search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Rework of VFS is_offline() function to only return boolean offline/online result...
[Samba.git] / source3 / rpcclient / cmd_lsarpc.c
blob05269d771128ca3ecde403fa5bc634b48f1f78fb
1 /*
2 Unix SMB/CIFS implementation.
3 RPC pipe client
4
5 Copyright (C) Tim Potter 2000
6 Copyright (C) Rafal Szczesniak 2002
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "rpcclient.h"
24
25
26 /* useful function to allow entering a name instead of a SID and
27 * looking it up automatically */
28 static NTSTATUS name_to_sid(struct rpc_pipe_client *cli,
29 TALLOC_CTX *mem_ctx,
30 DOM_SID *sid, const char *name)
31 {
32 POLICY_HND pol;
33 enum lsa_SidType *sid_types;
34 NTSTATUS result;
35 DOM_SID *sids;
36
37 /* maybe its a raw SID */
38 if (strncmp(name, "S-", 2) == 0 &&
39 string_to_sid(sid, name)) {
40 return NT_STATUS_OK;
41 }
42
43 result = rpccli_lsa_open_policy(cli, mem_ctx, True,
44 SEC_RIGHTS_MAXIMUM_ALLOWED,
45 &pol);
46 if (!NT_STATUS_IS_OK(result))
47 goto done;
48
49 result = rpccli_lsa_lookup_names(cli, mem_ctx, &pol, 1, &name, NULL, 1, &sids, &sid_types);
50 if (!NT_STATUS_IS_OK(result))
51 goto done;
52
53 rpccli_lsa_Close(cli, mem_ctx, &pol);
54
55 *sid = sids[0];
56
57 done:
58 return result;
59 }
60
61 static void display_query_info_1(DOM_QUERY_1 d)
62 {
63 d_printf("percent_full:\t%d\n", d.percent_full);
64 d_printf("log_size:\t%d\n", d.log_size);
65 d_printf("retention_time:\t%lld\n", (long long)d.retention_time);
66 d_printf("shutdown_in_progress:\t%d\n", d.shutdown_in_progress);
67 d_printf("time_to_shutdown:\t%lld\n", (long long)d.time_to_shutdown);
68 d_printf("next_audit_record:\t%d\n", d.next_audit_record);
69 d_printf("unknown:\t%d\n", d.unknown);
70 }
71
72 static void display_query_info_2(DOM_QUERY_2 d, TALLOC_CTX *mem_ctx)
73 {
74 int i;
75 d_printf("Auditing enabled:\t%d\n", d.auditing_enabled);
76 d_printf("Auditing categories:\t%d\n", d.count1);
77 d_printf("Auditsettings:\n");
78 for (i=0; i<d.count1; i++) {
79 const char *val = audit_policy_str(mem_ctx, d.auditsettings[i]);
80 const char *policy = audit_description_str(i);
81 d_printf("%s:\t%s\n", policy, val);
82 }
83 }
84
85 static void display_query_info_3(DOM_QUERY_3 d)
86 {
87 fstring name;
88
89 unistr2_to_ascii(name, &d.uni_domain_name, sizeof(name));
90
91 d_printf("Domain Name: %s\n", name);
92 d_printf("Domain Sid: %s\n", sid_string_tos(&d.dom_sid.sid));
93 }
94
95 static void display_query_info_5(DOM_QUERY_5 d)
96 {
97 fstring name;
98
99 unistr2_to_ascii(name, &d.uni_domain_name, sizeof(name));
100
101 d_printf("Domain Name: %s\n", name);
102 d_printf("Domain Sid: %s\n", sid_string_tos(&d.dom_sid.sid));
103 }
104
105 static void display_query_info_10(DOM_QUERY_10 d)
106 {
107 d_printf("Shutdown on full: %d\n", d.shutdown_on_full);
108 }
109
110 static void display_query_info_11(DOM_QUERY_11 d)
111 {
112 d_printf("Shutdown on full: %d\n", d.shutdown_on_full);
113 d_printf("Log is full: %d\n", d.log_is_full);
114 d_printf("Unknown: %d\n", d.unknown);
115 }
116
117 static void display_query_info_12(DOM_QUERY_12 d)
118 {
119 fstring dom_name, dns_dom_name, forest_name;
120
121 unistr2_to_ascii(dom_name, &d.uni_nb_dom_name, sizeof(dom_name));
122 unistr2_to_ascii(dns_dom_name, &d.uni_dns_dom_name, sizeof(dns_dom_name));
123 unistr2_to_ascii(forest_name, &d.uni_forest_name, sizeof(forest_name));
124
125 d_printf("Domain NetBios Name: %s\n", dom_name);
126 d_printf("Domain DNS Name: %s\n", dns_dom_name);
127 d_printf("Domain Forest Name: %s\n", forest_name);
128 d_printf("Domain Sid: %s\n", sid_string_tos(&d.dom_sid.sid));
129 d_printf("Domain GUID: %s\n", smb_uuid_string(talloc_tos(),
130 d.dom_guid));
131
132 }
133
134
135
