diff options
Diffstat (limited to 'source3/rpc_server')
-rw-r--r-- | source3/rpc_server/lsa/srv_lsa_nt.c | 81 |
1 files changed, 74 insertions, 7 deletions
diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c b/source3/rpc_server/lsa/srv_lsa_nt.c index c0f6ecef40..2f0695c122 100644 --- a/source3/rpc_server/lsa/srv_lsa_nt.c +++ b/source3/rpc_server/lsa/srv_lsa_nt.c @@ -1426,6 +1426,80 @@ NTSTATUS _lsa_OpenTrustedDomain(struct pipes_struct *p, } /*************************************************************************** + _lsa_CreateTrustedDomainEx2 + ***************************************************************************/ + +NTSTATUS _lsa_CreateTrustedDomainEx2(struct pipes_struct *p, + struct lsa_CreateTrustedDomainEx2 *r) +{ + struct lsa_info *policy; + NTSTATUS status; + uint32_t acc_granted; + struct security_descriptor *psd; + size_t sd_size; + + if (!IS_DC) { + return NT_STATUS_NOT_SUPPORTED; + } + + if (!find_policy_by_hnd(p, r->in.policy_handle, (void **)(void *)&policy)) { + return NT_STATUS_INVALID_HANDLE; + } + + if (!(policy->access & LSA_POLICY_TRUST_ADMIN)) { + return NT_STATUS_ACCESS_DENIED; + } + + if (p->server_info->utok.uid != sec_initial_uid() && + !nt_token_check_domain_rid(p->server_info->security_token, DOMAIN_RID_ADMINS)) { + return NT_STATUS_ACCESS_DENIED; + } + + /* Work out max allowed. */ + map_max_allowed_access(p->server_info->security_token, + &p->server_info->utok, + &r->in.access_mask); + + /* map the generic bits to the lsa policy ones */ + se_map_generic(&r->in.access_mask, &lsa_account_mapping); + + status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size, + &lsa_trusted_domain_mapping, + NULL, 0); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + status = access_check_object(psd, p->server_info->security_token, + SEC_PRIV_INVALID, SEC_PRIV_INVALID, 0, + r->in.access_mask, &acc_granted, + "_lsa_CreateTrustedDomainEx2"); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + if (!pdb_set_trusteddom_pw(r->in.info->netbios_name.string, + generate_random_str(p->mem_ctx, DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH), + r->in.info->sid)) { + return NT_STATUS_ACCESS_DENIED; + } + + status = create_lsa_policy_handle(p->mem_ctx, p, + LSA_HANDLE_TRUST_TYPE, + acc_granted, + r->in.info->sid, + r->in.info->netbios_name.string, + psd, + r->out.trustdom_handle); + if (!NT_STATUS_IS_OK(status)) { + pdb_del_trusteddom_pw(r->in.info->netbios_name.string); + return NT_STATUS_OBJECT_NAME_NOT_FOUND; + } + + return NT_STATUS_OK; +} + +/*************************************************************************** ***************************************************************************/ NTSTATUS _lsa_CreateTrustedDomain(struct pipes_struct *p, @@ -2655,13 +2729,6 @@ NTSTATUS _lsa_TestCall(struct pipes_struct *p, struct lsa_TestCall *r) return NT_STATUS_NOT_IMPLEMENTED; } -NTSTATUS _lsa_CreateTrustedDomainEx2(struct pipes_struct *p, - struct lsa_CreateTrustedDomainEx2 *r) -{ - p->rng_fault_state = True; - return NT_STATUS_NOT_IMPLEMENTED; -} - NTSTATUS _lsa_CREDRWRITE(struct pipes_struct *p, struct lsa_CREDRWRITE *r) { p->rng_fault_state = True; |