2 Unix SMB/CIFS implementation.
4 Copyright (C) Tim Potter 2000-2001,
5 Copyright (C) Andrew Tridgell 1992-1997,2000,
6 Copyright (C) Rafal Szczesniak 2002
7 Copyright (C) Jeremy Allison 2005.
8 Copyright (C) Michael Adam 2007.
9 Copyright (C) Guenther Deschner 2008.
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
27 /** @defgroup lsa LSA - Local Security Architecture
36 * RPC client routines for the LSA RPC pipe. LSA means "local
37 * security authority", which is half of a password database.
40 /** Open a LSA policy handle
42 * @param cli Handle on an initialised SMB connection */
44 NTSTATUS
rpccli_lsa_open_policy(struct rpc_pipe_client
*cli
,
46 bool sec_qos
, uint32 des_access
,
49 struct lsa_ObjectAttribute attr
;
50 struct lsa_QosInfo qos
;
51 uint16_t system_name
= '\\';
54 init_lsa_sec_qos(&qos
, 0xc, 2, 1, 0);
55 init_lsa_obj_attr(&attr
,
63 init_lsa_obj_attr(&attr
,
72 return rpccli_lsa_OpenPolicy(cli
, mem_ctx
,
79 /** Open a LSA policy handle
81 * @param cli Handle on an initialised SMB connection
84 NTSTATUS
rpccli_lsa_open_policy2(struct rpc_pipe_client
*cli
,
85 TALLOC_CTX
*mem_ctx
, bool sec_qos
,
86 uint32 des_access
, POLICY_HND
*pol
)
88 struct lsa_ObjectAttribute attr
;
89 struct lsa_QosInfo qos
;
92 init_lsa_sec_qos(&qos
, 0xc, 2, 1, 0);
93 init_lsa_obj_attr(&attr
,
101 init_lsa_obj_attr(&attr
,
110 return rpccli_lsa_OpenPolicy2(cli
, mem_ctx
,
111 cli
->cli
->srv_name_slash
,
117 /* Lookup a list of sids
119 * internal version withOUT memory allocation of the target arrays.
120 * this assumes suffciently sized arrays to store domains, names and types. */
122 static NTSTATUS
rpccli_lsa_lookup_sids_noalloc(struct rpc_pipe_client
*cli
,
129 enum lsa_SidType
*types
)
131 NTSTATUS result
= NT_STATUS_OK
;
132 TALLOC_CTX
*tmp_ctx
= NULL
;
134 struct lsa_SidArray sid_array
;
135 struct lsa_RefDomainList
*ref_domains
= NULL
;
136 struct lsa_TransNameArray lsa_names
;
140 ZERO_STRUCT(lsa_names
);
142 tmp_ctx
= talloc_new(mem_ctx
);
144 DEBUG(0, ("rpccli_lsa_lookup_sids_noalloc: out of memory!\n"));
145 result
= NT_STATUS_UNSUCCESSFUL
;
149 sid_array
.num_sids
= num_sids
;
150 sid_array
.sids
= TALLOC_ARRAY(mem_ctx
, struct lsa_SidPtr
, num_sids
);
151 if (!sid_array
.sids
) {
152 return NT_STATUS_NO_MEMORY
;
155 for (i
= 0; i
<num_sids
; i
++) {
156 sid_array
.sids
[i
].sid
= sid_dup_talloc(mem_ctx
, &sids
[i
]);
157 if (!sid_array
.sids
[i
].sid
) {
158 return NT_STATUS_NO_MEMORY
;
162 result
= rpccli_lsa_LookupSids(cli
, mem_ctx
,
170 DEBUG(10, ("LSA_LOOKUPSIDS returned '%s', mapped count = %d'\n",
171 nt_errstr(result
), count
));
173 if (!NT_STATUS_IS_OK(result
) &&
174 !NT_STATUS_EQUAL(result
, NT_STATUS_NONE_MAPPED
) &&
175 !NT_STATUS_EQUAL(result
, STATUS_SOME_UNMAPPED
))
177 /* An actual error occured */
181 /* Return output parameters */
183 if (NT_STATUS_EQUAL(result
, NT_STATUS_NONE_MAPPED
) ||
186 for (i
= 0; i
< num_sids
; i
++) {
189 (types
)[i
] = SID_NAME_UNKNOWN
;
191 result
= NT_STATUS_NONE_MAPPED
;
195 for (i
= 0; i
< num_sids
; i
++) {
196 const char *name
, *dom_name
;
197 uint32_t dom_idx
= lsa_names
.names
[i
].sid_index
;
199 /* Translate optimised name through domain index array */
201 if (dom_idx
!= 0xffffffff) {
203 dom_name
= ref_domains
->domains
[dom_idx
].name
.string
;
204 name
= lsa_names
.names
[i
].name
.string
;
207 (names
)[i
] = talloc_strdup(mem_ctx
, name
);
208 if ((names
)[i
] == NULL
) {
209 DEBUG(0, ("cli_lsa_lookup_sids_noalloc(): out of memory\n"));
210 result
= NT_STATUS_UNSUCCESSFUL
;
216 (domains
)[i
] = talloc_strdup(mem_ctx
, dom_name
);
217 (types
