search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3: Lift the server_messaging_context from notify_job_status
[Samba/gbeck.git] / source3 / rpcclient / cmd_lsarpc.c
blob9db316f7e49d3ae594f45f0d119b7b7a6a83dcb0
1 /*
2 Unix SMB/CIFS implementation.
3 RPC pipe client
4
5 Copyright (C) Tim Potter 2000
6 Copyright (C) Rafal Szczesniak 2002
7 Copyright (C) Guenther Deschner 2008
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "rpcclient.h"
25 #include "../libcli/auth/libcli_auth.h"
26 #include "../librpc/gen_ndr/ndr_lsa.h"
27 #include "../librpc/gen_ndr/cli_lsa.h"
28 #include "rpc_client/cli_lsarpc.h"
29
30 /* useful function to allow entering a name instead of a SID and
31 * looking it up automatically */
32 static NTSTATUS name_to_sid(struct rpc_pipe_client *cli,
33 TALLOC_CTX *mem_ctx,
34 struct dom_sid *sid, const char *name)
35 {
36 struct policy_handle pol;
37 enum lsa_SidType *sid_types;
38 NTSTATUS result;
39 struct dom_sid *sids;
40
41 /* maybe its a raw SID */
42 if (strncmp(name, "S-", 2) == 0 &&
43 string_to_sid(sid, name)) {
44 return NT_STATUS_OK;
45 }
46
47 result = rpccli_lsa_open_policy(cli, mem_ctx, True,
48 SEC_FLAG_MAXIMUM_ALLOWED,
49 &pol);
50 if (!NT_STATUS_IS_OK(result))
51 goto done;
52
53 result = rpccli_lsa_lookup_names(cli, mem_ctx, &pol, 1, &name, NULL, 1, &sids, &sid_types);
54 if (!NT_STATUS_IS_OK(result))
55 goto done;
56
57 rpccli_lsa_Close(cli, mem_ctx, &pol);
58
59 *sid = sids[0];
60
61 done:
62 return result;
63 }
64
65 static void display_query_info_1(struct lsa_AuditLogInfo *r)
66 {
67 d_printf("percent_full:\t%d\n", r->percent_full);
68 d_printf("maximum_log_size:\t%d\n", r->maximum_log_size);
69 d_printf("retention_time:\t%lld\n", (long long)r->retention_time);
70 d_printf("shutdown_in_progress:\t%d\n", r->shutdown_in_progress);
71 d_printf("time_to_shutdown:\t%lld\n", (long long)r->time_to_shutdown);
72 d_printf("next_audit_record:\t%d\n", r->next_audit_record);
73 }
74
75 static void display_query_info_2(struct lsa_AuditEventsInfo *r)
76 {
77 int i;
78 d_printf("Auditing enabled:\t%d\n", r->auditing_mode);
79 d_printf("Auditing categories:\t%d\n", r->count);
80 d_printf("Auditsettings:\n");
81 for (i=0; i<r->count; i++) {
82 const char *val = audit_policy_str(talloc_tos(), r->settings[i]);
83 const char *policy = audit_description_str(i);
84 d_printf("%s:\t%s\n", policy, val);
85 }
86 }
87
88 static void display_query_info_3(struct lsa_DomainInfo *r)
89 {
90 d_printf("Domain Name: %s\n", r->name.string);
91 d_printf("Domain Sid: %s\n", sid_string_tos(r->sid));
92 }
93
94 static void display_query_info_5(struct lsa_DomainInfo *r)
95 {
96 d_printf("Domain Name: %s\n", r->name.string);
97 d_printf("Domain Sid: %s\n", sid_string_tos(r->sid));
98 }
99
100 static void display_query_info_10(struct lsa_AuditFullSetInfo *r)
101 {
102 d_printf("Shutdown on full: %d\n", r->shutdown_on_full);
103 }
104
105 static void display_query_info_11(struct lsa_AuditFullQueryInfo *r)
106 {
107 d_printf("Shutdown on full: %d\n", r->shutdown_on_full);
108 d_printf("Log is full: %d\n", r->log_is_full);
109 }
110
111 static void display_query_info_12(struct lsa_DnsDomainInfo *r)
112 {
113 d_printf("Domain NetBios Name: %s\n", r->name.string);
114 d_printf("Domain DNS Name: %s\n", r->dns_domain.string);
115 d_printf("Domain Forest Name: %s\n", r->dns_forest.string);
116 d_printf("Domain Sid: %s\n", sid_string_tos(r->sid));
117 d_printf("Domain GUID: %s\n", GUID_string(talloc_tos(),
118 &r->domain_guid));
119 }
120
121 static void display_lsa_query_info(union lsa_PolicyInformation *info,
122 enum lsa_PolicyInfo level)
123 {
124 switch (level) {
125 case 1:
126 display_query_info_1(&info->audit_log);
127 break;
128 case 2:
129 display_query_info_2(&info->audit_events);
130 break;
131 case 3:
132 display_query_info_3(&info->domain);
133 break;
134 case 5:
135 display_query_info_5(&info->account_domain);
136 break;
137 case 10:
138 display_query_info_10(&info->auditfullset);
139 break;
140 case 11:
141 display_query_info_11(&info->auditfullquery);
142 break;
143 case 12:
144 display_query_info_12(&info->dns);
145 break;
146 default:
147 printf("can't display info level: %d\n", level);
148 break;
149 }
150 }
151
152 static NTSTATUS cmd_lsa_query_info_policy(struct rpc_pipe_client *cli,
153 TALLOC_CTX *mem_ctx, int argc,
154 const char **argv)
155 {
156 struct policy_handle pol;
157 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
158 union lsa_PolicyInformation *info = NULL;
159
160 uint32 info_class = 3;
161
162 if (argc > 2) {
163 printf("Usage: %s [info_class]\n", argv[0]);
164 return NT_STATUS_OK;
165 }
166
167 if (argc == 2)
168 info_class = atoi(argv[1]);
169
170 switch (info_class) {
171 case 12:
172 result = rpccli_lsa_open_policy2(cli, mem_ctx, True,
173 SEC_FLAG_MAXIMUM_ALLOWED,
174 &pol);
175
176 if (!NT_STATUS_IS_OK(result))
177 goto done;
178
179 result = rpccli_lsa_QueryInfoPolicy2(cli, mem_ctx,
180 &pol,
181 info_class,
182 &info);
183 break;
184 default:
185 result = rpccli_lsa_open_policy(cli, mem_ctx, True,
186 SEC_FLAG_MAXIMUM_ALLOWED,
187 &pol);
188
189 if (!NT_STATUS_IS_OK(result))
190 goto done;
191
192 result = rpccli_lsa_QueryInfoPolicy(cli, mem_ctx,
193 &pol,
194 info_class,
195 &info);
196 }
197
198 if (NT_STATUS_IS_OK(result)) {
199 display_lsa_query_info(info, info_class);
200 }
201
202 rpccli_lsa_Close(cli, mem_ctx, &pol);
203
204 done:
205 return result;
206 }
207
208 /* Resolve a list of names to a list of sids */
209
210 static NTSTATUS cmd_lsa_lookup_names(struct rpc_pipe_client *cli,
211 TALLOC_CTX *mem_ctx, int argc,
212 const char **argv)
213 {
214 struct policy_handle pol;
215 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
216 struct dom_sid *sids;
217 enum lsa_SidType *types;
218 int i;
219
220 if (argc == 1) {
221 printf("Usage: %s [name1 [name2 [...]]]\n", argv[0]);
222 return NT_STATUS_OK;
223 }
224
225 result = rpccli_lsa_open_policy(cli, mem_ctx, True,
226 SEC_FLAG_MAXIMUM_ALLOWED,
227 &pol);
228
229 if (!NT_STATUS_IS_OK(result))
230 goto done;
231
232 result = rpccli_lsa_lookup_names(cli, mem_ctx, &pol, argc - 1,
233 (const char**)(argv + 1), NULL, 1, &sids, &types);
234
235 if (!NT_STATUS_IS_OK(result) && NT_STATUS_V(result) !=
236 NT_STATUS_V(STATUS_SOME_UNMAPPED))
237 goto done;
238
239 result = NT_STATUS_OK;
240
241 /* Print results */
242
243 for (i = 0; i < (argc - 1); i++) {
244 fstring sid_str;
245 sid_to_fstring(sid_str, &sids[i]);
246 printf("%s %s (%s: %d)\n", argv[i + 1], sid_str,
247 sid_type_lookup(types[i]), types[i]);
248 }
249
250 rpccli_lsa_Close(cli, mem_ctx, &pol);
251
252 done:
253 return result;
254 }
255
256 /* Resolve a list of names to a list of sids */
257
258 static NTSTATUS cmd_lsa_lookup_names_level(struct rpc_pipe_client *cli,
259 TALLOC_CTX *mem_ctx, int argc,
260 const char **argv)
261 {
262 struct policy_handle pol;
263 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
264 struct dom_sid *sids;
265 enum lsa_SidType *types;