136 static void display_lsa_query_info(LSA_INFO_CTR *dom, TALLOC_CTX *mem_ctx)
137 {
138 switch (dom->info_class) {
139 case 1:
140 display_query_info_1(dom->info.id1);
141 break;
142 case 2:
143 display_query_info_2(dom->info.id2, mem_ctx);
144 break;
145 case 3:
146 display_query_info_3(dom->info.id3);
147 break;
148 case 5:
149 display_query_info_5(dom->info.id5);
150 break;
151 case 10:
152 display_query_info_10(dom->info.id10);
153 break;
154 case 11:
155 display_query_info_11(dom->info.id11);
156 break;
157 case 12:
158 display_query_info_12(dom->info.id12);
159 break;
160 default:
161 printf("can't display info level: %d\n", dom->info_class);
162 break;
163 }
164 }
165
166 static NTSTATUS cmd_lsa_query_info_policy(struct rpc_pipe_client *cli,
167 TALLOC_CTX *mem_ctx, int argc,
168 const char **argv)
169 {
170 POLICY_HND pol;
171 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
172 LSA_INFO_CTR dom;
173
174 uint32 info_class = 3;
175
176 if (argc > 2) {
177 printf("Usage: %s [info_class]\n", argv[0]);
178 return NT_STATUS_OK;
179 }
180
181 if (argc == 2)
182 info_class = atoi(argv[1]);
183
184 switch (info_class) {
185 case 12:
186 result = rpccli_lsa_open_policy2(cli, mem_ctx, True,
187 SEC_RIGHTS_MAXIMUM_ALLOWED,
188 &pol);
189
190 if (!NT_STATUS_IS_OK(result))
191 goto done;
192
193 result = rpccli_lsa_query_info_policy2_new(cli, mem_ctx, &pol,
194 info_class, &dom);
195 break;
196 default:
197 result = rpccli_lsa_open_policy(cli, mem_ctx, True,
198 SEC_RIGHTS_MAXIMUM_ALLOWED,
199 &pol);
200
201 if (!NT_STATUS_IS_OK(result))
202 goto done;
203
204 result = rpccli_lsa_query_info_policy_new(cli, mem_ctx, &pol,
205 info_class, &dom);
206 }
207
208
209 display_lsa_query_info(&dom, mem_ctx);
210
211 rpccli_lsa_Close(cli, mem_ctx, &pol);
212
213 done:
214 return result;
215 }
216
217 /* Resolve a list of names to a list of sids */
218
219 static NTSTATUS cmd_lsa_lookup_names(struct rpc_pipe_client *cli,
220 TALLOC_CTX *mem_ctx, int argc,
221 const char **argv)
222 {
223 POLICY_HND pol;
224 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
225 DOM_SID *sids;
226 enum lsa_SidType *types;
227 int i;
228
229 if (argc == 1) {
230 printf("Usage: %s [name1 [name2 [...]]]\n", argv[0]);
231 return NT_STATUS_OK;
232 }
233
234 result = rpccli_lsa_open_policy(cli, mem_ctx, True,
235 SEC_RIGHTS_MAXIMUM_ALLOWED,
236 &pol);
237
238 if (!NT_STATUS_IS_OK(result))
239 goto done;
240
241 result = rpccli_lsa_lookup_names(cli, mem_ctx, &pol, argc - 1,
242 (const char**)(argv + 1), NULL, 1, &sids, &types);
243
244 if (!NT_STATUS_IS_OK(result) && NT_STATUS_V(result) !=
245 NT_STATUS_V(STATUS_SOME_UNMAPPED))
246 goto done;
247
248 result = NT_STATUS_OK;
249
250 /* Print results */
251
252 for (i = 0; i < (argc - 1); i++) {
253 fstring sid_str;
254 sid_to_fstring(sid_str, &sids[i]);
255 printf("%s %s (%s: %d)\n", argv[i + 1], sid_str,
256 sid_type_lookup(types[i]), types[i]);
257 }
258
259 rpccli_lsa_Close(cli, mem_ctx, &pol);
260
261 done:
262 return result;
263 }
264
265 /* Resolve a list of names to a list of sids */
266
267 static NTSTATUS cmd_lsa_lookup_names_level(struct rpc_pipe_client *cli,
268 TALLOC_CTX *mem_ctx, int argc,
269 const char **argv)
270 {
271 POLICY_HND pol;
272 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
273 DOM_SID *sids;
274 enum lsa_SidType *types;
275 int i, level;
276
277 if (argc < 3) {
278 printf("Usage: %s [level] [name1 [name2 [...]]]\n", argv[0]);
279 return NT_STATUS_OK;
280 }
281
282 result = rpccli_lsa_open_policy(cli, mem_ctx, True,
283 SEC_RIGHTS_MAXIMUM_ALLOWED,
284 &pol);
285
286 if (!NT_STATUS_IS_OK(result))
287 goto done;
288
289 level = atoi(argv[1]);
290
291 result = rpccli_lsa_lookup_names(cli, mem_ctx, &pol, argc - 2,
