search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
cleaned up the lsa_enum_acct_rights function and added a
[Samba.git] / source / rpcclient / cmd_lsarpc.c
blob991e56fece4f57e390c4c339b9a08a04d1dd1746
1 /*
2 Unix SMB/CIFS implementation.
3 RPC pipe client
4
5 Copyright (C) Tim Potter 2000
6 Copyright (C) Rafal Szczesniak 2002
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
21 */
22
23 #include "includes.h"
24 #include "rpcclient.h"
25
26
27 /* useful function to allow entering a name instead of a SID and
28 * looking it up automatically */
29 static NTSTATUS name_to_sid(struct cli_state *cli,
30 TALLOC_CTX *mem_ctx,
31 DOM_SID *sid, const char *name)
32 {
33 POLICY_HND pol;
34 uint32 *sid_types;
35 NTSTATUS result;
36 DOM_SID *sids;
37
38 /* maybe its a raw SID */
39 if (strncmp(name, "S-", 2) == 0 &&
40 string_to_sid(sid, name)) {
41 return NT_STATUS_OK;
42 }
43
44 result = cli_lsa_open_policy(cli, mem_ctx, True,
45 SEC_RIGHTS_MAXIMUM_ALLOWED,
46 &pol);
47 if (!NT_STATUS_IS_OK(result))
48 goto done;
49
50 result = cli_lsa_lookup_names(cli, mem_ctx, &pol, 1, &name, &sids, &sid_types);
51 if (!NT_STATUS_IS_OK(result))
52 goto done;
53
54 cli_lsa_close(cli, mem_ctx, &pol);
55
56 *sid = sids[0];
57
58 done:
59 return result;
60 }
61
62
63 /* Look up domain related information on a remote host */
64
65 static NTSTATUS cmd_lsa_query_info_policy(struct cli_state *cli,
66 TALLOC_CTX *mem_ctx, int argc,
67 char **argv)
68 {
69 POLICY_HND pol;
70 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
71 DOM_SID dom_sid;
72 GUID dom_guid;
73 fstring sid_str, domain_name="", dns_name="", forest_name="";
74 uint32 info_class = 3;
75
76 if (argc > 2) {
77 printf("Usage: %s [info_class]\n", argv[0]);
78 return NT_STATUS_OK;
79 }
80
81 if (argc == 2)
82 info_class = atoi(argv[1]);
83
84 /* Lookup info policy */
85 switch (info_class) {
86 case 12:
87 result = cli_lsa_open_policy2(cli, mem_ctx, True,
88 SEC_RIGHTS_MAXIMUM_ALLOWED,
89 &pol);
90
91 if (!NT_STATUS_IS_OK(result))
92 goto done;
93 result = cli_lsa_query_info_policy2(cli, mem_ctx, &pol,
94 info_class, domain_name,
95 dns_name, forest_name,
96 &dom_guid, &dom_sid);
97 break;
98 default:
99 result = cli_lsa_open_policy(cli, mem_ctx, True,
100 SEC_RIGHTS_MAXIMUM_ALLOWED,
101 &pol);
102
103 if (!NT_STATUS_IS_OK(result))
104 goto done;
105 result = cli_lsa_query_info_policy(cli, mem_ctx, &pol,
106 info_class, domain_name,
107 &dom_sid);
108 }
109
110 if (!NT_STATUS_IS_OK(result))
111 goto done;
112
113 sid_to_string(sid_str, &dom_sid);
114
115 if (domain_name[0])
116 printf("domain %s has sid %s\n", domain_name, sid_str);
117 else
118 printf("could not query info for level %d\n", info_class);
119
120 if (dns_name[0])
121 printf("domain dns name is %s\n", dns_name);
122 if (forest_name[0])
123 printf("forest name is %s\n", forest_name);
124
125 if (info_class == 12) {
126 printf("domain GUID is ");
127 print_guid(&dom_guid);
128 }
129 done:
130 return result;
131 }
132
133 /* Resolve a list of names to a list of sids */
134
135 static NTSTATUS cmd_lsa_lookup_names(struct cli_state *cli,
136 TALLOC_CTX *mem_ctx, int argc,
137 char **argv)
138 {
139 POLICY_HND pol;
140 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
141 DOM_SID *sids;
142 uint32 *types;
143 int i;
144
145 if (argc == 1) {