266 int i, level;
267
268 if (argc < 3) {
269 printf("Usage: %s [level] [name1 [name2 [...]]]\n", argv[0]);
270 return NT_STATUS_OK;
271 }
272
273 result = rpccli_lsa_open_policy(cli, mem_ctx, True,
274 SEC_FLAG_MAXIMUM_ALLOWED,
275 &pol);
276
277 if (!NT_STATUS_IS_OK(result))
278 goto done;
279
280 level = atoi(argv[1]);
281
282 result = rpccli_lsa_lookup_names(cli, mem_ctx, &pol, argc - 2,
283 (const char**)(argv + 2), NULL, level, &sids, &types);
284
285 if (!NT_STATUS_IS_OK(result) && NT_STATUS_V(result) !=
286 NT_STATUS_V(STATUS_SOME_UNMAPPED))
287 goto done;
288
289 result = NT_STATUS_OK;
290
291 /* Print results */
292
293 for (i = 0; i < (argc - 2); i++) {
294 fstring sid_str;
295 sid_to_fstring(sid_str, &sids[i]);
296 printf("%s %s (%s: %d)\n", argv[i + 2], sid_str,
297 sid_type_lookup(types[i]), types[i]);
298 }
299
300 rpccli_lsa_Close(cli, mem_ctx, &pol);
301
302 done:
303 return result;
304 }
305
306 static NTSTATUS cmd_lsa_lookup_names4(struct rpc_pipe_client *cli,
307 TALLOC_CTX *mem_ctx, int argc,
308 const char **argv)
309 {
310 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
311
312 uint32_t num_names;
313 struct lsa_String *names;
314 struct lsa_RefDomainList *domains;
315 struct lsa_TransSidArray3 sids;
316 uint32_t count = 0;
317 int i;
318
319 if (argc == 1) {
320 printf("Usage: %s [name1 [name2 [...]]]\n", argv[0]);
321 return NT_STATUS_OK;
322 }
323
324 ZERO_STRUCT(sids);
325
326 num_names = argc-1;
327 names = talloc_array(mem_ctx, struct lsa_String, num_names);
328 NT_STATUS_HAVE_NO_MEMORY(names);
329
330 for (i=0; i < num_names; i++) {
331 init_lsa_String(&names[i], argv[i+1]);
332 }
333
334 result = rpccli_lsa_LookupNames4(cli, mem_ctx,
335 num_names,
336 names,
337 &domains,
338 &sids,
339 1,
340 &count,
341 0,
342 0);
343 if (!NT_STATUS_IS_OK(result)) {
344 return result;
345 }
346
347 for (i = 0; i < sids.count; i++) {
348 fstring sid_str;
349 sid_to_fstring(sid_str, sids.sids[i].sid);
350 printf("%s %s (%s: %d)\n", argv[i+1], sid_str,
351 sid_type_lookup(sids.sids[i].sid_type),
352 sids.sids[i].sid_type);
353 }
354
355 return result;
356 }
357
358 /* Resolve a list of SIDs to a list of names */
359
360 static NTSTATUS cmd_lsa_lookup_sids(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
361 int argc, const char **argv)
362 {
363 struct policy_handle pol;
364 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
365 struct dom_sid *sids;
366 char **domains;
367 char **names;
368 enum lsa_SidType *types;
369 int i;
370
371 if (argc == 1) {
372 printf("Usage: %s [sid1 [sid2 [...]]]\n", argv[0]);
373 return NT_STATUS_OK;
374 }
375
376 result = rpccli_lsa_open_policy(cli, mem_ctx, True,
377 SEC_FLAG_MAXIMUM_ALLOWED,
378 &pol);
379
380 if (!NT_STATUS_IS_OK(result))
381 goto done;
382
383 /* Convert arguments to sids */
384
385 sids = TALLOC_ARRAY(mem_ctx, struct dom_sid, argc - 1);
386
387 if (!sids) {
388 printf("could not allocate memory for %d sids\n", argc - 1);
389 goto done;
390 }
391
392 for (i = 0; i < argc - 1; i++)
393 if (!string_to_sid(&sids[i], argv[i + 1])) {
394 result = NT_STATUS_INVALID_SID;
395 goto done;
396 }
397
398 /* Lookup the SIDs */
399
400 result = rpccli_lsa_lookup_sids(cli, mem_ctx, &pol, argc - 1, sids,
401 &domains, &names, &types);
402
403 if (!NT_STATUS_IS_OK(result) && NT_STATUS_V(result) !=
404 NT_STATUS_V(STATUS_SOME_UNMAPPED))
405 goto done;
406
407 result = NT_STATUS_OK;
408
409 /* Print results */
410
411 for (i = 0; i < (argc - 1); i++) {
412 fstring sid_str;
413
414 sid_to_fstring(sid_str, &sids[i]);
415 printf("%s %s\\%s (%d)\n", sid_str,
416 domains[i] ? domains[i] : "*unknown*",
417 names[i] ? names[i] : "*unknown*", types[i]);
418 }
419
420 rpccli_lsa_Close(cli, mem_ctx, &pol);
421
422 done:
423 return result;
424 }
425
426 /* Resolve a list of SIDs to a list of names */
427
428 static NTSTATUS cmd_lsa_lookup_sids3(struct rpc_pipe_client *cli,
429 TALLOC_CTX *mem_ctx,
430 int argc, const char **argv)
431 {
432 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
433 int i;
434 struct lsa_SidArray sids;
435 struct lsa_RefDomainList *domains;
436 struct lsa_TransNameArray2 names;
437 uint32_t count = 0;
438
439 if (argc == 1) {
440 printf("Usage: %s [sid1 [sid2 [...]]]\n", argv[0]);
441 return NT_STATUS_OK;
442 }
443
444 ZERO_STRUCT(names);
445
446 /* Convert arguments to sids */
447
448 sids.num_sids = argc-1;
449 sids.sids = talloc_array(mem_ctx, struct lsa_SidPtr, sids.num_sids);
450 if (!sids.sids) {
451 printf("could not allocate memory for %d sids\n", sids.num_sids);
452 goto done;
453 }
454
455 for (i = 0; i < sids.num_sids; i++) {
456 sids.sids[i].sid = talloc(sids.sids, struct dom_sid);
457 if (sids.sids[i].sid == NULL) {
458 result = NT_STATUS_NO_MEMORY;
459 goto done;
460 }
461 if (!string_to_sid(sids.sids[i].sid, argv[i+1])) {
462 result = NT_STATUS_INVALID_SID;
463 goto done;
464 }
465 }
466
467 /* Lookup the SIDs */
468 result = rpccli_lsa_LookupSids3(cli, mem_ctx,
469 &sids,
470 &domains,
471 &names,
472 1,
473 &count,
474 0,
475 0);
476
477 if (!NT_STATUS_IS_OK(result) && NT_STATUS_V(result) !=
478 NT_STATUS_V(STATUS_SOME_UNMAPPED))
479 goto done;
480
481 result = NT_STATUS_OK;
482
483 /* Print results */
484
485 for (i = 0; i < count; i++) {
486 fstring sid_str;
487
488 sid_to_fstring(sid_str, sids.sids[i].sid);
489 printf("%s %s (%d)\n", sid_str,
490 names.names[i].name.string,
491 names.names[i].sid_type);
492 }
493
494 done:
495 return result;
496 }
497
498
499 /* Enumerate list of trusted domains */
500
501 static NTSTATUS cmd_lsa_enum_trust_dom(struct rpc_pipe_client *cli,
502 TALLOC_CTX *mem_ctx, int argc,
503 const char **argv)
504 {
505 struct policy_handle pol;
506 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
507 struct lsa_DomainList domain_list;
508
509 /* defaults, but may be changed using params */
510 uint32 enum_ctx = 0;
511 int i;
512 uint32_t max_size = (uint32_t)-1;
513
514 if (argc > 2) {
515 printf("Usage: %s [enum context (0)]\n", argv[0]);
516 return NT_STATUS_OK;
517 }
518
519 if (argc == 2 && argv[1]) {
520 enum_ctx = atoi(argv[2]);
521 }
522
523 result = rpccli_lsa_open_policy(cli, mem_ctx, True,
524 LSA_POLICY_VIEW_LOCAL_INFORMATION,
525 &pol);
526
527 if (!NT_STATUS_IS_OK(result))
528 goto done;
529
530 result = STATUS_MORE_ENTRIES;
531
532 while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES)) {
533
534 /* Lookup list of trusted domains */
535
536 result = rpccli_lsa_EnumTrustDom(cli, mem_ctx,
537 &pol,
538 &enum_ctx,
539 &domain_list,
540 max_size);
541 if (!NT_STATUS_IS_OK(result) &&
542 !NT_STATUS_EQUAL(result, NT_STATUS_NO_MORE_ENTRIES) &&
543 !NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES))
544 goto done;
545
546 /* Print results: list of names and sids returned in this
547 * response. */
548 for (i = 0; i < domain_list.count; i++) {
549 fstring sid_str;
550
551 sid_to_fstring(sid_str, domain_list.domains[i].sid);
552 printf("%s %s\n",
553 domain_list.domains[i].name.string ?