292 (const char**)(argv + 2), NULL, level, &sids, &types);
293
294 if (!NT_STATUS_IS_OK(result) && NT_STATUS_V(result) !=
295 NT_STATUS_V(STATUS_SOME_UNMAPPED))
296 goto done;
297
298 result = NT_STATUS_OK;
299
300 /* Print results */
301
302 for (i = 0; i < (argc - 2); i++) {
303 fstring sid_str;
304 sid_to_fstring(sid_str, &sids[i]);
305 printf("%s %s (%s: %d)\n", argv[i + 2], sid_str,
306 sid_type_lookup(types[i]), types[i]);
307 }
308
309 rpccli_lsa_Close(cli, mem_ctx, &pol);
310
311 done:
312 return result;
313 }
314
315
316 /* Resolve a list of SIDs to a list of names */
317
318 static NTSTATUS cmd_lsa_lookup_sids(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
319 int argc, const char **argv)
320 {
321 POLICY_HND pol;
322 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
323 DOM_SID *sids;
324 char **domains;
325 char **names;
326 enum lsa_SidType *types;
327 int i;
328
329 if (argc == 1) {
330 printf("Usage: %s [sid1 [sid2 [...]]]\n", argv[0]);
331 return NT_STATUS_OK;
332 }
333
334 result = rpccli_lsa_open_policy(cli, mem_ctx, True,
335 SEC_RIGHTS_MAXIMUM_ALLOWED,
336 &pol);
337
338 if (!NT_STATUS_IS_OK(result))
339 goto done;
340
341 /* Convert arguments to sids */
342
343 sids = TALLOC_ARRAY(mem_ctx, DOM_SID, argc - 1);
344
345 if (!sids) {
346 printf("could not allocate memory for %d sids\n", argc - 1);
347 goto done;
348 }
349
350 for (i = 0; i < argc - 1; i++)
351 if (!string_to_sid(&sids[i], argv[i + 1])) {
352 result = NT_STATUS_INVALID_SID;
353 goto done;
354 }
355
356 /* Lookup the SIDs */
357
358 result = rpccli_lsa_lookup_sids(cli, mem_ctx, &pol, argc - 1, sids,
359 &domains, &names, &types);
360
361 if (!NT_STATUS_IS_OK(result) && NT_STATUS_V(result) !=
362 NT_STATUS_V(STATUS_SOME_UNMAPPED))
363 goto done;
364
365 result = NT_STATUS_OK;
366
367 /* Print results */
368
369 for (i = 0; i < (argc - 1); i++) {
370 fstring sid_str;
371
372 sid_to_fstring(sid_str, &sids[i]);
373 printf("%s %s\\%s (%d)\n", sid_str,
374 domains[i] ? domains[i] : "*unknown*",
375 names[i] ? names[i] : "*unknown*", types[i]);
376 }
377
378 rpccli_lsa_Close(cli, mem_ctx, &pol);
379
380 done:
381 return result;
382 }
383
384 /* Enumerate list of trusted domains */
385
386 static NTSTATUS cmd_lsa_enum_trust_dom(struct rpc_pipe_client *cli,
387 TALLOC_CTX *mem_ctx, int argc,
388 const char **argv)
389 {
390 POLICY_HND pol;
391 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
392 DOM_SID *domain_sids;
393 char **domain_names;
394
395 /* defaults, but may be changed using params */
396 uint32 enum_ctx = 0;
397 uint32 num_domains = 0;
398 int i;
399
400 if (argc > 2) {
401 printf("Usage: %s [enum context (0)]\n", argv[0]);
402 return NT_STATUS_OK;
403 }
404
405 if (argc == 2 && argv[1]) {
406 enum_ctx = atoi(argv[2]);
407 }
408
409 result = rpccli_lsa_open_policy(cli, mem_ctx, True,
410 POLICY_VIEW_LOCAL_INFORMATION,
411 &pol);
412
413 if (!NT_STATUS_IS_OK(result))
414 goto done;
415
416 result = STATUS_MORE_ENTRIES;
417
418 while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES)) {
419
420 /* Lookup list of trusted domains */
421
422 result = rpccli_lsa_enum_trust_dom(cli, mem_ctx, &pol, &enum_ctx,
423 &num_domains,
424 &domain_names, &domain_sids);
425 if (!NT_STATUS_IS_OK(result) &&
426 !NT_STATUS_EQUAL(result, NT_STATUS_NO_MORE_ENTRIES) &&
427 !NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES))
428 goto done;
429
430 /* Print results: list of names and sids returned in this
431 * response. */
432 for (i = 0; i < num_domains; i++) {
433 fstring sid_str;
434
435 sid_to_fstring(sid_str, &domain_sids[i]);
436 printf("%s %s\n", domain_names[i] ? domain_names[i] :
437 "*unknown*", sid_str);
438 }
439 }
440
441 rpccli_lsa_Close(cli, mem_ctx, &pol);
442 done:
443 return result;
444 }
445