)[i
] = lsa_names
.names
[i
].sid_type
;
218 if (((domains
)[i
] == NULL
)) {
219 DEBUG(0, ("cli_lsa_lookup_sids_noalloc(): out of memory\n"));
220 result
= NT_STATUS_UNSUCCESSFUL
;
227 (types
)[i
] = SID_NAME_UNKNOWN
;
232 TALLOC_FREE(tmp_ctx
);
236 /* Lookup a list of sids
238 * do it the right way: there is a limit (of 20480 for w2k3) entries
239 * returned by this call. when the sids list contains more entries,
240 * empty lists are returned. This version of lsa_lookup_sids passes
241 * the list of sids in hunks of LOOKUP_SIDS_HUNK_SIZE to the lsa call. */
243 /* This constant defines the limit of how many sids to look up
244 * in one call (maximum). the limit from the server side is
245 * at 20480 for win2k3, but we keep it at a save 1000 for now. */
246 #define LOOKUP_SIDS_HUNK_SIZE 1000
248 NTSTATUS
rpccli_lsa_lookup_sids(struct rpc_pipe_client
*cli
,
255 enum lsa_SidType
**ptypes
)
257 NTSTATUS result
= NT_STATUS_OK
;
259 int sids_processed
= 0;
260 const DOM_SID
*hunk_sids
= sids
;
263 enum lsa_SidType
*hunk_types
;
264 char **domains
= NULL
;
266 enum lsa_SidType
*types
= NULL
;
269 if (!(domains
= TALLOC_ARRAY(mem_ctx
, char *, num_sids
))) {
270 DEBUG(0, ("rpccli_lsa_lookup_sids(): out of memory\n"));
271 result
= NT_STATUS_NO_MEMORY
;
275 if (!(names
= TALLOC_ARRAY(mem_ctx
, char *, num_sids
))) {
276 DEBUG(0, ("rpccli_lsa_lookup_sids(): out of memory\n"));
277 result
= NT_STATUS_NO_MEMORY
;
281 if (!(types
= TALLOC_ARRAY(mem_ctx
, enum lsa_SidType
, num_sids
))) {
282 DEBUG(0, ("rpccli_lsa_lookup_sids(): out of memory\n"));
283 result
= NT_STATUS_NO_MEMORY
;
288 sids_left
= num_sids
;
289 hunk_domains
= domains
;
293 while (sids_left
> 0) {
295 NTSTATUS hunk_result
= NT_STATUS_OK
;
297 hunk_num_sids
= ((sids_left
> LOOKUP_SIDS_HUNK_SIZE
)
298 ? LOOKUP_SIDS_HUNK_SIZE
301 DEBUG(10, ("rpccli_lsa_lookup_sids: processing items "
304 sids_processed
+ hunk_num_sids
- 1,
307 hunk_result
= rpccli_lsa_lookup_sids_noalloc(cli
,
316 if (!NT_STATUS_IS_OK(hunk_result
) &&
317 !NT_STATUS_EQUAL(hunk_result
, STATUS_SOME_UNMAPPED
) &&
318 !NT_STATUS_EQUAL(hunk_result
, NT_STATUS_NONE_MAPPED
))
320 /* An actual error occured */
321 result
= hunk_result
;
325 /* adapt overall result */
326 if (( NT_STATUS_IS_OK(result
) &&
327 !NT_STATUS_IS_OK(hunk_result
))
329 ( NT_STATUS_EQUAL(result
, NT_STATUS_NONE_MAPPED
) &&
330 !NT_STATUS_EQUAL(hunk_result
, NT_STATUS_NONE_MAPPED
)))
332 result
= STATUS_SOME_UNMAPPED
;
335 sids_left
-= hunk_num_sids
;
336 sids_processed
+= hunk_num_sids
; /* only used in DEBUG */
337 hunk_sids
+= hunk_num_sids
;
338 hunk_domains
+= hunk_num_sids
;
339 hunk_names
+= hunk_num_sids
;
340 hunk_types
+= hunk_num_sids
;
349 TALLOC_FREE(domains
);
355 /** Lookup a list of names */
357 NTSTATUS
rpccli_lsa_lookup_names(struct rpc_pipe_client
*cli
,
359 POLICY_HND
*pol
, int num_names
,
361 const char ***dom_names
,
364 enum lsa_SidType
**types
)
368 struct lsa_String
*lsa_names
= NULL
;
369 struct lsa_RefDomainList
*domains
= NULL
;
370 struct lsa_TransSidArray sid_array
;
373 ZERO_STRUCT(sid_array
);
375 lsa_names
= TALLOC_ARRAY(mem_ctx
, struct lsa_String
, num_names
);
377 return NT_STATUS_NO_MEMORY
;
380 for (i
=0; i
<num_names
; i
++) {
381 init_lsa_String(&lsa_names
[i
], names
[i
]);
384 result
= rpccli_lsa_LookupNames(cli
, mem_ctx
,
393 if (!NT_STATUS_IS_OK(result
) && NT_STATUS_V(result
) !=
394 NT_STATUS_V(STATUS_SOME_UNMAPPED
)) {
396 /* An actual error occured */
401 /* Return output parameters */
404 result
= NT_STATUS_NONE_MAPPED
;
409 if (!((*sids
= TALLOC_ARRAY(mem_ctx
, DOM_SID