146 printf("Usage: %s [name1 [name2 [...]]]\n", argv[0]);
147 return NT_STATUS_OK;
148 }
149
150 result = cli_lsa_open_policy(cli, mem_ctx, True,
151 SEC_RIGHTS_MAXIMUM_ALLOWED,
152 &pol);
153
154 if (!NT_STATUS_IS_OK(result))
155 goto done;
156
157 result = cli_lsa_lookup_names(cli, mem_ctx, &pol, argc - 1,
158 (const char**)(argv + 1), &sids, &types);
159
160 if (!NT_STATUS_IS_OK(result) && NT_STATUS_V(result) !=
161 NT_STATUS_V(STATUS_SOME_UNMAPPED))
162 goto done;
163
164 result = NT_STATUS_OK;
165
166 /* Print results */
167
168 for (i = 0; i < (argc - 1); i++) {
169 fstring sid_str;
170 sid_to_string(sid_str, &sids[i]);
171 printf("%s %s (%s: %d)\n", argv[i + 1], sid_str,
172 sid_type_lookup(types[i]), types[i]);
173 }
174
175 done:
176 return result;
177 }
178
179 /* Resolve a list of SIDs to a list of names */
180
181 static NTSTATUS cmd_lsa_lookup_sids(struct cli_state *cli, TALLOC_CTX *mem_ctx,
182 int argc, char **argv)
183 {
184 POLICY_HND pol;
185 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
186 DOM_SID *sids;
187 char **domains;
188 char **names;
189 uint32 *types;
190 int i;
191
192 if (argc == 1) {
193 printf("Usage: %s [sid1 [sid2 [...]]]\n", argv[0]);
194 return NT_STATUS_OK;
195 }
196
197 result = cli_lsa_open_policy(cli, mem_ctx, True,
198 SEC_RIGHTS_MAXIMUM_ALLOWED,
199 &pol);
200
201 if (!NT_STATUS_IS_OK(result))
202 goto done;
203
204 /* Convert arguments to sids */
205
206 sids = (DOM_SID *)talloc(mem_ctx, sizeof(DOM_SID) * (argc - 1));
207
208 if (!sids) {
209 printf("could not allocate memory for %d sids\n", argc - 1);
210 goto done;
211 }
212
213 for (i = 0; i < argc - 1; i++)
214 string_to_sid(&sids[i], argv[i + 1]);
215
216 /* Lookup the SIDs */
217
218 result = cli_lsa_lookup_sids(cli, mem_ctx, &pol, argc - 1, sids,
219 &domains, &names, &types);
220
221 if (!NT_STATUS_IS_OK(result) && NT_STATUS_V(result) !=
222 NT_STATUS_V(STATUS_SOME_UNMAPPED))
223 goto done;
224
225 result = NT_STATUS_OK;
226
227 /* Print results */
228
229 for (i = 0; i < (argc - 1); i++) {
230 fstring sid_str;
231
232 sid_to_string(sid_str, &sids[i]);
233 printf("%s %s\\%s (%d)\n", sid_str,
234 domains[i] ? domains[i] : "*unknown*",
235 names[i] ? names[i] : "*unknown*", types[i]);
236 }
237
238 done:
239 return result;
240 }
241
242 /* Enumerate list of trusted domains */
243
244 static NTSTATUS cmd_lsa_enum_trust_dom(struct cli_state *cli,
245 TALLOC_CTX *mem_ctx, int argc,
246 char **argv)
247 {
248 POLICY_HND pol;
249 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
250 DOM_SID *domain_sids;
251 char **domain_names;
252
253 /* defaults, but may be changed using params */
254 uint32 enum_ctx = 0;
255 uint32 num_domains = 0;
256 int i;
257
258 if (argc > 2) {
259 printf("Usage: %s [enum context (0)]\n", argv[0]);
260 return NT_STATUS_OK;
261 }
262
263 if (argc == 2 && argv[1]) {
264 enum_ctx = atoi(argv[2]);
265 }
266
267 result = cli_lsa_open_policy(cli, mem_ctx, True,
268 POLICY_VIEW_LOCAL_INFORMATION,
269 &pol);
270
271 if (!NT_STATUS_IS_OK(result))
272 goto done;
273
274 /* Lookup list of trusted domains */
275
276 result = cli_lsa_enum_trust_dom(cli, mem_ctx, &pol, &enum_ctx,
277 &num_domains,
278 &domain_names, &domain_sids);
279 if (!NT_STATUS_IS_OK(result) &&
280 !NT_STATUS_EQUAL(result, NT_STATUS_NO_MORE_ENTRIES) &&