446 /* Enumerates privileges */
447
448 static NTSTATUS cmd_lsa_enum_privilege(struct rpc_pipe_client *cli,
449 TALLOC_CTX *mem_ctx, int argc,
450 const char **argv)
451 {
452 POLICY_HND pol;
453 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
454
455 uint32 enum_context=0;
456 uint32 pref_max_length=0x1000;
457 uint32 count=0;
458 char **privs_name;
459 uint32 *privs_high;
460 uint32 *privs_low;
461 int i;
462
463 if (argc > 3) {
464 printf("Usage: %s [enum context] [max length]\n", argv[0]);
465 return NT_STATUS_OK;
466 }
467
468 if (argc>=2)
469 enum_context=atoi(argv[1]);
470
471 if (argc==3)
472 pref_max_length=atoi(argv[2]);
473
474 result = rpccli_lsa_open_policy(cli, mem_ctx, True,
475 SEC_RIGHTS_MAXIMUM_ALLOWED,
476 &pol);
477
478 if (!NT_STATUS_IS_OK(result))
479 goto done;
480
481 result = rpccli_lsa_enum_privilege(cli, mem_ctx, &pol, &enum_context, pref_max_length,
482 &count, &privs_name, &privs_high, &privs_low);
483
484 if (!NT_STATUS_IS_OK(result))
485 goto done;
486
487 /* Print results */
488 printf("found %d privileges\n\n", count);
489
490 for (i = 0; i < count; i++) {
491 printf("%s \t\t%d:%d (0x%x:0x%x)\n", privs_name[i] ? privs_name[i] : "*unknown*",
492 privs_high[i], privs_low[i], privs_high[i], privs_low[i]);
493 }
494
495 rpccli_lsa_Close(cli, mem_ctx, &pol);
496 done:
497 return result;
498 }
499
500 /* Get privilege name */
501
502 static NTSTATUS cmd_lsa_get_dispname(struct rpc_pipe_client *cli,
503 TALLOC_CTX *mem_ctx, int argc,
504 const char **argv)
505 {
506 POLICY_HND pol;
507 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
508
509 uint16 lang_id=0;
510 uint16 lang_id_sys=0;
511 uint16 lang_id_desc;
512 fstring description;
513
514 if (argc != 2) {
515 printf("Usage: %s privilege name\n", argv[0]);
516 return NT_STATUS_OK;
517 }
518
519 result = rpccli_lsa_open_policy(cli, mem_ctx, True,
520 SEC_RIGHTS_MAXIMUM_ALLOWED,
521 &pol);
522
523 if (!NT_STATUS_IS_OK(result))
524 goto done;
525
526 result = rpccli_lsa_get_dispname(cli, mem_ctx, &pol, argv[1], lang_id, lang_id_sys, description, &lang_id_desc);
527
528 if (!NT_STATUS_IS_OK(result))
529 goto done;
530
531 /* Print results */
532 printf("%s -> %s (language: 0x%x)\n", argv[1], description, lang_id_desc);
533
534 rpccli_lsa_Close(cli, mem_ctx, &pol);
535 done:
536 return result;
537 }
538
539 /* Enumerate the LSA SIDS */
540
541 static NTSTATUS cmd_lsa_enum_sids(struct rpc_pipe_client *cli,
542 TALLOC_CTX *mem_ctx, int argc,
543 const char **argv)
544 {
545 POLICY_HND pol;
546 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
547
548 uint32 enum_context=0;
549 uint32 pref_max_length=0x1000;
550 DOM_SID *sids;
551 uint32 count=0;
552 int i;
553
554 if (argc > 3) {
555 printf("Usage: %s [enum context] [max length]\n", argv[0]);
556 return NT_STATUS_OK;
557 }
558
559 if (argc>=2)
560 enum_context=atoi(argv[1]);
561
562 if (argc==3)
563 pref_max_length=atoi(argv[2]);
564
565 result = rpccli_lsa_open_policy(cli, mem_ctx, True,
566 SEC_RIGHTS_MAXIMUM_ALLOWED,
567 &pol);
568
569 if (!NT_STATUS_IS_OK(result))
570 goto done;
571
572 result = rpccli_lsa_enum_sids(cli, mem_ctx, &pol, &enum_context, pref_max_length,
573 &count, &sids);
574
575 if (!NT_STATUS_IS_OK(result))
576 goto done;
577
578 /* Print results */
579 printf("found %d SIDs\n\n", count);
580
581 for (i = 0; i < count; i++) {
582 fstring sid_str;
583
584 sid_to_fstring(sid_str, &sids[i]);
585 printf("%s\n", sid_str);
586 }
587
588 rpccli_lsa_Close(cli, mem_ctx, &pol);
589 done:
590 return result;
591 }
592
593 /* Create a new account */
594
595 static NTSTATUS cmd_lsa_create_account(struct rpc_pipe_client *cli,
596 TALLOC_CTX *mem_ctx, int argc,
597 const char **argv)
598 {
599 POLICY_HND dom_pol;
600 POLICY_HND user_pol;
