREADDOMAINCREDENTIALS(pipes_struct *p, struct lsa_CREDRREADDOMAINCREDENTIALS *r)
r19224: Add setting the rng_fault_state to the already converted pipes. Convert the low-hanging fruit of the LSA server. This provides a sample how the server calls can be converted one by one, see the "proxy_lsa_call" function. Volker (This used to be commit 99e54a213ad3561ea6e8dc44c483847c18c5681e)
2006-10-10 12:39:11 +04:00
{
p->rng_fault_state = True;
return NT_STATUS_NOT_IMPLEMENTED;
}
r20875: Pass DCE/RPC server call arguments as a struct rather than as separate arguments. This makes it a bit more similar to the Samba4 code. (This used to be commit 0596badb410a58e7a715e2b17bc0bef0489a2448)
2007-01-18 13:18:59 +03:00
NTSTATUS _lsa_CREDRDELETE(pipes_struct *p, struct lsa_CREDRDELETE *r)
r19224: Add setting the rng_fault_state to the already converted pipes. Convert the low-hanging fruit of the LSA server. This provides a sample how the server calls can be converted one by one, see the "proxy_lsa_call" function. Volker (This used to be commit 99e54a213ad3561ea6e8dc44c483847c18c5681e)
2006-10-10 12:39:11 +04:00
{
p->rng_fault_state = True;
return NT_STATUS_NOT_IMPLEMENTED;
}
r20875: Pass DCE/RPC server call arguments as a struct rather than as separate arguments. This makes it a bit more similar to the Samba4 code. (This used to be commit 0596badb410a58e7a715e2b17bc0bef0489a2448)
2007-01-18 13:18:59 +03:00
NTSTATUS _lsa_CREDRGETTARGETINFO(pipes_struct *p, struct lsa_CREDRGETTARGETINFO *r)
r19224: Add setting the rng_fault_state to the already converted pipes. Convert the low-hanging fruit of the LSA server. This provides a sample how the server calls can be converted one by one, see the "proxy_lsa_call" function. Volker (This used to be commit 99e54a213ad3561ea6e8dc44c483847c18c5681e)
2006-10-10 12:39:11 +04:00
{
p->rng_fault_state = True;
return NT_STATUS_NOT_IMPLEMENTED;
}
r20875: Pass DCE/RPC server call arguments as a struct rather than as separate arguments. This makes it a bit more similar to the Samba4 code. (This used to be commit 0596badb410a58e7a715e2b17bc0bef0489a2448)
2007-01-18 13:18:59 +03:00
NTSTATUS _lsa_CREDRPROFILELOADED(pipes_struct *p, struct lsa_CREDRPROFILELOADED *r)
r19224: Add setting the rng_fault_state to the already converted pipes. Convert the low-hanging fruit of the LSA server. This provides a sample how the server calls can be converted one by one, see the "proxy_lsa_call" function. Volker (This used to be commit 99e54a213ad3561ea6e8dc44c483847c18c5681e)
2006-10-10 12:39:11 +04:00
{
p->rng_fault_state = True;
return NT_STATUS_NOT_IMPLEMENTED;
}
r20875: Pass DCE/RPC server call arguments as a struct rather than as separate arguments. This makes it a bit more similar to the Samba4 code. (This used to be commit 0596badb410a58e7a715e2b17bc0bef0489a2448)
2007-01-18 13:18:59 +03:00
NTSTATUS _lsa_CREDRGETSESSIONTYPES(pipes_struct *p, struct lsa_CREDRGETSESSIONTYPES *r)
r19224: Add setting the rng_fault_state to the already converted pipes. Convert the low-hanging fruit of the LSA server. This provides a sample how the server calls can be converted one by one, see the "proxy_lsa_call" function. Volker (This used to be commit 99e54a213ad3561ea6e8dc44c483847c18c5681e)
2006-10-10 12:39:11 +04:00
{
p->rng_fault_state = True;
return NT_STATUS_NOT_IMPLEMENTED;
}
r20875: Pass DCE/RPC server call arguments as a struct rather than as separate arguments. This makes it a bit more similar to the Samba4 code. (This used to be commit 0596badb410a58e7a715e2b17bc0bef0489a2448)