554 domain_list.domains[i].name.string : "*unknown*",
555 sid_str);
556 }
557 }
558
559 rpccli_lsa_Close(cli, mem_ctx, &pol);
560 done:
561 return result;
562 }
563
564 /* Enumerates privileges */
565
566 static NTSTATUS cmd_lsa_enum_privilege(struct rpc_pipe_client *cli,
567 TALLOC_CTX *mem_ctx, int argc,
568 const char **argv)
569 {
570 struct policy_handle pol;
571 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
572 struct lsa_PrivArray priv_array;
573
574 uint32 enum_context=0;
575 uint32 pref_max_length=0x1000;
576 int i;
577
578 if (argc > 3) {
579 printf("Usage: %s [enum context] [max length]\n", argv[0]);
580 return NT_STATUS_OK;
581 }
582
583 if (argc>=2)
584 enum_context=atoi(argv[1]);
585
586 if (argc==3)
587 pref_max_length=atoi(argv[2]);
588
589 result = rpccli_lsa_open_policy(cli, mem_ctx, True,
590 SEC_FLAG_MAXIMUM_ALLOWED,
591 &pol);
592
593 if (!NT_STATUS_IS_OK(result))
594 goto done;
595
596 result = rpccli_lsa_EnumPrivs(cli, mem_ctx,
597 &pol,
598 &enum_context,
599 &priv_array,
600 pref_max_length);
601 if (!NT_STATUS_IS_OK(result))
602 goto done;
603
604 /* Print results */
605 printf("found %d privileges\n\n", priv_array.count);
606
607 for (i = 0; i < priv_array.count; i++) {
608 printf("%s \t\t%d:%d (0x%x:0x%x)\n",
609 priv_array.privs[i].name.string ? priv_array.privs[i].name.string : "*unknown*",
610 priv_array.privs[i].luid.high,
611 priv_array.privs[i].luid.low,
612 priv_array.privs[i].luid.high,
613 priv_array.privs[i].luid.low);
614 }
615
616 rpccli_lsa_Close(cli, mem_ctx, &pol);
617 done:
618 return result;
619 }
620
621 /* Get privilege name */
622
623 static NTSTATUS cmd_lsa_get_dispname(struct rpc_pipe_client *cli,
624 TALLOC_CTX *mem_ctx, int argc,
625 const char **argv)
626 {
627 struct policy_handle pol;
628 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
629
630 uint16 lang_id=0;
631 uint16 lang_id_sys=0;
632 uint16 lang_id_desc;
633 struct lsa_String lsa_name;
634 struct lsa_StringLarge *description = NULL;
635
636 if (argc != 2) {
637 printf("Usage: %s privilege name\n", argv[0]);
638 return NT_STATUS_OK;
639 }
640
641 result = rpccli_lsa_open_policy(cli, mem_ctx, True,
642 SEC_FLAG_MAXIMUM_ALLOWED,
643 &pol);
644
645 if (!NT_STATUS_IS_OK(result))
646 goto done;
647
648 init_lsa_String(&lsa_name, argv[1]);
649
650 result = rpccli_lsa_LookupPrivDisplayName(cli, mem_ctx,
651 &pol,
652 &lsa_name,
653 lang_id,
654 lang_id_sys,
655 &description,
656 &lang_id_desc);
657
658 if (!NT_STATUS_IS_OK(result))
659 goto done;
660
661 /* Print results */
662 printf("%s -> %s (language: 0x%x)\n", argv[1], description->string, lang_id_desc);
663
664 rpccli_lsa_Close(cli, mem_ctx, &pol);
665 done:
666 return result;
667 }
668
669 /* Enumerate the LSA SIDS */
670
671 static NTSTATUS cmd_lsa_enum_sids(struct rpc_pipe_client *cli,
672 TALLOC_CTX *mem_ctx, int argc,
673 const char **argv)
674 {
675 struct policy_handle pol;
676 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
677
678 uint32 enum_context=0;
679 uint32 pref_max_length=0x1000;
680 struct lsa_SidArray sid_array;
681 int i;
682
683 if (argc > 3) {
684 printf("Usage: %s [enum context] [max length]\n", argv[0]);
685 return NT_STATUS_OK;
686 }
687
688 if (argc>=2)
689 enum_context=atoi(argv[1]);
690
691 if (argc==3)
692 pref_max_length=atoi(argv[2]);
693
694 result = rpccli_lsa_open_policy(cli, mem_ctx, True,
695 SEC_FLAG_MAXIMUM_ALLOWED,
696 &pol);
697
698 if (!NT_STATUS_IS_OK(result))
699 goto done;
700
701 result = rpccli_lsa_EnumAccounts(cli, mem_ctx,
702 &pol,
703 &enum_context,
704 &sid_array,
705 pref_max_length);
706
707 if (!NT_STATUS_IS_OK(result))
708 goto done;
709
710 /* Print results */
711 printf("found %d SIDs\n\n", sid_array.num_sids);
712
713 for (i = 0; i < sid_array.num_sids; i++) {
714 fstring sid_str;
715
716 sid_to_fstring(sid_str, sid_array.sids[i].sid);
717 printf("%s\n", sid_str);
718 }
719
720 rpccli_lsa_Close(cli, mem_ctx, &pol);
721 done:
722 return result;
723 }
724
725 /* Create a new account */
726
727 static NTSTATUS cmd_lsa_create_account(struct rpc_pipe_client *cli,
728 TALLOC_CTX *mem_ctx, int argc,
729 const char **argv)
730 {
731 struct policy_handle dom_pol;
732 struct policy_handle user_pol;
733 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
734 uint32 des_access = 0x000f000f;
735
736 struct dom_sid sid;
737
738 if (argc != 2 ) {
739 printf("Usage: %s SID\n", argv[0]);
740 return NT_STATUS_OK;
741 }
742
743 result = name_to_sid(cli, mem_ctx, &sid, argv[1]);
744 if (!NT_STATUS_IS_OK(result))
745 goto done;
746
747 result = rpccli_lsa_open_policy2(cli, mem_ctx, True,
748 SEC_FLAG_MAXIMUM_ALLOWED,
749 &dom_pol);
750
751 if (!NT_STATUS_IS_OK(result))
752 goto done;
753
754 result = rpccli_lsa_CreateAccount(cli, mem_ctx,
755 &dom_pol,
756 &sid,
757 des_access,
758 &user_pol);
759
760 if (!NT_STATUS_IS_OK(result))
761 goto done;
762
763 printf("Account for SID %s successfully created\n\n", argv[1]);
764 result = NT_STATUS_OK;
765
766 rpccli_lsa_Close(cli, mem_ctx, &dom_pol);
767 done:
768 return result;
769 }
770
771
772 /* Enumerate the privileges of an SID */
773
774 static NTSTATUS cmd_lsa_enum_privsaccounts(struct rpc_pipe_client *cli,
775 TALLOC_CTX *mem_ctx, int argc,
776 const char **argv)
777 {
778 struct policy_handle dom_pol;
779 struct policy_handle user_pol;
780 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
781 uint32 access_desired = 0x000f000f;
782 struct dom_sid sid;
783 struct lsa_PrivilegeSet *privs = NULL;
784 int i;
785
786 if (argc != 2 ) {
787 printf("Usage: %s SID\n", argv[0]);
788 return NT_STATUS_OK;
789 }
790
791 result = name_to_sid(cli, mem_ctx, &sid, argv[1]);
792 if (!NT_STATUS_IS_OK(result))
793 goto done;
794
795 result = rpccli_lsa_open_policy2(cli, mem_ctx, True,
796 SEC_FLAG_MAXIMUM_ALLOWED,
797 &dom_pol);
798
799 if (!NT_STATUS_IS_OK(result))
800 goto done;
801
802 result = rpccli_lsa_OpenAccount(cli, mem_ctx,
803 &dom_pol,
804 &sid,
805 access_desired,
806 &user_pol);
807
808 if (!NT_STATUS_IS_OK(result))
809 goto done;
810
811 result = rpccli_lsa_EnumPrivsAccount(cli, mem_ctx,
812 &user_pol,
813 &privs);
814
815 if (!NT_STATUS_IS_OK(result))
816 goto done;
817
818 /* Print results */