, num_names
)))) {
410 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
411 result
= NT_STATUS_NO_MEMORY
;
415 if (!((*types
= TALLOC_ARRAY(mem_ctx
, enum lsa_SidType
, num_names
)))) {
416 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
417 result
= NT_STATUS_NO_MEMORY
;
421 if (dom_names
!= NULL
) {
422 *dom_names
= TALLOC_ARRAY(mem_ctx
, const char *, num_names
);
423 if (*dom_names
== NULL
) {
424 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
425 result
= NT_STATUS_NO_MEMORY
;
432 if (dom_names
!= NULL
) {
437 for (i
= 0; i
< num_names
; i
++) {
438 uint32_t dom_idx
= sid_array
.sids
[i
].sid_index
;
439 uint32_t dom_rid
= sid_array
.sids
[i
].rid
;
440 DOM_SID
*sid
= &(*sids
)[i
];
442 /* Translate optimised sid through domain index array */
444 if (dom_idx
== 0xffffffff) {
445 /* Nothing to do, this is unknown */
447 (*types
)[i
] = SID_NAME_UNKNOWN
;
451 sid_copy(sid
, domains
->domains
[dom_idx
].sid
);
453 if (dom_rid
!= 0xffffffff) {
454 sid_append_rid(sid
, dom_rid
);
457 (*types
)[i
] = sid_array
.sids
[i
].sid_type
;
459 if (dom_names
== NULL
) {
463 (*dom_names
)[i
] = domains
->domains
[dom_idx
].name
.string
;
473 /** An example of how to use the routines in this file. Fetch a DOMAIN
474 sid. Does complete cli setup / teardown anonymously. */
476 bool fetch_domain_sid( char *domain
, char *remote_machine
, DOM_SID
*psid
)
478 struct cli_state cli
;
484 if(cli_initialise(&cli
) == False
) {
485 DEBUG(0,("fetch_domain_sid: unable to initialize client connection.\n"));
489 if(!resolve_name( remote_machine
, &cli
.dest_ip
, 0x20)) {
490 DEBUG(0,("fetch_domain_sid: Can't resolve address for %s\n", remote_machine
));
494 if (!cli_connect(&cli
, remote_machine
, &cli
.dest_ip
)) {
495 DEBUG(0,("fetch_domain_sid: unable to connect to SMB server on \
496 machine %s. Error was : %s.\n", remote_machine
, cli_errstr(&cli
) ));
500 if (!attempt_netbios_session_request(&cli
, global_myname(), remote_machine
, &cli
.dest_ip
)) {
501 DEBUG(0,("fetch_domain_sid: machine %s rejected the NetBIOS session request.\n",
506 cli
.protocol
= PROTOCOL_NT1
;
508 if (!cli_negprot(&cli
)) {
509 DEBUG(0,("fetch_domain_sid: machine %s rejected the negotiate protocol. \
510 Error was : %s.\n", remote_machine
, cli_errstr(&cli
) ));
514 if (cli
.protocol
!= PROTOCOL_NT1
) {
515 DEBUG(0,("fetch_domain_sid: machine %s didn't negotiate NT protocol.\n",
521 * Do an anonymous session setup.
524 if (!cli_session_setup(&cli
, "", "", 0, "", 0, "")) {
525 DEBUG(0,("fetch_domain_sid: machine %s rejected the session setup. \
526 Error was : %s.\n", remote_machine
, cli_errstr(&cli
) ));
530 if (!(cli
.sec_mode
& NEGOTIATE_SECURITY_USER_LEVEL
)) {
531 DEBUG(0,("fetch_domain_sid: machine %s isn't in user level security mode\n",
536 if (!cli_send_tconX(&cli
, "IPC$", "IPC", "", 1)) {
537 DEBUG(0,("fetch_domain_sid: machine %s rejected the tconX on the IPC$ share. \
538 Error was : %s.\n", remote_machine
, cli_errstr(&cli
) ));
542 /* Fetch domain sid */
544 if (!cli_nt_session_open(&cli
, PI_LSARPC
)) {
545 DEBUG(0, ("fetch_domain_sid: Error connecting to SAM pipe\n"));
549 result
= cli_lsa_open_policy(&cli
, cli
.mem_ctx
, True
, SEC_RIGHTS_QUERY_VALUE
, &lsa_pol
);
550 if (!NT_STATUS_IS_OK(result
)) {
551 DEBUG(0, ("fetch_domain_sid: Error opening lsa policy handle. %s\n",
552 nt_errstr(result
) ));
556 result
= cli_lsa_query_info_policy(&cli
, cli
.mem_ctx
, &lsa_pol
, 5, domain
, psid
);
557 if (!NT_STATUS_IS_OK(result
)) {
558 DEBUG(0, ("fetch_domain_sid: Error querying lsa policy handle. %s\n",
559 nt_errstr(result
) ));