601 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
602 uint32 des_access = 0x000f000f;
603
604 DOM_SID sid;
605
606 if (argc != 2 ) {
607 printf("Usage: %s SID\n", argv[0]);
608 return NT_STATUS_OK;
609 }
610
611 result = name_to_sid(cli, mem_ctx, &sid, argv[1]);
612 if (!NT_STATUS_IS_OK(result))
613 goto done;
614
615 result = rpccli_lsa_open_policy2(cli, mem_ctx, True,
616 SEC_RIGHTS_MAXIMUM_ALLOWED,
617 &dom_pol);
618
619 if (!NT_STATUS_IS_OK(result))
620 goto done;
621
622 result = rpccli_lsa_create_account(cli, mem_ctx, &dom_pol, &sid, des_access, &user_pol);
623
624 if (!NT_STATUS_IS_OK(result))
625 goto done;
626
627 printf("Account for SID %s successfully created\n\n", argv[1]);
628 result = NT_STATUS_OK;
629
630 rpccli_lsa_Close(cli, mem_ctx, &dom_pol);
631 done:
632 return result;
633 }
634
635
636 /* Enumerate the privileges of an SID */
637
638 static NTSTATUS cmd_lsa_enum_privsaccounts(struct rpc_pipe_client *cli,
639 TALLOC_CTX *mem_ctx, int argc,
640 const char **argv)
641 {
642 POLICY_HND dom_pol;
643 POLICY_HND user_pol;
644 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
645 uint32 access_desired = 0x000f000f;
646
647 DOM_SID sid;
648 uint32 count=0;
649 LUID_ATTR *set;
650 int i;
651
652 if (argc != 2 ) {
653 printf("Usage: %s SID\n", argv[0]);
654 return NT_STATUS_OK;
655 }
656
657 result = name_to_sid(cli, mem_ctx, &sid, argv[1]);
658 if (!NT_STATUS_IS_OK(result))
659 goto done;
660
661 result = rpccli_lsa_open_policy2(cli, mem_ctx, True,
662 SEC_RIGHTS_MAXIMUM_ALLOWED,
663 &dom_pol);
664
665 if (!NT_STATUS_IS_OK(result))
666 goto done;
667
668 result = rpccli_lsa_open_account(cli, mem_ctx, &dom_pol, &sid, access_desired, &user_pol);
669
670 if (!NT_STATUS_IS_OK(result))
671 goto done;
672
673 result = rpccli_lsa_enum_privsaccount(cli, mem_ctx, &user_pol, &count, &set);
674
675 if (!NT_STATUS_IS_OK(result))
676 goto done;
677
678 /* Print results */
679 printf("found %d privileges for SID %s\n\n", count, argv[1]);
680 printf("high\tlow\tattribute\n");
681
682 for (i = 0; i < count; i++) {
683 printf("%u\t%u\t%u\n", set[i].luid.high, set[i].luid.low, set[i].attr);
684 }
685
686 rpccli_lsa_Close(cli, mem_ctx, &dom_pol);
687 done:
688 return result;
689 }
690
691
692 /* Enumerate the privileges of an SID via LsaEnumerateAccountRights */
693
694 static NTSTATUS cmd_lsa_enum_acct_rights(struct rpc_pipe_client *cli,
695 TALLOC_CTX *mem_ctx, int argc,
696 const char **argv)
697 {
698 POLICY_HND dom_pol;
699 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
700
701 DOM_SID sid;
702 uint32 count;
703 char **rights;
704
705 int i;
706
707 if (argc != 2 ) {
708 printf("Usage: %s SID\n", argv[0]);
709 return NT_STATUS_OK;
710 }
711
712 result = name_to_sid(cli, mem_ctx, &sid, argv[1]);
713 if (!NT_STATUS_IS_OK(result))
714 goto done;
715
716 result = rpccli_lsa_open_policy2(cli, mem_ctx, True,
717 SEC_RIGHTS_MAXIMUM_ALLOWED,
718 &dom_pol);
719
720 if (!NT_STATUS_IS_OK(result))
721 goto done;
722
723 result = rpccli_lsa_enum_account_rights(cli, mem_ctx, &dom_pol, &sid, &count, &rights);
724
725 if (!NT_STATUS_IS_OK(result))
726 goto done;
727
728 printf("found %d privileges for SID %s\n", count,
729 sid_string_tos(&sid));
730
731 for (i = 0; i < count; i++) {
732 printf("\t%s\n", rights[i]);
733 }
734
735 rpccli_lsa_Close(cli, mem_ctx, &dom_pol);
736 done:
737 return result;
738 }
739
740
741 /* add some privileges to a SID via LsaAddAccountRights */
742
743 static NTSTATUS cmd_lsa_add_acct_rights(struct rpc_pipe_client *cli,
744 TALLOC_CTX *mem_ctx, int argc,
745 const char **argv)
746 {
747 POLICY_HND dom_pol;
748 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
749
750 DOM_SID sid;
751
752 if (argc < 3 ) {