819 printf("found %d privileges for SID %s\n\n", privs->count, argv[1]);
820 printf("high\tlow\tattribute\n");
821
822 for (i = 0; i < privs->count; i++) {
823 printf("%u\t%u\t%u\n",
824 privs->set[i].luid.high,
825 privs->set[i].luid.low,
826 privs->set[i].attribute);
827 }
828
829 rpccli_lsa_Close(cli, mem_ctx, &dom_pol);
830 done:
831 return result;
832 }
833
834
835 /* Enumerate the privileges of an SID via LsaEnumerateAccountRights */
836
837 static NTSTATUS cmd_lsa_enum_acct_rights(struct rpc_pipe_client *cli,
838 TALLOC_CTX *mem_ctx, int argc,
839 const char **argv)
840 {
841 struct policy_handle dom_pol;
842 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
843 struct dom_sid sid;
844 struct lsa_RightSet rights;
845
846 int i;
847
848 if (argc != 2 ) {
849 printf("Usage: %s SID\n", argv[0]);
850 return NT_STATUS_OK;
851 }
852
853 result = name_to_sid(cli, mem_ctx, &sid, argv[1]);
854 if (!NT_STATUS_IS_OK(result))
855 goto done;
856
857 result = rpccli_lsa_open_policy2(cli, mem_ctx, True,
858 SEC_FLAG_MAXIMUM_ALLOWED,
859 &dom_pol);
860
861 if (!NT_STATUS_IS_OK(result))
862 goto done;
863
864 result = rpccli_lsa_EnumAccountRights(cli, mem_ctx,
865 &dom_pol,
866 &sid,
867 &rights);
868
869 if (!NT_STATUS_IS_OK(result))
870 goto done;
871
872 printf("found %d privileges for SID %s\n", rights.count,
873 sid_string_tos(&sid));
874
875 for (i = 0; i < rights.count; i++) {
876 printf("\t%s\n", rights.names[i].string);
877 }
878
879 rpccli_lsa_Close(cli, mem_ctx, &dom_pol);
880 done:
881 return result;
882 }
883
884
885 /* add some privileges to a SID via LsaAddAccountRights */
886
887 static NTSTATUS cmd_lsa_add_acct_rights(struct rpc_pipe_client *cli,
888 TALLOC_CTX *mem_ctx, int argc,
889 const char **argv)
890 {
891 struct policy_handle dom_pol;
892 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
893 struct lsa_RightSet rights;
894 struct dom_sid sid;
895 int i;
896
897 if (argc < 3 ) {
898 printf("Usage: %s SID [rights...]\n", argv[0]);
899 return NT_STATUS_OK;
900 }
901
902 result = name_to_sid(cli, mem_ctx, &sid, argv[1]);
903 if (!NT_STATUS_IS_OK(result))
904 goto done;
905
906 result = rpccli_lsa_open_policy2(cli, mem_ctx, True,
907 SEC_FLAG_MAXIMUM_ALLOWED,
908 &dom_pol);
909
910 if (!NT_STATUS_IS_OK(result))
911 goto done;
912
913 rights.count = argc-2;
914 rights.names = TALLOC_ARRAY(mem_ctx, struct lsa_StringLarge,
915 rights.count);
916 if (!rights.names) {
917 return NT_STATUS_NO_MEMORY;
918 }
919
920 for (i=0; i<argc-2; i++) {
921 init_lsa_StringLarge(&rights.names[i], argv[i+2]);
922 }
923
924 result = rpccli_lsa_AddAccountRights(cli, mem_ctx,
925 &dom_pol,
926 &sid,
927 &rights);
928
929 if (!NT_STATUS_IS_OK(result))
930 goto done;
931
932 rpccli_lsa_Close(cli, mem_ctx, &dom_pol);
933 done:
934 return result;
935 }
936
937
938 /* remove some privileges to a SID via LsaRemoveAccountRights */
939
940 static NTSTATUS cmd_lsa_remove_acct_rights(struct rpc_pipe_client *cli,
941 TALLOC_CTX *mem_ctx, int argc,
942 const char **argv)
943 {
944 struct policy_handle dom_pol;
945 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
946 struct lsa_RightSet rights;
947 struct dom_sid sid;
948 int i;
949
950 if (argc < 3 ) {
951 printf("Usage: %s SID [rights...]\n", argv[0]);
952 return NT_STATUS_OK;
953 }
954
955 result = name_to_sid(cli, mem_ctx, &sid, argv[1]);
956 if (!NT_STATUS_IS_OK(result))
957 goto done;
958
959 result = rpccli_lsa_open_policy2(cli, mem_ctx, True,
960 SEC_FLAG_MAXIMUM_ALLOWED,
961 &dom_pol);
962
963 if (!NT_STATUS_IS_OK(result))
964 goto done;
965
966 rights.count = argc-2;
967 rights.names = TALLOC_ARRAY(mem_ctx, struct lsa_StringLarge,
968 rights.count);
969 if (!rights.names) {
970 return NT_STATUS_NO_MEMORY;
971 }
972
973 for (i=0; i<argc-2; i++) {
974 init_lsa_StringLarge(&rights.names[i], argv[i+2]);
975 }
976
977 result = rpccli_lsa_RemoveAccountRights(cli, mem_ctx,
978 &dom_pol,
979 &sid,
980 false,
981 &rights);
982
983 if (!NT_STATUS_IS_OK(result))
984 goto done;
985
986 rpccli_lsa_Close(cli, mem_ctx, &dom_pol);
987
988 done:
989 return result;
990 }
991
992
993 /* Get a privilege value given its name */
994
995 static NTSTATUS cmd_lsa_lookup_priv_value(struct rpc_pipe_client *cli,
996 TALLOC_CTX *mem_ctx, int argc,
997 const char **argv)
998 {
999 struct policy_handle pol;
1000 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1001 struct lsa_LUID luid;
1002 struct lsa_String name;
1003
1004 if (argc != 2 ) {
1005 printf("Usage: %s name\n", argv[0]);
1006 return NT_STATUS_OK;
1007 }
1008
1009 result = rpccli_lsa_open_policy2(cli, mem_ctx, True,
1010 SEC_FLAG_MAXIMUM_ALLOWED,
1011 &pol);
1012
1013 if (!NT_STATUS_IS_OK(result))
1014 goto done;
1015
1016 init_lsa_String(&name, argv[1]);
1017
1018 result = rpccli_lsa_LookupPrivValue(cli, mem_ctx,
1019 &pol,
1020 &name,
1021 &luid);
1022
1023 if (!NT_STATUS_IS_OK(result))
1024 goto done;
1025
1026 /* Print results */
1027
1028 printf("%u:%u (0x%x:0x%x)\n", luid.high, luid.low, luid.high, luid.low);
1029
1030 rpccli_lsa_Close(cli, mem_ctx, &pol);
1031 done:
1032 return result;
1033 }
1034
1035 /* Query LSA security object */
1036
1037 static NTSTATUS cmd_lsa_query_secobj(struct rpc_pipe_client *cli,
1038 TALLOC_CTX *mem_ctx, int argc,
1039 const char **argv)
1040 {
1041 struct policy_handle pol;
1042 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1043 struct sec_desc_buf *sdb;
1044 uint32 sec_info = SECINFO_DACL;
1045
1046 if (argc < 1 || argc > 2) {
1047 printf("Usage: %s [sec_info]\n", argv[0]);
1048 return NT_STATUS_OK;
1049 }
1050
1051 result = rpccli_lsa_open_policy2(cli, mem_ctx, True,
1052 SEC_FLAG_MAXIMUM_ALLOWED,
1053 &pol);
1054
1055 if (argc == 2)
1056 sscanf(argv[1], "%x", &sec_info);
1057
1058 if (!NT_STATUS_IS_OK(result))
1059 goto done;
1060
1061 result = rpccli_lsa_QuerySecurity(cli, mem_ctx,
1062 &pol,
1063 sec_info,
1064 &sdb);
1065 if (!NT_STATUS_IS_OK(result))
1066 goto done;
1067
1068 /* Print results */
1069
1070 display_sec_desc(sdb->sd);
1071
1072 rpccli_lsa_Close(cli, mem_ctx, &pol);
1073 done:
1074 return result;
1075 }
1076
1077 static void display_trust_dom_info_4(struct lsa_TrustDomainInfoPassword *p,
