   Samba Unix/Linux SMB client library
   Distributed SMB/CIFS Server Management Utility
   Copyright (C) Gerald (Jerry) Carter 2004

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 2 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program; if not, write to the Free Software
   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */
21 #include "utils/net.h"
/********************************************************************
********************************************************************/
/*
 * Resolve one SID to a printable "DOMAIN\name" string over the LSA pipe.
 *
 * @param cli      connected client
 * @param mem_ctx  talloc context that receives the lookup results
 * @param sid      SID to resolve
 * @param name     receives "DOMAIN\\name", or just "name" when the returned
 *                 domain string is empty; untouched when the lookup fails
 * @return         status of the policy open or of the lookup; the policy
 *                 handle is closed on every path after it was opened
 *
 * NOTE(review): this rendering drops some lines (local declarations, the
 * domain check, the return); they are reconstructed from the visible call
 * sequence — confirm against the tree.
 */
static NTSTATUS sid_to_name(struct cli_state *cli, TALLOC_CTX *mem_ctx,
			    DOM_SID *sid, fstring name)
{
	POLICY_HND pol;
	uint32 *sid_types;
	NTSTATUS result;
	char **domains, **names;

	result = cli_lsa_open_policy(cli, mem_ctx, True,
				     SEC_RIGHTS_MAXIMUM_ALLOWED, &pol);
	if (!NT_STATUS_IS_OK(result)) {
		return result;
	}

	result = cli_lsa_lookup_sids(cli, mem_ctx, &pol, 1, sid,
				     &domains, &names, &sid_types);
	if (NT_STATUS_IS_OK(result)) {
		/* fstr_sprintf/fstrcpy are Samba's length-bounded fstring
		 * helpers, so an oversized server-supplied name is truncated
		 * rather than overflowing the caller's buffer.  Whether
		 * names[0] can be NULL for an unmapped SID is not visible
		 * from this file — TODO confirm in cli_lsa_lookup_sids. */
		if (*domains[0]) {
			fstr_sprintf(name, "%s\\%s", domains[0], names[0]);
		} else {
			fstrcpy(name, names[0]);
		}
	}

	cli_lsa_close(cli, mem_ctx, &pol);

	return result;
}
/********************************************************************
********************************************************************/
/*
 * Turn a user-supplied account designator into a SID.
 *
 * A string that starts with "S-" and parses as a SID is accepted verbatim,
 * without any server round trip — so grant/revoke on a raw SID never
 * checks that the account exists.  Anything else goes through an LSA
 * name lookup.
 *
 * @param cli      connected client
 * @param mem_ctx  talloc context for the lookup results
 * @param sid      receives the resolved SID
 * @param name     account name or textual SID from the command line
 * @return         NT_STATUS_OK on success, otherwise the open/lookup status;
 *                 the policy handle is closed whenever it was opened
 *
 * NOTE(review): this rendering drops some lines (local declarations, early
 * returns); they are reconstructed from the visible call sequence — confirm
 * against the tree.
 */
static NTSTATUS name_to_sid(struct cli_state *cli, TALLOC_CTX *mem_ctx,
			    DOM_SID *sid, const char *name)
{
	POLICY_HND pol;
	uint32 *sid_types;
	NTSTATUS result;
	DOM_SID *sids;

	/* maybe its a raw SID */
	if (strncmp(name, "S-", 2) == 0 && string_to_sid(sid, name)) {
		return NT_STATUS_OK;
	}

	result = cli_lsa_open_policy(cli, mem_ctx, True,
				     SEC_RIGHTS_MAXIMUM_ALLOWED, &pol);
	if (!NT_STATUS_IS_OK(result)) {
		return result;
	}

	/* one name in, one SID out */
	result = cli_lsa_lookup_names(cli, mem_ctx, &pol, 1, &name,
				      &sids, &sid_types);
	if (NT_STATUS_IS_OK(result)) {
		sid_copy(sid, &sids[0]);
	}

	cli_lsa_close(cli, mem_ctx, &pol);

	return result;
}
/********************************************************************
********************************************************************/
/*
 * List every privilege the server knows, one per line, with its display
 * description when the server can supply one.
 *
 * @param ctx  talloc context for the enumeration results
 * @param cli  connected client
 * @param pol  open LSA policy handle owned by the caller
 * @return     the enumeration status on failure, NT_STATUS_OK otherwise
 *             (a failed description lookup only prints "??????")
 *
 * NOTE(review): this rendering drops some lines (local declarations, the
 * error return, the loop tail); they are reconstructed from the visible
 * call sequence — confirm against the tree.
 */
static NTSTATUS enum_privileges(TALLOC_CTX *ctx, struct cli_state *cli,
				POLICY_HND *pol)
{
	uint32 enum_context = 0;
	uint32 pref_max_length = 0x1000;
	uint32 count = 0;
	char **privs_name;
	uint32 *privs_high;
	uint32 *privs_low;
	uint32 i;
	uint16 lang_id = 0;
	uint16 lang_id_sys = 0;
	uint16 lang_id_desc;
	fstring description;
	NTSTATUS result;

	result = cli_lsa_enum_privilege(cli, ctx, pol, &enum_context,
					pref_max_length, &count, &privs_name,
					&privs_high, &privs_low);
	if (!NT_STATUS_IS_OK(result)) {
		return result;
	}

	for (i = 0; i < count; i++) {
		/* the server-supplied name goes through %s, never as the
		 * format string itself */
		d_printf("%30s ", privs_name[i] ? privs_name[i] : "*unknown*");

		/* try to get the description.  NOTE(review): a NULL
		 * privs_name[i] is still handed to cli_lsa_get_dispname;
		 * whether that is tolerated is not visible here — confirm. */
		if (!NT_STATUS_IS_OK(cli_lsa_get_dispname(cli, ctx, pol,
					privs_name[i], lang_id, lang_id_sys,
					description, &lang_id_desc))) {
			d_printf("??????\n");
			continue;
		}

		d_printf("%s\n", description);
	}

	return NT_STATUS_OK;
}
/********************************************************************
********************************************************************/
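/*
 * Print the privileges currently assigned to one account, one per line.
 *
 * Output goes through d_printf like the rest of this file; the original
 * used a bare printf for the right names, which bypassed the display
 * routine every other message here uses.
 *
 * @param ctx  talloc context for the enumeration results
 * @param cli  connected client
 * @param pol  open LSA policy handle owned by the caller
 * @param sid  account whose rights are listed
 * @return     the enumeration status on failure, NT_STATUS_OK otherwise
 *
 * NOTE(review): this rendering drops some lines (local declarations, the
 * error return, the empty-list check); they are reconstructed from the
 * visible call sequence — confirm against the tree.
 */
static NTSTATUS enum_privileges_for_user(TALLOC_CTX *ctx, struct cli_state *cli,
					 POLICY_HND *pol, DOM_SID *sid)
{
	NTSTATUS result;
	uint32 count;
	char **rights;
	uint32 i;

	result = cli_lsa_enum_account_rights(cli, ctx, pol, sid, &count, &rights);
	if (!NT_STATUS_IS_OK(result)) {
		return result;
	}

	if (count == 0) {
		d_printf("No privileges assigned\n");
	}

	for (i = 0; i < count; i++) {
		/* %s keeps the server-supplied string out of the format */
		d_printf("%s\n", rights[i]);
	}

	return NT_STATUS_OK;
}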
/********************************************************************
********************************************************************/
/*
 * Walk every SID that holds any privilege and print its rights.
 *
 * Each SID is shown as "DOMAIN\name" when sid_to_name can resolve it and as
 * the raw SID string otherwise.  sid_to_name opens and closes its own LSA
 * policy handle per SID rather than reusing pol, so this is one extra
 * open/close round trip per account.
 *
 * @param ctx  talloc context for the enumeration results
 * @param cli  connected client
 * @param pol  open LSA policy handle owned by the caller
 * @return     the first failing status from the SID enumeration or a
 *             per-user rights enumeration, NT_STATUS_OK otherwise
 *
 * NOTE(review): this rendering drops some lines (local declarations, the
 * error returns, the loop tail); they are reconstructed from the visible
 * call sequence — confirm against the tree.
 */
static NTSTATUS enum_privileges_for_accounts(TALLOC_CTX *ctx, struct cli_state *cli,
					     POLICY_HND *pol)
{
	uint32 enum_context = 0;
	uint32 pref_max_length = 0x1000;
	uint32 count = 0;
	DOM_SID *sids;
	uint32 i;
	fstring name;
	NTSTATUS result;

	result = cli_lsa_enum_sids(cli, ctx, pol, &enum_context,
				   pref_max_length, &count, &sids);
	if (!NT_STATUS_IS_OK(result)) {
		return result;
	}

	for (i = 0; i < count; i++) {
		/* try to convert the SID to a name.  Fall back to
		   printing the raw SID if necessary; a resolution failure
		   is deliberately not fatal */
		result = sid_to_name(cli, ctx, &sids[i], name);
		if (!NT_STATUS_IS_OK(result)) {
			fstrcpy(name, sid_string_static(&sids[i]));
		}

		d_printf("%s\n", name);

		result = enum_privileges_for_user(ctx, cli, pol, &sids[i]);
		if (!NT_STATUS_IS_OK(result)) {
			return result;
		}

		d_printf("\n");
	}

	return NT_STATUS_OK;
}
/********************************************************************
********************************************************************/
/*
 * "net rpc rights list [accounts|name|SID]" worker, run by run_rpc_command
 * over an LSARPC connection.
 *
 *   no argument  -> list every privilege the server defines
 *   "accounts"   -> list every SID that holds a privilege, with its rights
 *   name or SID  -> list the rights of that one account
 *   anything else -> print usage
 *
 * argc is checked before argv[0] is read, so an empty argument list never
 * touches argv.
 *
 * @param domain_sid   unused here (run_rpc_command contract)
 * @param domain_name  unused here (run_rpc_command contract)
 * @param cli          connected client
 * @param mem_ctx      talloc context for RPC results
 * @param argc, argv   arguments after "list"
 * @return             status of the selected enumeration; NT_STATUS_OK for
 *                     the usage case; the policy handle is always closed
 *
 * NOTE(review): this rendering drops some lines (local declarations, the
 * argc guards, the cleanup label); they are reconstructed from the visible
 * call sequence — confirm against the tree.
 */
static NTSTATUS rpc_rights_list_internal(const DOM_SID *domain_sid, const char *domain_name,
					 struct cli_state *cli, TALLOC_CTX *mem_ctx,
					 int argc, const char **argv)
{
	POLICY_HND pol;
	NTSTATUS result;
	DOM_SID sid;

	result = cli_lsa_open_policy(cli, mem_ctx, True,
				     SEC_RIGHTS_MAXIMUM_ALLOWED, &pol);
	if (!NT_STATUS_IS_OK(result)) {
		return result;
	}

	/* backwards compatibility: with no argument just list what exists */
	if (argc == 0) {
		result = enum_privileges(mem_ctx, cli, &pol);
		goto done;
	}

	/* special case to enumerate all privileged SIDs
	   with associated rights */
	if (strequal(argv[0], "accounts")) {
		result = enum_privileges_for_accounts(mem_ctx, cli, &pol);
		goto done;
	}

	if (argc == 1) {
		result = name_to_sid(cli, mem_ctx, &sid, argv[0]);
		if (!NT_STATUS_IS_OK(result)) {
			goto done;
		}
		result = enum_privileges_for_user(mem_ctx, cli, &pol, &sid);
		goto done;
	}

	d_printf("Usage: net rpc rights list [name|SID]\n");
	result = NT_STATUS_OK;

done:
	cli_lsa_close(cli, mem_ctx, &pol);

	return result;
}
/********************************************************************
********************************************************************/
/*
 * "net rpc rights grant <name|SID> <rights...>" worker.
 *
 * Resolves argv[0] to a SID (a raw "S-..." string is taken as-is, see
 * name_to_sid), opens a policy handle and adds argv[1..] as account rights.
 *
 * @param domain_sid   unused here (run_rpc_command contract)
 * @param domain_name  unused here (run_rpc_command contract)
 * @param cli          connected client
 * @param mem_ctx      talloc context for RPC results
 * @param argc, argv   arguments after "grant"
 * @return             NT_STATUS_OK for the usage case, otherwise the status
 *                     of the first failing step; the policy handle is
 *                     closed whenever it was opened
 *
 * NOTE(review): this rendering drops some lines (local declarations, the
 * argc guard, the returns); they are reconstructed from the visible call
 * sequence — confirm against the tree.
 */
static NTSTATUS rpc_rights_grant_internal(const DOM_SID *domain_sid, const char *domain_name,
					  struct cli_state *cli, TALLOC_CTX *mem_ctx,
					  int argc, const char **argv)
{
	POLICY_HND dom_pol;
	NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
	DOM_SID sid;

	/* argv[0] is the account, argv[1..] the right names; fewer than two
	 * arguments is a usage error, checked before argv is read */
	if (argc < 2) {
		d_printf("Usage: net rpc rights grant <name|SID> <rights...>\n");
		return NT_STATUS_OK;
	}

	result = name_to_sid(cli, mem_ctx, &sid, argv[0]);
	if (!NT_STATUS_IS_OK(result)) {
		return result;
	}

	result = cli_lsa_open_policy2(cli, mem_ctx, True,
				      SEC_RIGHTS_MAXIMUM_ALLOWED, &dom_pol);
	if (!NT_STATUS_IS_OK(result)) {
		return result;
	}

	/* sid goes by value here, unlike the &sid above */
	result = cli_lsa_add_account_rights(cli, mem_ctx, &dom_pol, sid,
					    argc - 1, argv + 1);
	if (NT_STATUS_IS_OK(result)) {
		d_printf("Successfully granted rights.\n");
	} else {
		d_printf("Failed to grant privileges for %s (%s)\n",
			 argv[0], nt_errstr(result));
	}

	cli_lsa_close(cli, mem_ctx, &dom_pol);

	return result;
}
/********************************************************************
********************************************************************/
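/*
 * "net rpc rights revoke <name|SID> <rights...>" worker.
 *
 * Mirrors rpc_rights_grant_internal: resolve argv[0] to a SID, open a policy
 * handle, remove argv[1..] from the account's rights (removeall=False, so
 * only the named rights go).
 *
 * Fix: the failure message lacked its trailing newline, unlike the grant
 * counterpart, so the next line of output ran into it.
 *
 * @param domain_sid   unused here (run_rpc_command contract)
 * @param domain_name  unused here (run_rpc_command contract)
 * @param cli          connected client
 * @param mem_ctx      talloc context for RPC results
 * @param argc, argv   arguments after "revoke"
 * @return             NT_STATUS_OK for the usage case, otherwise the status
 *                     of the first failing step; the policy handle is
 *                     closed whenever it was opened
 *
 * NOTE(review): this rendering drops some lines (local declarations, the
 * argc guard, the returns); they are reconstructed from the visible call
 * sequence — confirm against the tree.
 */
static NTSTATUS rpc_rights_revoke_internal(const DOM_SID *domain_sid, const char *domain_name,
					   struct cli_state *cli, TALLOC_CTX *mem_ctx,
					   int argc, const char **argv)
{
	POLICY_HND dom_pol;
	NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
	DOM_SID sid;

	/* argv[0] is the account, argv[1..] the right names; checked before
	 * argv is read */
	if (argc < 2) {
		d_printf("Usage: net rpc rights revoke <name|SID> <rights...>\n");
		return NT_STATUS_OK;
	}

	result = name_to_sid(cli, mem_ctx, &sid, argv[0]);
	if (!NT_STATUS_IS_OK(result)) {
		return result;
	}

	result = cli_lsa_open_policy2(cli, mem_ctx, True,
				      SEC_RIGHTS_MAXIMUM_ALLOWED, &dom_pol);
	if (!NT_STATUS_IS_OK(result)) {
		return result;
	}

	/* False: remove only the listed rights, not every right the
	 * account holds */
	result = cli_lsa_remove_account_rights(cli, mem_ctx, &dom_pol, sid,
					       False, argc - 1, argv + 1);
	if (NT_STATUS_IS_OK(result)) {
		d_printf("Successfully revoked rights.\n");
	} else {
		d_printf("Failed to revoke privileges for %s (%s)\n",
			 argv[0], nt_errstr(result));
	}

	cli_lsa_close(cli, mem_ctx, &dom_pol);

	return result;
}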
/********************************************************************
********************************************************************/
/*
 * "net rpc rights list" entry: hand the arguments to
 * rpc_rights_list_internal over a fresh LSARPC connection.
 *
 * @return  whatever run_rpc_command returns (0 on success by the net
 *          convention)
 */
static int rpc_rights_list(int argc, const char **argv)
{
	return run_rpc_command(NULL, PI_LSARPC, 0,
			       rpc_rights_list_internal, argc, argv);
}
/********************************************************************
********************************************************************/
/*
 * "net rpc rights grant" entry: hand the arguments to
 * rpc_rights_grant_internal over a fresh LSARPC connection.
 *
 * @return  whatever run_rpc_command returns (0 on success by the net
 *          convention)
 */
static int rpc_rights_grant(int argc, const char **argv)
{
	return run_rpc_command(NULL, PI_LSARPC, 0,
			       rpc_rights_grant_internal, argc, argv);
}
/********************************************************************
********************************************************************/
/*
 * "net rpc rights revoke" entry: hand the arguments to
 * rpc_rights_revoke_internal over a fresh LSARPC connection.
 *
 * @return  whatever run_rpc_command returns (0 on success by the net
 *          convention)
 */
static int rpc_rights_revoke(int argc, const char **argv)
{
	return run_rpc_command(NULL, PI_LSARPC, 0,
			       rpc_rights_revoke_internal, argc, argv);
}
/********************************************************************
********************************************************************/
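/*
 * Print the usage text for "net rpc rights".
 *
 * Fix: the worked example was not runnable as written — it said
 * "net rpc grant" (missing the "rights" sub-command) and misspelled
 * "SeDiskOperatorPrivilege", so copying it produced an error rather than
 * the grant it describes.
 *
 * @param argc, argv  unused
 * @return            -1, the net convention for "help was shown"
 *
 * NOTE(review): this rendering drops the return line; it is reconstructed
 * — confirm against the tree.
 */
static int net_help_rights(int argc, const char **argv)
{
	d_printf("net rpc rights list [accounts|username] View available or assigned privileges\n");
	d_printf("net rpc rights grant <name|SID> <right> Assign privilege[s]\n");
	d_printf("net rpc rights revoke <name|SID> <right> Revoke privilege[s]\n");

	d_printf("\nBoth 'grant' and 'revoke' require a SID and a list of privilege names.\n");
	d_printf("For example\n");
	d_printf("\n net rpc rights grant 'VALE\\biddle' SePrintOperatorPrivilege SeDiskOperatorPrivilege\n");
	d_printf("\nwould grant the printer admin and disk manager rights to the user 'VALE\\biddle'\n\n");

	return -1;
}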
/********************************************************************
********************************************************************/
/*
 * Dispatcher for "net rpc rights": routes "list", "grant" and "revoke" to
 * their handlers, and shows help when no sub-command was given.
 *
 * @param argc, argv  arguments after "rights"
 * @return            the handler's result, or net_help_rights' when there
 *                    is nothing to dispatch
 *
 * NOTE(review): this rendering drops the table terminator and the argc
 * check; both are reconstructed — confirm against the tree.
 */
int net_rpc_rights(int argc, const char **argv)
{
	/* net_run_function walks this until the NULL entry, so the
	 * terminator is load-bearing */
	struct functable func[] = {
		{"list",   rpc_rights_list},
		{"grant",  rpc_rights_grant},
		{"revoke", rpc_rights_revoke},
		{NULL, NULL}
	};

	if (argc == 0) {
		return net_help_rights(argc, argv);
	}

	return net_run_function(argc, argv, func, net_help_rights);
}