753 printf("Usage: %s SID [rights...]\n", argv[0]);
754 return NT_STATUS_OK;
755 }
756
757 result = name_to_sid(cli, mem_ctx, &sid, argv[1]);
758 if (!NT_STATUS_IS_OK(result))
759 goto done;
760
761 result = rpccli_lsa_open_policy2(cli, mem_ctx, True,
762 SEC_RIGHTS_MAXIMUM_ALLOWED,
763 &dom_pol);
764
765 if (!NT_STATUS_IS_OK(result))
766 goto done;
767
768 result = rpccli_lsa_add_account_rights(cli, mem_ctx, &dom_pol, sid,
769 argc-2, argv+2);
770
771 if (!NT_STATUS_IS_OK(result))
772 goto done;
773
774 rpccli_lsa_Close(cli, mem_ctx, &dom_pol);
775 done:
776 return result;
777 }
778
779
780 /* remove some privileges to a SID via LsaRemoveAccountRights */
781
782 static NTSTATUS cmd_lsa_remove_acct_rights(struct rpc_pipe_client *cli,
783 TALLOC_CTX *mem_ctx, int argc,
784 const char **argv)
785 {
786 POLICY_HND dom_pol;
787 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
788
789 DOM_SID sid;
790
791 if (argc < 3 ) {
792 printf("Usage: %s SID [rights...]\n", argv[0]);
793 return NT_STATUS_OK;
794 }
795
796 result = name_to_sid(cli, mem_ctx, &sid, argv[1]);
797 if (!NT_STATUS_IS_OK(result))
798 goto done;
799
800 result = rpccli_lsa_open_policy2(cli, mem_ctx, True,
801 SEC_RIGHTS_MAXIMUM_ALLOWED,
802 &dom_pol);
803
804 if (!NT_STATUS_IS_OK(result))
805 goto done;
806
807 result = rpccli_lsa_remove_account_rights(cli, mem_ctx, &dom_pol, sid,
808 False, argc-2, argv+2);
809
810 if (!NT_STATUS_IS_OK(result))
811 goto done;
812
813 rpccli_lsa_Close(cli, mem_ctx, &dom_pol);
814
815 done:
816 return result;
817 }
818
819
820 /* Get a privilege value given its name */
821
822 static NTSTATUS cmd_lsa_lookup_priv_value(struct rpc_pipe_client *cli,
823 TALLOC_CTX *mem_ctx, int argc,
824 const char **argv)
825 {
826 POLICY_HND pol;
827 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
828 LUID luid;
829
830 if (argc != 2 ) {
831 printf("Usage: %s name\n", argv[0]);
832 return NT_STATUS_OK;
833 }
834
835 result = rpccli_lsa_open_policy2(cli, mem_ctx, True,
836 SEC_RIGHTS_MAXIMUM_ALLOWED,
837 &pol);
838
839 if (!NT_STATUS_IS_OK(result))
840 goto done;
841
842 result = rpccli_lsa_lookup_priv_value(cli, mem_ctx, &pol, argv[1], &luid);
843
844 if (!NT_STATUS_IS_OK(result))
845 goto done;
846
847 /* Print results */
848
849 printf("%u:%u (0x%x:0x%x)\n", luid.high, luid.low, luid.high, luid.low);
850
851 rpccli_lsa_Close(cli, mem_ctx, &pol);
852 done:
853 return result;
854 }
855
856 /* Query LSA security object */
857
858 static NTSTATUS cmd_lsa_query_secobj(struct rpc_pipe_client *cli,
859 TALLOC_CTX *mem_ctx, int argc,
860 const char **argv)
861 {
862 POLICY_HND pol;
863 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
864 SEC_DESC_BUF *sdb;
865 uint32 sec_info = DACL_SECURITY_INFORMATION;
866
867 if (argc < 1 || argc > 2) {
868 printf("Usage: %s [sec_info]\n", argv[0]);
869 return NT_STATUS_OK;
870 }
871
872 result = rpccli_lsa_open_policy2(cli, mem_ctx, True,
873 SEC_RIGHTS_MAXIMUM_ALLOWED,
874 &pol);
875
876 if (argc == 2)
877 sscanf(argv[1], "%x", &sec_info);
878
879 if (!NT_STATUS_IS_OK(result))
880 goto done;
881
882 result = rpccli_lsa_query_secobj(cli, mem_ctx, &pol, sec_info, &sdb);
883
884 if (!NT_STATUS_IS_OK(result))
885 goto done;
886
887 /* Print results */
888
889 display_sec_desc(sdb->sd);
890
891 rpccli_lsa_Close(cli, mem_ctx, &pol);
892 done:
893 return result;
894 }
895
896 static void display_trust_dom_info_4(struct lsa_TrustDomainInfoPassword *p, const char *password)
897 {
898 char *pwd, *pwd_old;
899
900 DATA_BLOB data = data_blob(NULL, p->password->length);
901 DATA_BLOB data_old = data_blob(NULL, p->old_password->length);
902
903 memcpy(data.data, p->password->data, p->password->length);
904 memcpy(data_old.data, p->old_password->data, p->old_password->length);
905