1078 uint8_t session_key[16])
1079 {
1080 char *pwd, *pwd_old;
1081
1082 DATA_BLOB data = data_blob_const(p->password->data, p->password->length);
1083 DATA_BLOB data_old = data_blob_const(p->old_password->data, p->old_password->length);
1084 DATA_BLOB session_key_blob = data_blob_const(session_key, sizeof(session_key));
1085
1086 pwd = sess_decrypt_string(talloc_tos(), &data, &session_key_blob);
1087 pwd_old = sess_decrypt_string(talloc_tos(), &data_old, &session_key_blob);
1088
1089 d_printf("Password:\t%s\n", pwd);
1090 d_printf("Old Password:\t%s\n", pwd_old);
1091
1092 talloc_free(pwd);
1093 talloc_free(pwd_old);
1094 }
1095
1096 static void display_trust_dom_info(TALLOC_CTX *mem_ctx,
1097 union lsa_TrustedDomainInfo *info,
1098 enum lsa_TrustDomInfoEnum info_class,
1099 uint8_t nt_hash[16])
1100 {
1101 switch (info_class) {
1102 case LSA_TRUSTED_DOMAIN_INFO_PASSWORD:
1103 display_trust_dom_info_4(&info->password, nt_hash);
1104 break;
1105 default: {
1106 const char *str = NULL;
1107 str = NDR_PRINT_UNION_STRING(mem_ctx,
1108 lsa_TrustedDomainInfo,
1109 info_class, info);
1110 if (str) {
1111 d_printf("%s\n", str);
1112 }
1113 break;
1114 }
1115 }
1116 }
1117
1118 static NTSTATUS cmd_lsa_query_trustdominfobysid(struct rpc_pipe_client *cli,
1119 TALLOC_CTX *mem_ctx, int argc,
1120 const char **argv)
1121 {
1122 struct policy_handle pol;
1123 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1124 struct dom_sid dom_sid;
1125 uint32 access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
1126 union lsa_TrustedDomainInfo *info = NULL;
1127 enum lsa_TrustDomInfoEnum info_class = 1;
1128 uint8_t nt_hash[16];
1129
1130 if (argc > 3 || argc < 2) {
1131 printf("Usage: %s [sid] [info_class]\n", argv[0]);
1132 return NT_STATUS_OK;
1133 }
1134
1135 if (!string_to_sid(&dom_sid, argv[1]))
1136 return NT_STATUS_NO_MEMORY;
1137
1138 if (argc == 3)
1139 info_class = atoi(argv[2]);
1140
1141 result = rpccli_lsa_open_policy2(cli, mem_ctx, True, access_mask, &pol);
1142
1143 if (!NT_STATUS_IS_OK(result))
1144 goto done;
1145
1146 result = rpccli_lsa_QueryTrustedDomainInfoBySid(cli, mem_ctx,
1147 &pol,
1148 &dom_sid,
1149 info_class,
1150 &info);
1151 if (!NT_STATUS_IS_OK(result))
1152 goto done;
1153
1154 if (!rpccli_get_pwd_hash(cli, nt_hash)) {
1155 d_fprintf(stderr, "Could not get pwd hash\n");
1156 goto done;
1157 }
1158
1159 display_trust_dom_info(mem_ctx, info, info_class, nt_hash);
1160
1161 done:
1162 rpccli_lsa_Close(cli, mem_ctx, &pol);
1163
1164 return result;
1165 }
1166
1167 static NTSTATUS cmd_lsa_query_trustdominfobyname(struct rpc_pipe_client *cli,
1168 TALLOC_CTX *mem_ctx, int argc,
1169 const char **argv)
1170 {
1171 struct policy_handle pol;
1172 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1173 uint32 access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
1174 union lsa_TrustedDomainInfo *info = NULL;
1175 enum lsa_TrustDomInfoEnum info_class = 1;
1176 struct lsa_String trusted_domain;
1177 uint8_t nt_hash[16];
1178
1179 if (argc > 3 || argc < 2) {
1180 printf("Usage: %s [name] [info_class]\n", argv[0]);
1181 return NT_STATUS_OK;
1182 }
1183
1184 if (argc == 3)
1185 info_class = atoi(argv[2]);
1186
1187 result = rpccli_lsa_open_policy2(cli, mem_ctx, True, access_mask, &pol);
1188
1189 if (!NT_STATUS_IS_OK(result))
1190 goto done;
1191
1192 init_lsa_String(&trusted_domain, argv[1]);
1193
1194 result = rpccli_lsa_QueryTrustedDomainInfoByName(cli, mem_ctx,
1195 &pol,
1196 &trusted_domain,
1197 info_class,
1198 &info);
1199 if (!NT_STATUS_IS_OK(result))
1200 goto done;
1201
1202 if (!rpccli_get_pwd_hash(cli, nt_hash)) {
1203 d_fprintf(stderr, "Could not get pwd hash\n");
1204 goto done;
1205 }
1206
1207 display_trust_dom_info(mem_ctx, info, info_class, nt_hash);
1208
1209 done:
1210 rpccli_lsa_Close(cli, mem_ctx, &pol);
1211
1212 return result;
1213 }
1214
1215 static NTSTATUS cmd_lsa_query_trustdominfo(struct rpc_pipe_client *cli,
1216 TALLOC_CTX *mem_ctx, int argc,
1217 const char **argv)
1218 {
1219 struct policy_handle pol, trustdom_pol;
1220 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1221 uint32 access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
1222 union lsa_TrustedDomainInfo *info = NULL;
1223 struct dom_sid dom_sid;
1224 enum lsa_TrustDomInfoEnum info_class = 1;
1225 uint8_t nt_hash[16];
1226
1227 if (argc > 3 || argc < 2) {
1228 printf("Usage: %s [sid] [info_class]\n", argv[0]);
1229 return NT_STATUS_OK;
1230 }
1231
1232 if (!string_to_sid(&dom_sid, argv[1]))
1233 return NT_STATUS_NO_MEMORY;
1234
1235
1236 if (argc == 3)
1237 info_class = atoi(argv[2]);
1238
1239 result = rpccli_lsa_open_policy2(cli, mem_ctx, True, access_mask, &pol);
1240
1241 if (!NT_STATUS_IS_OK(result))
1242 goto done;
1243
1244 result = rpccli_lsa_OpenTrustedDomain(cli, mem_ctx,
1245 &pol,
1246 &dom_sid,
1247 access_mask,
1248 &trustdom_pol);
1249
1250 if (!NT_STATUS_IS_OK(result))
1251 goto done;
1252
1253 result = rpccli_lsa_QueryTrustedDomainInfo(cli, mem_ctx,
1254 &trustdom_pol,
1255 info_class,
1256 &info);
1257
1258 if (!NT_STATUS_IS_OK(result))
1259 goto done;
1260
1261 if (!rpccli_get_pwd_hash(cli, nt_hash)) {
1262 d_fprintf(stderr, "Could not get pwd hash\n");
1263 goto done;
1264 }
1265
1266 display_trust_dom_info(mem_ctx, info, info_class, nt_hash);
1267
1268 done:
1269 rpccli_lsa_Close(cli, mem_ctx, &pol);
1270
1271 return result;
1272 }
1273
1274 static NTSTATUS cmd_lsa_get_username(struct rpc_pipe_client *cli,
1275 TALLOC_CTX *mem_ctx, int argc,
1276 const char **argv)
1277 {
1278 struct policy_handle pol;
1279 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1280 const char *servername = cli->desthost;
1281 struct lsa_String *account_name = NULL;
1282 struct lsa_String *authority_name = NULL;
1283
1284 if (argc > 2) {
1285 printf("Usage: %s servername\n", argv[0]);
1286 return NT_STATUS_OK;
1287 }
1288
1289 result = rpccli_lsa_open_policy(cli, mem_ctx, true,
1290 SEC_FLAG_MAXIMUM_ALLOWED,
1291 &pol);
1292
1293 if (!NT_STATUS_IS_OK(result)) {
1294 goto done;
1295 }
1296
1297 result = rpccli_lsa_GetUserName(cli, mem_ctx,
1298 servername,
1299 &account_name,
1300 &authority_name);
1301 if (!NT_STATUS_IS_OK(result)) {
1302 goto done;