2007-01-18 13:18:59 +03:00
NTSTATUS _lsa_LSARREGISTERAUDITEVENT(pipes_struct *p, struct lsa_LSARREGISTERAUDITEVENT *r)
r19224: Add setting the rng_fault_state to the already converted pipes. Convert the low-hanging fruit of the LSA server. This provides a sample how the server calls can be converted one by one, see the "proxy_lsa_call" function. Volker (This used to be commit 99e54a213ad3561ea6e8dc44c483847c18c5681e)
2006-10-10 12:39:11 +04:00
{
p->rng_fault_state = True;
return NT_STATUS_NOT_IMPLEMENTED;
}
r20875: Pass DCE/RPC server call arguments as a struct rather than as separate arguments. This makes it a bit more similar to the Samba4 code. (This used to be commit 0596badb410a58e7a715e2b17bc0bef0489a2448)
2007-01-18 13:18:59 +03:00
NTSTATUS _lsa_LSARGENAUDITEVENT(pipes_struct *p, struct lsa_LSARGENAUDITEVENT *r)
r19224: Add setting the rng_fault_state to the already converted pipes. Convert the low-hanging fruit of the LSA server. This provides a sample how the server calls can be converted one by one, see the "proxy_lsa_call" function. Volker (This used to be commit 99e54a213ad3561ea6e8dc44c483847c18c5681e)
2006-10-10 12:39:11 +04:00
{
p->rng_fault_state = True;
return NT_STATUS_NOT_IMPLEMENTED;
}
r20875: Pass DCE/RPC server call arguments as a struct rather than as separate arguments. This makes it a bit more similar to the Samba4 code. (This used to be commit 0596badb410a58e7a715e2b17bc0bef0489a2448)
2007-01-18 13:18:59 +03:00
NTSTATUS _lsa_LSARUNREGISTERAUDITEVENT(pipes_struct *p, struct lsa_LSARUNREGISTERAUDITEVENT *r)
r19224: Add setting the rng_fault_state to the already converted pipes. Convert the low-hanging fruit of the LSA server. This provides a sample how the server calls can be converted one by one, see the "proxy_lsa_call" function. Volker (This used to be commit 99e54a213ad3561ea6e8dc44c483847c18c5681e)
2006-10-10 12:39:11 +04:00
{
p->rng_fault_state = True;
return NT_STATUS_NOT_IMPLEMENTED;
}
Merge lsarpc.idl from samba4 and rerun make idl. Guenther (This used to be commit d9c8a2271d5d4ff845f1fe5986a2c63d79c41415)
2008-01-16 18:31:49 +03:00
NTSTATUS _lsa_lsaRQueryForestTrustInformation(pipes_struct *p, struct lsa_lsaRQueryForestTrustInformation *r)
r19224: Add setting the rng_fault_state to the already converted pipes. Convert the low-hanging fruit of the LSA server. This provides a sample how the server calls can be converted one by one, see the "proxy_lsa_call" function. Volker (This used to be commit 99e54a213ad3561ea6e8dc44c483847c18c5681e)
2006-10-10 12:39:11 +04:00
{
p->rng_fault_state = True;
return NT_STATUS_NOT_IMPLEMENTED;
}
r20875: Pass DCE/RPC server call arguments as a struct rather than as separate arguments. This makes it a bit more similar to the Samba4 code. (This used to be commit 0596badb410a58e7a715e2b17bc0bef0489a2448)
2007-01-18 13:18:59 +03:00
NTSTATUS _lsa_LSARSETFORESTTRUSTINFORMATION(pipes_struct *p, struct lsa_LSARSETFORESTTRUSTINFORMATION *r)
r19224: Add setting the rng_fault_state to the already converted pipes. Convert the low-hanging fruit of the LSA server. This provides a sample how the server calls can be converted one by one, see the "proxy_lsa_call" function. Volker (This used to be commit 99e54a213ad3561ea6e8dc44c483847c18c5681e)
2006-10-10 12:39:11 +04:00
{
p->rng_fault_state = True;
return NT_STATUS_NOT_IMPLEMENTED;
}
r20875: Pass DCE/RPC server call arguments as a struct rather than as separate arguments. This makes it a bit more similar to the Samba4 code. (This used to be commit 0596badb410a58e7a715e2b17bc0bef0489a2448)