281 !NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES))
282 goto done;
283
284 /* Print results: list of names and sids returned in this response. */
285 for (i = 0; i < num_domains; i++) {
286 fstring sid_str;
287
288 sid_to_string(sid_str, &domain_sids[i]);
289 printf("%s %s\n", domain_names[i] ? domain_names[i] :
290 "*unknown*", sid_str);
291 }
292
293 done:
294 return result;
295 }
296
297 /* Enumerates privileges */
298
299 static NTSTATUS cmd_lsa_enum_privilege(struct cli_state *cli,
300 TALLOC_CTX *mem_ctx, int argc,
301 char **argv)
302 {
303 POLICY_HND pol;
304 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
305
306 uint32 enum_context=0;
307 uint32 pref_max_length=0x1000;
308 uint32 count=0;
309 char **privs_name;
310 uint32 *privs_high;
311 uint32 *privs_low;
312 int i;
313
314 if (argc > 3) {
315 printf("Usage: %s [enum context] [max length]\n", argv[0]);
316 return NT_STATUS_OK;
317 }
318
319 if (argc>=2)
320 enum_context=atoi(argv[1]);
321
322 if (argc==3)
323 pref_max_length=atoi(argv[2]);
324
325 result = cli_lsa_open_policy(cli, mem_ctx, True,
326 SEC_RIGHTS_MAXIMUM_ALLOWED,
327 &pol);
328
329 if (!NT_STATUS_IS_OK(result))
330 goto done;
331
332 result = cli_lsa_enum_privilege(cli, mem_ctx, &pol, &enum_context, pref_max_length,
333 &count, &privs_name, &privs_high, &privs_low);
334
335 if (!NT_STATUS_IS_OK(result))
336 goto done;
337
338 /* Print results */
339 printf("found %d privileges\n\n", count);
340
341 for (i = 0; i < count; i++) {
342 printf("%s \t\t%d:%d (0x%x:0x%x)\n", privs_name[i] ? privs_name[i] : "*unknown*",
343 privs_high[i], privs_low[i], privs_high[i], privs_low[i]);
344 }
345
346 done:
347 return result;
348 }
349
350 /* Get privilege name */
351
352 static NTSTATUS cmd_lsa_get_dispname(struct cli_state *cli,
353 TALLOC_CTX *mem_ctx, int argc,
354 char **argv)
355 {
356 POLICY_HND pol;
357 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
358
359 uint16 lang_id=0;
360 uint16 lang_id_sys=0;
361 uint16 lang_id_desc;
362 fstring description;
363
364 if (argc != 2) {
365 printf("Usage: %s privilege name\n", argv[0]);
366 return NT_STATUS_OK;
367 }
368
369 result = cli_lsa_open_policy(cli, mem_ctx, True,
370 SEC_RIGHTS_MAXIMUM_ALLOWED,
371 &pol);
372
373 if (!NT_STATUS_IS_OK(result))
374 goto done;
375
376 result = cli_lsa_get_dispname(cli, mem_ctx, &pol, argv[1], lang_id, lang_id_sys, description, &lang_id_desc);
377
378 if (!NT_STATUS_IS_OK(result))
379 goto done;
380
381 /* Print results */
382 printf("%s -> %s (language: 0x%x)\n", argv[1], description, lang_id_desc);
383
384 done:
385 return result;
386 }
387
388 /* Enumerate the LSA SIDS */
389
390 static NTSTATUS cmd_lsa_enum_sids(struct cli_state *cli,
391 TALLOC_CTX *mem_ctx, int argc,
392 char **argv)
393 {
394 POLICY_HND pol;
395 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
396
397 uint32 enum_context=0;
398 uint32 pref_max_length=0x1000;
399 DOM_SID *sids;
400 uint32 count=0;
401 int i;
402
403 if (argc > 3) {
404 printf("Usage: %s [enum context] [max length]\n", argv[0]);
405 return NT_STATUS_OK;
406 }
407
408 if (argc>=2)
409 enum_context=atoi(argv[1]);
410
411 if (argc==3)
412 pref_max_length=atoi(argv[2]);
413
414 result = cli_lsa_open_policy(cli, mem_ctx, True,
415 SEC_RIGHTS_MAXIMUM_ALLOWED,
416 &pol);
417
418 if (!NT_STATUS_IS_OK(result))