1303 }
1304
1305 /* Print results */
1306
1307 printf("Account Name: %s, Authority Name: %s\n",
1308 account_name->string, authority_name ? authority_name->string :
1309 "");
1310
1311 rpccli_lsa_Close(cli, mem_ctx, &pol);
1312 done:
1313 return result;
1314 }
1315
1316 static NTSTATUS cmd_lsa_add_priv(struct rpc_pipe_client *cli,
1317 TALLOC_CTX *mem_ctx, int argc,
1318 const char **argv)
1319 {
1320 struct policy_handle dom_pol, user_pol;
1321 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1322 struct lsa_PrivilegeSet privs;
1323 struct lsa_LUIDAttribute *set = NULL;
1324 struct dom_sid sid;
1325 int i;
1326
1327 ZERO_STRUCT(privs);
1328
1329 if (argc < 3 ) {
1330 printf("Usage: %s SID [rights...]\n", argv[0]);
1331 return NT_STATUS_OK;
1332 }
1333
1334 result = name_to_sid(cli, mem_ctx, &sid, argv[1]);
1335 if (!NT_STATUS_IS_OK(result)) {
1336 goto done;
1337 }
1338
1339 result = rpccli_lsa_open_policy2(cli, mem_ctx, True,
1340 SEC_FLAG_MAXIMUM_ALLOWED,
1341 &dom_pol);
1342
1343 if (!NT_STATUS_IS_OK(result)) {
1344 goto done;
1345 }
1346
1347 result = rpccli_lsa_OpenAccount(cli, mem_ctx,
1348 &dom_pol,
1349 &sid,
1350 SEC_FLAG_MAXIMUM_ALLOWED,
1351 &user_pol);
1352
1353 if (!NT_STATUS_IS_OK(result)) {
1354 goto done;
1355 }
1356
1357 for (i=2; i<argc; i++) {
1358
1359 struct lsa_String priv_name;
1360 struct lsa_LUID luid;
1361
1362 init_lsa_String(&priv_name, argv[i]);
1363
1364 result = rpccli_lsa_LookupPrivValue(cli, mem_ctx,
1365 &dom_pol,
1366 &priv_name,
1367 &luid);
1368 if (!NT_STATUS_IS_OK(result)) {
1369 continue;
1370 }
1371
1372 privs.count++;
1373 set = TALLOC_REALLOC_ARRAY(mem_ctx, set,
1374 struct lsa_LUIDAttribute,
1375 privs.count);
1376 if (!set) {
1377 return NT_STATUS_NO_MEMORY;
1378 }
1379
1380 set[privs.count-1].luid = luid;
1381 set[privs.count-1].attribute = 0;
1382 }
1383
1384 privs.set = set;
1385
1386 result = rpccli_lsa_AddPrivilegesToAccount(cli, mem_ctx,
1387 &user_pol,
1388 &privs);
1389
1390 if (!NT_STATUS_IS_OK(result)) {
1391 goto done;
1392 }
1393
1394 rpccli_lsa_Close(cli, mem_ctx, &user_pol);
1395 rpccli_lsa_Close(cli, mem_ctx, &dom_pol);
1396 done:
1397 return result;
1398 }
1399
1400 static NTSTATUS cmd_lsa_del_priv(struct rpc_pipe_client *cli,
1401 TALLOC_CTX *mem_ctx, int argc,
1402 const char **argv)
1403 {
1404 struct policy_handle dom_pol, user_pol;
1405 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1406 struct lsa_PrivilegeSet privs;
1407 struct lsa_LUIDAttribute *set = NULL;
1408 struct dom_sid sid;
1409 int i;
1410
1411 ZERO_STRUCT(privs);
1412
1413 if (argc < 3 ) {
1414 printf("Usage: %s SID [rights...]\n", argv[0]);
1415 return NT_STATUS_OK;
1416 }
1417
1418 result = name_to_sid(cli, mem_ctx, &sid, argv[1]);
1419 if (!NT_STATUS_IS_OK(result)) {
1420 goto done;
1421 }
1422
1423 result = rpccli_lsa_open_policy2(cli, mem_ctx, True,
1424 SEC_FLAG_MAXIMUM_ALLOWED,
1425 &dom_pol);
1426
1427 if (!NT_STATUS_IS_OK(result)) {
1428 goto done;
1429 }
1430
1431 result = rpccli_lsa_OpenAccount(cli, mem_ctx,
1432 &dom_pol,
1433 &sid,
1434 SEC_FLAG_MAXIMUM_ALLOWED,
1435 &user_pol);
1436
1437 if (!NT_STATUS_IS_OK(result)) {
1438 goto done;
1439 }
1440
1441 for (i=2; i<argc; i++) {
1442
1443 struct lsa_String priv_name;
1444 struct lsa_LUID luid;
1445
1446 init_lsa_String(&priv_name, argv[i]);
1447
1448 result = rpccli_lsa_LookupPrivValue(cli, mem_ctx,
1449 &dom_pol,
1450 &priv_name,
1451 &luid);
1452 if (!NT_STATUS_IS_OK(result)) {
1453 continue;
1454 }
1455
1456 privs.count++;
1457 set = TALLOC_REALLOC_ARRAY(mem_ctx, set,
1458 struct lsa_LUIDAttribute,
1459 privs.count);
1460 if (!set) {
1461 return NT_STATUS_NO_MEMORY;
1462 }
1463
1464 set[privs.count-1].luid = luid;
1465 set[privs.count-1].attribute = 0;
1466 }
1467
1468 privs.set = set;
1469
1470
1471 result = rpccli_lsa_RemovePrivilegesFromAccount(cli, mem_ctx,
1472 &user_pol,
1473 false,
1474 &privs);
1475
1476 if (!NT_STATUS_IS_OK(result)) {
1477 goto done;
1478 }
1479
1480 rpccli_lsa_Close(cli, mem_ctx, &user_pol);
1481 rpccli_lsa_Close(cli, mem_ctx, &dom_pol);
1482 done:
1483 return result;
1484 }
1485
1486 static NTSTATUS cmd_lsa_create_secret(struct rpc_pipe_client *cli,
1487 TALLOC_CTX *mem_ctx, int argc,
1488 const char **argv)
1489 {
1490 NTSTATUS status;
1491 struct policy_handle handle, sec_handle;
1492 struct lsa_String name;
1493
1494 if (argc < 2) {
1495 printf("Usage: %s name\n", argv[0]);
1496 return NT_STATUS_OK;
1497 }
1498
1499 status = rpccli_lsa_open_policy2(cli, mem_ctx,
1500 true,
1501 SEC_FLAG_MAXIMUM_ALLOWED,
1502 &handle);
1503 if (!NT_STATUS_IS_OK(status)) {
1504 return status;
1505 }
1506
1507 init_lsa_String(&name, argv[1]);
1508
1509 status = rpccli_lsa_CreateSecret(cli, mem_ctx,
1510 &handle,
1511 name,
1512 SEC_FLAG_MAXIMUM_ALLOWED,
1513 &sec_handle);
1514 if (!NT_STATUS_IS_OK(status)) {
1515 goto done;
1516 }
1517
1518 done:
1519 if (is_valid_policy_hnd(&sec_handle)) {
1520 rpccli_lsa_Close(cli, mem_ctx, &sec_handle);
1521 }
1522 if (is_valid_policy_hnd(&handle)) {
1523 rpccli_lsa_Close(cli, mem_ctx, &handle);
1524 }
1525
1526 return status;
1527 }
1528
1529 static NTSTATUS cmd_lsa_delete_secret(struct rpc_pipe_client *cli,
1530 TALLOC_CTX *mem_ctx, int argc,
1531 const char **argv)
1532 {
1533 NTSTATUS status;
1534 struct policy_handle handle, sec_handle;
1535 struct lsa_String name;
1536
1537 if (argc < 2) {
1538 printf("Usage: %s name\n", argv[0]);
1539 return NT_STATUS_OK;
1540 }
1541
1542 status = rpccli_lsa_open_policy2(cli, mem_ctx,
1543 true,
1544 SEC_FLAG_MAXIMUM_ALLOWED,
1545 &handle);
1546 if (!NT_STATUS_IS_OK(status)) {
1547 return status;
1548 }
1549
1550 init_lsa_String(&name, argv[1]);
1551
1552 status = rpccli_lsa_OpenSecret(cli, mem_ctx,
1553 &handle,
1554 name,
1555 SEC_FLAG_MAXIMUM_ALLOWED,
1556 &sec_handle);
1557 if (!NT_STATUS_IS_OK(status)) {
1558 goto done;
1559 }
1560
1561 status = rpccli_lsa_DeleteObject(cli, mem_ctx,
1562 &sec_handle);
1563 if (!NT_STATUS_IS_OK(status)) {
1564 goto done;
1565 }
1566
1567 done:
1568 if (is_valid_policy_hnd(&sec_handle)) {
1569 rpccli_lsa_Close(cli, mem_ctx, &sec_handle);
1570 }
1571 if (is_valid_policy_hnd(&handle)) {
1572 rpccli_lsa_Close(cli, mem_ctx, &handle);