2007-01-18 13:18:59 +03:00
NTSTATUS _lsa_CREDRRENAME(pipes_struct *p, struct lsa_CREDRRENAME *r)
r19224: Add setting the rng_fault_state to the already converted pipes. Convert the low-hanging fruit of the LSA server. This provides a sample how the server calls can be converted one by one, see the "proxy_lsa_call" function. Volker (This used to be commit 99e54a213ad3561ea6e8dc44c483847c18c5681e)
2006-10-10 12:39:11 +04:00
{
p->rng_fault_state = True;
return NT_STATUS_NOT_IMPLEMENTED;
}
r20875: Pass DCE/RPC server call arguments as a struct rather than as separate arguments. This makes it a bit more similar to the Samba4 code. (This used to be commit 0596badb410a58e7a715e2b17bc0bef0489a2448)
2007-01-18 13:18:59 +03:00
NTSTATUS _lsa_LSAROPENPOLICYSCE(pipes_struct *p, struct lsa_LSAROPENPOLICYSCE *r)
r19224: Add setting the rng_fault_state to the already converted pipes. Convert the low-hanging fruit of the LSA server. This provides a sample how the server calls can be converted one by one, see the "proxy_lsa_call" function. Volker (This used to be commit 99e54a213ad3561ea6e8dc44c483847c18c5681e)
2006-10-10 12:39:11 +04:00
{
p->rng_fault_state = True;
return NT_STATUS_NOT_IMPLEMENTED;
}
r20875: Pass DCE/RPC server call arguments as a struct rather than as separate arguments. This makes it a bit more similar to the Samba4 code. (This used to be commit 0596badb410a58e7a715e2b17bc0bef0489a2448)
2007-01-18 13:18:59 +03:00
NTSTATUS _lsa_LSARADTREGISTERSECURITYEVENTSOURCE(pipes_struct *p, struct lsa_LSARADTREGISTERSECURITYEVENTSOURCE *r)
r19224: Add setting the rng_fault_state to the already converted pipes. Convert the low-hanging fruit of the LSA server. This provides a sample how the server calls can be converted one by one, see the "proxy_lsa_call" function. Volker (This used to be commit 99e54a213ad3561ea6e8dc44c483847c18c5681e)
2006-10-10 12:39:11 +04:00
{
p->rng_fault_state = True;
return NT_STATUS_NOT_IMPLEMENTED;
}
r20875: Pass DCE/RPC server call arguments as a struct rather than as separate arguments. This makes it a bit more similar to the Samba4 code. (This used to be commit 0596badb410a58e7a715e2b17bc0bef0489a2448)
2007-01-18 13:18:59 +03:00
NTSTATUS _lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE(pipes_struct *p, struct lsa_LSARADTUNREGISTERSECURITYEVENTSOURCE *r)
r19224: Add setting the rng_fault_state to the already converted pipes. Convert the low-hanging fruit of the LSA server. This provides a sample how the server calls can be converted one by one, see the "proxy_lsa_call" function. Volker (This used to be commit 99e54a213ad3561ea6e8dc44c483847c18c5681e)
2006-10-10 12:39:11 +04:00
{
p->rng_fault_state = True;
return NT_STATUS_NOT_IMPLEMENTED;
}
r20875: Pass DCE/RPC server call arguments as a struct rather than as separate arguments. This makes it a bit more similar to the Samba4 code. (This used to be commit 0596badb410a58e7a715e2b17bc0bef0489a2448)
2007-01-18 13:18:59 +03:00
NTSTATUS _lsa_LSARADTREPORTSECURITYEVENT(pipes_struct *p, struct lsa_LSARADTREPORTSECURITYEVENT *r)
r19224: Add setting the rng_fault_state to the already converted pipes. Convert the low-hanging fruit of the LSA server. This provides a sample how the server calls can be converted one by one, see the "proxy_lsa_call" function. Volker (This used to be commit 99e54a213ad3561ea6e8dc44c483847c18c5681e)
2006-10-10 12:39:11 +04:00
{
p->rng_fault_state = True;
return NT_STATUS_NOT_IMPLEMENTED;
}
Copy Permalink