419 goto done;
420
421 result = cli_lsa_enum_sids(cli, mem_ctx, &pol, &enum_context, pref_max_length,
422 &count, &sids);
423
424 if (!NT_STATUS_IS_OK(result))
425 goto done;
426
427 /* Print results */
428 printf("found %d SIDs\n\n", count);
429
430 for (i = 0; i < count; i++) {
431 fstring sid_str;
432
433 sid_to_string(sid_str, &sids[i]);
434 printf("%s\n", sid_str);
435 }
436
437 done:
438 return result;
439 }
440
441 /* Enumerate the privileges of an SID */
442
443 static NTSTATUS cmd_lsa_enum_privsaccounts(struct cli_state *cli,
444 TALLOC_CTX *mem_ctx, int argc,
445 char **argv)
446 {
447 POLICY_HND dom_pol;
448 POLICY_HND user_pol;
449 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
450 uint32 access_desired = 0x000f000f;
451
452 DOM_SID sid;
453 uint32 count=0;
454 LUID_ATTR *set;
455 int i;
456
457 if (argc != 2 ) {
458 printf("Usage: %s SID\n", argv[0]);
459 return NT_STATUS_OK;
460 }
461
462 result = name_to_sid(cli, mem_ctx, &sid, argv[1]);
463 if (!NT_STATUS_IS_OK(result))
464 goto done;
465
466 result = cli_lsa_open_policy2(cli, mem_ctx, True,
467 SEC_RIGHTS_MAXIMUM_ALLOWED,
468 &dom_pol);
469
470 if (!NT_STATUS_IS_OK(result))
471 goto done;
472
473 result = cli_lsa_open_account(cli, mem_ctx, &dom_pol, &sid, access_desired, &user_pol);
474
475 if (!NT_STATUS_IS_OK(result))
476 goto done;
477
478 result = cli_lsa_enum_privsaccount(cli, mem_ctx, &user_pol, &count, &set);
479
480 if (!NT_STATUS_IS_OK(result))
481 goto done;
482
483 /* Print results */
484 printf("found %d privileges for SID %s\n\n", count, argv[1]);
485 printf("high\tlow\tattribute\n");
486
487 for (i = 0; i < count; i++) {
488 printf("%u\t%u\t%u\n", set[i].luid.high, set[i].luid.low, set[i].attr);
489 }
490
491 done:
492 return result;
493 }
494
495
496 /* Enumerate the privileges of an SID via LsaEnumerateAccountRights */
497
498 static NTSTATUS cmd_lsa_enum_acct_rights(struct cli_state *cli,
499 TALLOC_CTX *mem_ctx, int argc,
500 char **argv)
501 {
502 POLICY_HND dom_pol;
503 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
504
505 DOM_SID sid;
506 uint32 count;
507 char **rights;
508
509 int i;
510
511 if (argc != 2 ) {
512 printf("Usage: %s SID\n", argv[0]);
513 return NT_STATUS_OK;
514 }
515
516 result = name_to_sid(cli, mem_ctx, &sid, argv[1]);
517 if (!NT_STATUS_IS_OK(result))
518 goto done;
519
520 result = cli_lsa_open_policy2(cli, mem_ctx, True,
521 SEC_RIGHTS_MAXIMUM_ALLOWED,
522 &dom_pol);
523
524 if (!NT_STATUS_IS_OK(result))
525 goto done;
526
527 result = cli_lsa_enum_account_rights(cli, mem_ctx, &dom_pol, sid, &count, &rights);
528
529 if (!NT_STATUS_IS_OK(result))
530 goto done;
531
532 printf("found %d privileges for SID %s\n", count, sid_string_static(&sid));
533
534 for (i = 0; i < count; i++) {
535 printf("\t%s\n", rights[i]);
536 }
537
538 done:
539 return result;
540 }
541
542
543 /* add some privileges to a SID via LsaAddAccountRights */
544
545 static NTSTATUS cmd_lsa_add_acct_rights(struct cli_state *cli,
546 TALLOC_CTX *mem_ctx, int argc,
547 const char **argv)
548 {
549 POLICY_HND dom_pol;
550 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
551
552 DOM_SID sid;
553
554 if (argc < 3 ) {
555 printf("Usage: %s SID [rights...]\n", argv[0]);
556 return NT_STATUS_OK;
557 }
558
559 result = name_to_sid(cli, mem_ctx, &sid, argv[1]);