1573 }
1574
1575 return status;
1576 }
1577
1578 static NTSTATUS cmd_lsa_query_secret(struct rpc_pipe_client *cli,
1579 TALLOC_CTX *mem_ctx, int argc,
1580 const char **argv)
1581 {
1582 NTSTATUS status;
1583 struct policy_handle handle, sec_handle;
1584 struct lsa_String name;
1585 struct lsa_DATA_BUF_PTR new_val;
1586 NTTIME new_mtime = 0;
1587 struct lsa_DATA_BUF_PTR old_val;
1588 NTTIME old_mtime = 0;
1589 DATA_BLOB session_key;
1590 DATA_BLOB new_blob = data_blob_null;
1591 DATA_BLOB old_blob = data_blob_null;
1592 char *new_secret, *old_secret;
1593
1594 if (argc < 2) {
1595 printf("Usage: %s name\n", argv[0]);
1596 return NT_STATUS_OK;
1597 }
1598
1599 status = rpccli_lsa_open_policy2(cli, mem_ctx,
1600 true,
1601 SEC_FLAG_MAXIMUM_ALLOWED,
1602 &handle);
1603 if (!NT_STATUS_IS_OK(status)) {
1604 return status;
1605 }
1606
1607 init_lsa_String(&name, argv[1]);
1608
1609 status = rpccli_lsa_OpenSecret(cli, mem_ctx,
1610 &handle,
1611 name,
1612 SEC_FLAG_MAXIMUM_ALLOWED,
1613 &sec_handle);
1614 if (!NT_STATUS_IS_OK(status)) {
1615 goto done;
1616 }
1617
1618 ZERO_STRUCT(new_val);
1619 ZERO_STRUCT(old_val);
1620
1621 status = rpccli_lsa_QuerySecret(cli, mem_ctx,
1622 &sec_handle,
1623 &new_val,
1624 &new_mtime,
1625 &old_val,
1626 &old_mtime);
1627 if (!NT_STATUS_IS_OK(status)) {
1628 goto done;
1629 }
1630
1631 status = cli_get_session_key(mem_ctx, cli, &session_key);
1632 if (!NT_STATUS_IS_OK(status)) {
1633 goto done;
1634 }
1635
1636 if (new_val.buf) {
1637 new_blob = data_blob_const(new_val.buf->data, new_val.buf->length);
1638 }
1639 if (old_val.buf) {
1640 old_blob = data_blob_const(old_val.buf->data, old_val.buf->length);
1641 }
1642
1643 new_secret = sess_decrypt_string(mem_ctx, &new_blob, &session_key);
1644 old_secret = sess_decrypt_string(mem_ctx, &old_blob, &session_key);
1645 if (new_secret) {
1646 d_printf("new secret: %s\n", new_secret);
1647 }
1648 if (old_secret) {
1649 d_printf("old secret: %s\n", old_secret);
1650 }
1651
1652 done:
1653 if (is_valid_policy_hnd(&sec_handle)) {
1654 rpccli_lsa_Close(cli, mem_ctx, &sec_handle);
1655 }
1656 if (is_valid_policy_hnd(&handle)) {
1657 rpccli_lsa_Close(cli, mem_ctx, &handle);
1658 }
1659
1660 return status;
1661 }
1662
1663 static NTSTATUS cmd_lsa_set_secret(struct rpc_pipe_client *cli,
1664 TALLOC_CTX *mem_ctx, int argc,
1665 const char **argv)
1666 {
1667 NTSTATUS status;
1668 struct policy_handle handle, sec_handle;
1669 struct lsa_String name;
1670 struct lsa_DATA_BUF new_val;
1671 struct lsa_DATA_BUF old_val;
1672 DATA_BLOB enc_key;
1673 DATA_BLOB session_key;
1674
1675 if (argc < 3) {
1676 printf("Usage: %s name secret\n", argv[0]);
1677 return NT_STATUS_OK;
1678 }
1679
1680 status = rpccli_lsa_open_policy2(cli, mem_ctx,
1681 true,
1682 SEC_FLAG_MAXIMUM_ALLOWED,
1683 &handle);
1684 if (!NT_STATUS_IS_OK(status)) {
1685 return status;
1686 }
1687
1688 init_lsa_String(&name, argv[1]);
1689
1690 status = rpccli_lsa_OpenSecret(cli, mem_ctx,
1691 &handle,
1692 name,
1693 SEC_FLAG_MAXIMUM_ALLOWED,
1694 &sec_handle);
1695 if (!NT_STATUS_IS_OK(status)) {
1696 goto done;
1697 }
1698
1699 ZERO_STRUCT(new_val);
1700 ZERO_STRUCT(old_val);
1701
1702 status = cli_get_session_key(mem_ctx, cli, &session_key);
1703 if (!NT_STATUS_IS_OK(status)) {
1704 goto done;
1705 }
1706
1707 enc_key = sess_encrypt_string(argv[2], &session_key);
1708
1709 new_val.length = enc_key.length;
1710 new_val.size = enc_key.length;
1711 new_val.data = enc_key.data;
1712
1713 status = rpccli_lsa_SetSecret(cli, mem_ctx,
1714 &sec_handle,
1715 &new_val,
1716 NULL);
1717 if (!NT_STATUS_IS_OK(status)) {
1718 goto done;
1719 }
1720
1721 done:
1722 if (is_valid_policy_hnd(&sec_handle)) {
1723 rpccli_lsa_Close(cli, mem_ctx, &sec_handle);
1724 }
1725 if (is_valid_policy_hnd(&handle)) {
1726 rpccli_lsa_Close(cli, mem_ctx, &handle);
1727 }
1728
1729 return status;
1730 }
1731
1732 static NTSTATUS cmd_lsa_retrieve_private_data(struct rpc_pipe_client *cli,
1733 TALLOC_CTX *mem_ctx, int argc,
1734 const char **argv)
1735 {
1736 NTSTATUS status;
1737 struct policy_handle handle;
1738 struct lsa_String name;
1739 struct lsa_DATA_BUF *val;
1740 DATA_BLOB session_key;
1741 DATA_BLOB blob = data_blob_null;
1742 char *secret;
1743
1744 if (argc < 2) {
1745 printf("Usage: %s name\n", argv[0]);
1746 return NT_STATUS_OK;
1747 }
1748
1749 status = rpccli_lsa_open_policy2(cli, mem_ctx,
1750 true,
1751 SEC_FLAG_MAXIMUM_ALLOWED,
1752 &handle);
1753 if (!NT_STATUS_IS_OK(status)) {
1754 return status;
1755 }
1756
1757 init_lsa_String(&name, argv[1]);
1758
1759 ZERO_STRUCT(val);
1760
1761 status = rpccli_lsa_RetrievePrivateData(cli, mem_ctx,
1762 &handle,
1763 &name,
1764 &val);
1765 if (!NT_STATUS_IS_OK(status)) {
1766 goto done;
1767 }
1768
1769 status = cli_get_session_key(mem_ctx, cli, &session_key);
1770 if (!NT_STATUS_IS_OK(status)) {
1771 goto done;
1772 }
1773
1774 if (val) {
1775 blob = data_blob_const(val->data, val->length);
1776 }
1777
1778 secret = sess_decrypt_string(mem_ctx, &blob, &session_key);
1779 if (secret) {
1780 d_printf("secret: %s\n", secret);
1781 }
1782
1783 done:
1784 if (is_valid_policy_hnd(&handle)) {
1785 rpccli_lsa_Close(cli, mem_ctx, &handle);
1786 }
1787
1788 return status;
1789 }
1790
1791 static NTSTATUS cmd_lsa_store_private_data(struct rpc_pipe_client *cli,
1792 TALLOC_CTX *mem_ctx, int argc,
1793 const char **argv)
1794 {
1795 NTSTATUS status;
1796 struct policy_handle handle;
1797 struct lsa_String name;
1798 struct lsa_DATA_BUF val;
1799 DATA_BLOB session_key;
1800 DATA_BLOB enc_key;
1801
1802 if (argc < 3) {
1803 printf("Usage: %s name secret\n", argv[0]);
1804 return NT_STATUS_OK;
1805 }
1806
1807 status = rpccli_lsa_open_policy2(cli, mem_ctx,
1808 true,
1809 SEC_FLAG_MAXIMUM_ALLOWED,
1810 &handle);
1811 if (!NT_STATUS_IS_OK(status)) {
1812 return status;
1813 }
1814
1815 init_lsa_String(&name, argv[1]);
1816
1817 ZERO_STRUCT(val);
1818
1819 status = cli_get_session_key(mem_ctx, cli, &session_key);
1820 if (!NT_STATUS_IS_OK(status)) {
1821 goto done;
1822 }
1823
1824 enc_key = sess_encrypt_string(argv[2], &session_key);
1825
1826 val.length = enc_key.length;
1827 val.size = enc_key.length;