906 pwd = decrypt_trustdom_secret(password, &data);
907 pwd_old = decrypt_trustdom_secret(password, &data_old);
908
909 d_printf("Password:\t%s\n", pwd);
910 d_printf("Old Password:\t%s\n", pwd_old);
911
912 SAFE_FREE(pwd);
913 SAFE_FREE(pwd_old);
914
915 data_blob_free(&data);
916 data_blob_free(&data_old);
917 }
918
919 static void display_trust_dom_info(TALLOC_CTX *mem_ctx,
920 union lsa_TrustedDomainInfo *info,
921 enum lsa_TrustDomInfoEnum info_class,
922 const char *pass)
923 {
924 switch (info_class) {
925 case LSA_TRUSTED_DOMAIN_INFO_PASSWORD:
926 display_trust_dom_info_4(&info->password, pass);
927 break;
928 default: {
929 const char *str = NULL;
930 str = NDR_PRINT_UNION_STRING(mem_ctx,
931 lsa_TrustedDomainInfo,
932 info_class, info);
933 if (str) {
934 d_printf("%s\n", str);
935 }
936 break;
937 }
938 }
939 }
940
941 static NTSTATUS cmd_lsa_query_trustdominfobysid(struct rpc_pipe_client *cli,
942 TALLOC_CTX *mem_ctx, int argc,
943 const char **argv)
944 {
945 POLICY_HND pol;
946 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
947 DOM_SID dom_sid;
948 uint32 access_mask = SEC_RIGHTS_MAXIMUM_ALLOWED;
949 union lsa_TrustedDomainInfo info;
950 enum lsa_TrustDomInfoEnum info_class = 1;
951
952 if (argc > 3 || argc < 2) {
953 printf("Usage: %s [sid] [info_class]\n", argv[0]);
954 return NT_STATUS_OK;
955 }
956
957 if (!string_to_sid(&dom_sid, argv[1]))
958 return NT_STATUS_NO_MEMORY;
959
960 if (argc == 3)
961 info_class = atoi(argv[2]);
962
963 result = rpccli_lsa_open_policy2(cli, mem_ctx, True, access_mask, &pol);
964
965 if (!NT_STATUS_IS_OK(result))
966 goto done;
967
968 result = rpccli_lsa_QueryTrustedDomainInfoBySid(cli, mem_ctx,
969 &pol,
970 &dom_sid,
971 info_class,
972 &info);
973 if (!NT_STATUS_IS_OK(result))
974 goto done;
975
976 display_trust_dom_info(mem_ctx, &info, info_class, cli->pwd.password);
977
978 done:
979 if (&pol)
980 rpccli_lsa_Close(cli, mem_ctx, &pol);
981
982 return result;
983 }
984
985 static void init_lsa_String(struct lsa_String *name, const char *s)
986 {
987 name->string = s;
988 }
989
990 static NTSTATUS cmd_lsa_query_trustdominfobyname(struct rpc_pipe_client *cli,
991 TALLOC_CTX *mem_ctx, int argc,
992 const char **argv)
993 {
994 POLICY_HND pol;
995 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
996 uint32 access_mask = SEC_RIGHTS_MAXIMUM_ALLOWED;
997 union lsa_TrustedDomainInfo info;
998 enum lsa_TrustDomInfoEnum info_class = 1;
999 struct lsa_String trusted_domain;
1000
1001 if (argc > 3 || argc < 2) {
1002 printf("Usage: %s [name] [info_class]\n", argv[0]);
1003 return NT_STATUS_OK;
1004 }
1005
1006 if (argc == 3)
1007 info_class = atoi(argv[2]);
1008
1009 result = rpccli_lsa_open_policy2(cli, mem_ctx, True, access_mask, &pol);
1010
1011 if (!NT_STATUS_IS_OK(result))
1012 goto done;
1013
1014 init_lsa_String(&trusted_domain, argv[1]);
1015
1016 result = rpccli_lsa_QueryTrustedDomainInfoByName(cli, mem_ctx,
1017 &pol,
1018 trusted_domain,
1019 info_class,
1020 &info);
1021 if (!NT_STATUS_IS_OK(result))
1022 goto done;
1023
1024 display_trust_dom_info(mem_ctx, &info, info_class, cli->pwd.password);
1025
1026 done:
1027 if (&pol)
1028 rpccli_lsa_Close(cli, mem_ctx, &pol);
1029
1030 return result;
1031 }
1032
1033 static NTSTATUS cmd_lsa_query_trustdominfo(struct rpc_pipe_client *cli,
1034 TALLOC_CTX *mem_ctx, int argc,
1035 const char **argv)
1036 {
1037 POLICY_HND pol, trustdom_pol;
1038 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1039 uint32 access_mask = SEC_RIGHTS_MAXIMUM_ALLOWED;
1040 union lsa_TrustedDomainInfo info;
1041 DOM_SID dom_sid;
1042 enum lsa_TrustDomInfoEnum info_class = 1;
1043
1044 if (argc > 3 || argc < 2) {
1045 printf("Usage: %s [sid] [info_class]\n", argv[0]);
1046 return NT_STATUS_OK;