560 if (!NT_STATUS_IS_OK(result))
561 goto done;
562
563 result = cli_lsa_open_policy2(cli, mem_ctx, True,
564 SEC_RIGHTS_MAXIMUM_ALLOWED,
565 &dom_pol);
566
567 if (!NT_STATUS_IS_OK(result))
568 goto done;
569
570 result = cli_lsa_add_account_rights(cli, mem_ctx, &dom_pol, sid,
571 argc-2, argv+2);
572
573 if (!NT_STATUS_IS_OK(result))
574 goto done;
575
576 done:
577 return result;
578 }
579
580
581 /* Get a privilege value given its name */
582
583 static NTSTATUS cmd_lsa_lookupprivvalue(struct cli_state *cli,
584 TALLOC_CTX *mem_ctx, int argc,
585 char **argv)
586 {
587 POLICY_HND pol;
588 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
589 LUID luid;
590
591 if (argc != 2 ) {
592 printf("Usage: %s name\n", argv[0]);
593 return NT_STATUS_OK;
594 }
595
596 result = cli_lsa_open_policy2(cli, mem_ctx, True,
597 SEC_RIGHTS_MAXIMUM_ALLOWED,
598 &pol);
599
600 if (!NT_STATUS_IS_OK(result))
601 goto done;
602
603 result = cli_lsa_lookupprivvalue(cli, mem_ctx, &pol, argv[1], &luid);
604
605 if (!NT_STATUS_IS_OK(result))
606 goto done;
607
608 /* Print results */
609
610 printf("%u:%u (0x%x:0x%x)\n", luid.high, luid.low, luid.high, luid.low);
611
612 done:
613 return result;
614 }
615
616 /* Query LSA security object */
617
618 static NTSTATUS cmd_lsa_query_secobj(struct cli_state *cli,
619 TALLOC_CTX *mem_ctx, int argc,
620 char **argv)
621 {
622 POLICY_HND pol;
623 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
624 SEC_DESC_BUF *sdb;
625 uint32 sec_info = 0x00000004; /* ??? */
626
627 if (argc != 1 ) {
628 printf("Usage: %s\n", argv[0]);
629 return NT_STATUS_OK;
630 }
631
632 result = cli_lsa_open_policy2(cli, mem_ctx, True,
633 SEC_RIGHTS_MAXIMUM_ALLOWED,
634 &pol);
635
636 if (!NT_STATUS_IS_OK(result))
637 goto done;
638
639 result = cli_lsa_query_secobj(cli, mem_ctx, &pol, sec_info, &sdb);
640
641 if (!NT_STATUS_IS_OK(result))
642 goto done;
643
644 /* Print results */
645
646 display_sec_desc(sdb->sec);
647
648 done:
649 return result;
650 }
651
652
653 /* List of commands exported by this module */
654
655 struct cmd_set lsarpc_commands[] = {
656
657 { "LSARPC" },
658
659 { "lsaquery", cmd_lsa_query_info_policy, PI_LSARPC, "Query info policy", "" },
660 { "lookupsids", cmd_lsa_lookup_sids, PI_LSARPC, "Convert SIDs to names", "" },
661 { "lookupnames", cmd_lsa_lookup_names, PI_LSARPC, "Convert names to SIDs", "" },
662 { "enumtrust", cmd_lsa_enum_trust_dom, PI_LSARPC, "Enumerate trusted domains", "Usage: [preferred max number] [enum context (0)]" },
663 { "enumprivs", cmd_lsa_enum_privilege, PI_LSARPC, "Enumerate privileges", "" },
664 { "getdispname", cmd_lsa_get_dispname, PI_LSARPC, "Get the privilege name", "" },
665 { "lsaenumsid", cmd_lsa_enum_sids, PI_LSARPC, "Enumerate the LSA SIDS", "" },
666 { "lsaenumprivsaccount", cmd_lsa_enum_privsaccounts, PI_LSARPC, "Enumerate the privileges of an SID", "" },
667 { "lsaenumacctrights", cmd_lsa_enum_acct_rights, PI_LSARPC, "Enumerate the rights of an SID", "" },
668 { "lsaaddacctrights", cmd_lsa_add_acct_rights, PI_LSARPC, "Add rights to an account", "" },
669 { "lsalookupprivvalue", cmd_lsa_lookupprivvalue, PI_LSARPC, "Get a privilege value given its name", "" },
670 { "lsaquerysecobj", cmd_lsa_query_secobj, PI_LSARPC, "Query LSA security object", "" },
671
672 { NULL }
673 };
Samba GIT mirror