1047 }
1048
1049 if (!string_to_sid(&dom_sid, argv[1]))
1050 return NT_STATUS_NO_MEMORY;
1051
1052
1053 if (argc == 3)
1054 info_class = atoi(argv[2]);
1055
1056 result = rpccli_lsa_open_policy2(cli, mem_ctx, True, access_mask, &pol);
1057
1058 if (!NT_STATUS_IS_OK(result))
1059 goto done;
1060
1061 result = rpccli_lsa_OpenTrustedDomain(cli, mem_ctx,
1062 &pol,
1063 &dom_sid,
1064 access_mask,
1065 &trustdom_pol);
1066
1067 if (!NT_STATUS_IS_OK(result))
1068 goto done;
1069
1070 result = rpccli_lsa_QueryTrustedDomainInfo(cli, mem_ctx,
1071 &trustdom_pol,
1072 info_class,
1073 &info);
1074
1075 if (!NT_STATUS_IS_OK(result))
1076 goto done;
1077
1078 display_trust_dom_info(mem_ctx, &info, info_class, cli->pwd.password);
1079
1080 done:
1081 if (&pol)
1082 rpccli_lsa_Close(cli, mem_ctx, &pol);
1083
1084 return result;
1085 }
1086
1087
1088
1089 /* List of commands exported by this module */
1090
1091 struct cmd_set lsarpc_commands[] = {
1092
1093 { "LSARPC" },
1094
1095 { "lsaquery", RPC_RTYPE_NTSTATUS, cmd_lsa_query_info_policy, NULL, PI_LSARPC, NULL, "Query info policy", "" },
1096 { "lookupsids", RPC_RTYPE_NTSTATUS, cmd_lsa_lookup_sids, NULL, PI_LSARPC, NULL, "Convert SIDs to names", "" },
1097 { "lookupnames", RPC_RTYPE_NTSTATUS, cmd_lsa_lookup_names, NULL, PI_LSARPC, NULL, "Convert names to SIDs", "" },
1098 { "lookupnames_level", RPC_RTYPE_NTSTATUS, cmd_lsa_lookup_names_level, NULL, PI_LSARPC, NULL, "Convert names to SIDs", "" },
1099 { "enumtrust", RPC_RTYPE_NTSTATUS, cmd_lsa_enum_trust_dom, NULL, PI_LSARPC, NULL, "Enumerate trusted domains", "Usage: [preferred max number] [enum context (0)]" },
1100 { "enumprivs", RPC_RTYPE_NTSTATUS, cmd_lsa_enum_privilege, NULL, PI_LSARPC, NULL, "Enumerate privileges", "" },
1101 { "getdispname", RPC_RTYPE_NTSTATUS, cmd_lsa_get_dispname, NULL, PI_LSARPC, NULL, "Get the privilege name", "" },
1102 { "lsaenumsid", RPC_RTYPE_NTSTATUS, cmd_lsa_enum_sids, NULL, PI_LSARPC, NULL, "Enumerate the LSA SIDS", "" },
1103 { "lsacreateaccount", RPC_RTYPE_NTSTATUS, cmd_lsa_create_account, NULL, PI_LSARPC, NULL, "Create a new lsa account", "" },
1104 { "lsaenumprivsaccount", RPC_RTYPE_NTSTATUS, cmd_lsa_enum_privsaccounts, NULL, PI_LSARPC, NULL, "Enumerate the privileges of an SID", "" },
1105 { "lsaenumacctrights", RPC_RTYPE_NTSTATUS, cmd_lsa_enum_acct_rights, NULL, PI_LSARPC, NULL, "Enumerate the rights of an SID", "" },
1106 #if 0
1107 { "lsaaddpriv", RPC_RTYPE_NTSTATUS, cmd_lsa_add_priv, NULL, PI_LSARPC, "Assign a privilege to a SID", "" },
1108 { "lsadelpriv", RPC_RTYPE_NTSTATUS, cmd_lsa_del_priv, NULL, PI_LSARPC, "Revoke a privilege from a SID", "" },
1109 #endif
1110 { "lsaaddacctrights", RPC_RTYPE_NTSTATUS, cmd_lsa_add_acct_rights, NULL, PI_LSARPC, NULL, "Add rights to an account", "" },
1111 { "lsaremoveacctrights", RPC_RTYPE_NTSTATUS, cmd_lsa_remove_acct_rights, NULL, PI_LSARPC, NULL, "Remove rights from an account", "" },
1112 { "lsalookupprivvalue", RPC_RTYPE_NTSTATUS, cmd_lsa_lookup_priv_value, NULL, PI_LSARPC, NULL, "Get a privilege value given its name", "" },
1113 { "lsaquerysecobj", RPC_RTYPE_NTSTATUS, cmd_lsa_query_secobj, NULL, PI_LSARPC, NULL, "Query LSA security object", "" },
1114 { "lsaquerytrustdominfo",RPC_RTYPE_NTSTATUS, cmd_lsa_query_trustdominfo, NULL, PI_LSARPC, NULL, "Query LSA trusted domains info (given a SID)", "" },
1115 { "lsaquerytrustdominfobyname",RPC_RTYPE_NTSTATUS, cmd_lsa_query_trustdominfobyname, NULL, PI_LSARPC, NULL, "Query LSA trusted domains info (given a name), only works for Windows > 2k", "" },
1116 { "lsaquerytrustdominfobysid",RPC_RTYPE_NTSTATUS, cmd_lsa_query_trustdominfobysid, NULL, PI_LSARPC, NULL, "Query LSA trusted domains info (given a SID)", "" },
1117
1118 { NULL }
1119 };
1120
Samba GIT mirror