1828 val.data = enc_key.data;
1829
1830 status = rpccli_lsa_StorePrivateData(cli, mem_ctx,
1831 &handle,
1832 &name,
1833 &val);
1834 if (!NT_STATUS_IS_OK(status)) {
1835 goto done;
1836 }
1837
1838 done:
1839 if (is_valid_policy_hnd(&handle)) {
1840 rpccli_lsa_Close(cli, mem_ctx, &handle);
1841 }
1842
1843 return status;
1844 }
1845
1846 static NTSTATUS cmd_lsa_create_trusted_domain(struct rpc_pipe_client *cli,
1847 TALLOC_CTX *mem_ctx, int argc,
1848 const char **argv)
1849 {
1850 NTSTATUS status;
1851 struct policy_handle handle, trustdom_handle;
1852 struct dom_sid sid;
1853 struct lsa_DomainInfo info;
1854
1855 if (argc < 3) {
1856 printf("Usage: %s name sid\n", argv[0]);
1857 return NT_STATUS_OK;
1858 }
1859
1860 status = rpccli_lsa_open_policy2(cli, mem_ctx,
1861 true,
1862 SEC_FLAG_MAXIMUM_ALLOWED,
1863 &handle);
1864 if (!NT_STATUS_IS_OK(status)) {
1865 return status;
1866 }
1867
1868 init_lsa_StringLarge(&info.name, argv[1]);
1869 info.sid = &sid;
1870 string_to_sid(&sid, argv[2]);
1871
1872 status = rpccli_lsa_CreateTrustedDomain(cli, mem_ctx,
1873 &handle,
1874 &info,
1875 SEC_FLAG_MAXIMUM_ALLOWED,
1876 &trustdom_handle);
1877 if (!NT_STATUS_IS_OK(status)) {
1878 goto done;
1879 }
1880
1881 done:
1882 if (is_valid_policy_hnd(&trustdom_handle)) {
1883 rpccli_lsa_Close(cli, mem_ctx, &trustdom_handle);
1884 }
1885
1886 if (is_valid_policy_hnd(&handle)) {
1887 rpccli_lsa_Close(cli, mem_ctx, &handle);
1888 }
1889
1890 return status;
1891 }
1892
1893 static NTSTATUS cmd_lsa_delete_trusted_domain(struct rpc_pipe_client *cli,
1894 TALLOC_CTX *mem_ctx, int argc,
1895 const char **argv)
1896 {
1897 NTSTATUS status;
1898 struct policy_handle handle, trustdom_handle;
1899 struct lsa_String name;
1900 struct dom_sid *sid = NULL;
1901
1902 if (argc < 2) {
1903 printf("Usage: %s name\n", argv[0]);
1904 return NT_STATUS_OK;
1905 }
1906
1907 status = rpccli_lsa_open_policy2(cli, mem_ctx,
1908 true,
1909 SEC_FLAG_MAXIMUM_ALLOWED,
1910 &handle);
1911 if (!NT_STATUS_IS_OK(status)) {
1912 return status;
1913 }
1914
1915 init_lsa_String(&name, argv[1]);
1916
1917 status = rpccli_lsa_OpenTrustedDomainByName(cli, mem_ctx,
1918 &handle,
1919 name,
1920 SEC_FLAG_MAXIMUM_ALLOWED,
1921 &trustdom_handle);
1922 if (NT_STATUS_IS_OK(status)) {
1923 goto delete_object;
1924 }
1925
1926 {
1927 uint32_t resume_handle = 0;
1928 struct lsa_DomainList domains;
1929 int i;
1930
1931 status = rpccli_lsa_EnumTrustDom(cli, mem_ctx,
1932 &handle,
1933 &resume_handle,
1934 &domains,
1935 0xffff);
1936 if (!NT_STATUS_IS_OK(status)) {
1937 goto done;
1938 }
1939
1940 for (i=0; i < domains.count; i++) {
1941 if (strequal(domains.domains[i].name.string, argv[1])) {
1942 sid = domains.domains[i].sid;
1943 break;
1944 }
1945 }
1946
1947 if (!sid) {
1948 return NT_STATUS_INVALID_SID;
1949 }
1950 }
1951
1952 status = rpccli_lsa_OpenTrustedDomain(cli, mem_ctx,
1953 &handle,
1954 sid,
1955 SEC_FLAG_MAXIMUM_ALLOWED,
1956 &trustdom_handle);
1957 if (!NT_STATUS_IS_OK(status)) {
1958 goto done;
1959 }
1960
1961 delete_object:
1962 status = rpccli_lsa_DeleteObject(cli, mem_ctx,
1963 &trustdom_handle);
1964 if (!NT_STATUS_IS_OK(status)) {
1965 goto done;
1966 }
1967
1968 done:
1969 if (is_valid_policy_hnd(&trustdom_handle)) {
1970 rpccli_lsa_Close(cli, mem_ctx, &trustdom_handle);
1971 }
1972
1973 if (is_valid_policy_hnd(&handle)) {
1974 rpccli_lsa_Close(cli, mem_ctx, &handle);
1975 }
1976
1977 return status;
1978 }
1979
1980
1981 /* List of commands exported by this module */
1982
1983 struct cmd_set lsarpc_commands[] = {
1984
1985 { "LSARPC" },
1986
1987 { "lsaquery", RPC_RTYPE_NTSTATUS, cmd_lsa_query_info_policy, NULL, &ndr_table_lsarpc.syntax_id, NULL, "Query info policy", "" },
1988 { "lookupsids", RPC_RTYPE_NTSTATUS, cmd_lsa_lookup_sids, NULL, &ndr_table_lsarpc.syntax_id, NULL, "Convert SIDs to names", "" },
1989 { "lookupsids3", RPC_RTYPE_NTSTATUS, cmd_lsa_lookup_sids3, NULL, &ndr_table_lsarpc.syntax_id, NULL, "Convert SIDs to names", "" },
1990 { "lookupnames", RPC_RTYPE_NTSTATUS, cmd_lsa_lookup_names, NULL, &ndr_table_lsarpc.syntax_id, NULL, "Convert names to SIDs", "" },
1991 { "lookupnames4", RPC_RTYPE_NTSTATUS, cmd_lsa_lookup_names4, NULL, &ndr_table_lsarpc.syntax_id, NULL, "Convert names to SIDs", "" },
1992 { "lookupnames_level", RPC_RTYPE_NTSTATUS, cmd_lsa_lookup_names_level, NULL, &ndr_table_lsarpc.syntax_id, NULL, "Convert names to SIDs", "" },
1993 { "enumtrust", RPC_RTYPE_NTSTATUS, cmd_lsa_enum_trust_dom, NULL, &ndr_table_lsarpc.syntax_id, NULL, "Enumerate trusted domains", "Usage: [preferred max number] [enum context (0)]" },
1994 { "enumprivs", RPC_RTYPE_NTSTATUS, cmd_lsa_enum_privilege, NULL, &ndr_table_lsarpc.syntax_id, NULL, "Enumerate privileges", "" },
1995 { "getdispname", RPC_RTYPE_NTSTATUS, cmd_lsa_get_dispname, NULL, &ndr_table_lsarpc.syntax_id, NULL, "Get the privilege name", "" },
1996 { "lsaenumsid", RPC_RTYPE_NTSTATUS, cmd_lsa_enum_sids, NULL, &ndr_table_lsarpc.syntax_id, NULL, "Enumerate the LSA SIDS", "" },
1997 { "lsacreateaccount", RPC_RTYPE_NTSTATUS, cmd_lsa_create_account, NULL, &ndr_table_lsarpc.syntax_id, NULL, "Create a new lsa account", "" },
1998 { "lsaenumprivsaccount", RPC_RTYPE_NTSTATUS, cmd_lsa_enum_privsaccounts, NULL, &ndr_table_lsarpc.syntax_id, NULL, "Enumerate the privileges of an SID", "" },
1999 { "lsaenumacctrights", RPC_RTYPE_NTSTATUS, cmd_lsa_enum_acct_rights, NULL, &ndr_table_lsarpc.syntax_id, NULL, "Enumerate the rights of an SID", "" },
2000 { "lsaaddpriv", RPC_RTYPE_NTSTATUS, cmd_lsa_add_priv, NULL, &ndr_table_lsarpc.syntax_id, NULL, "Assign a privilege to a SID", "" },
2001 { "lsadelpriv", RPC_RTYPE_NTSTATUS, cmd_lsa_del_priv, NULL, &ndr_table_lsarpc.syntax_id, NULL, "Revoke a privilege from a SID", "" },
2002 { "lsaaddacctrights", RPC_RTYPE_NTSTATUS, cmd_lsa_add_acct_rights, NULL, &ndr_table_lsarpc.syntax_id, NULL, "Add rights to an account", "" },
2003 { "lsaremoveacctrights", RPC_RTYPE_NTSTATUS, cmd_lsa_remove_acct_rights, NULL, &ndr_table_lsarpc.syntax_id, NULL, "Remove rights from an account", "" },
2004 { "lsalookupprivvalue", RPC_RTYPE_NTSTATUS, cmd_lsa_lookup_priv_value, NULL, &ndr_table_lsarpc.syntax_id, NULL, "Get a privilege value given its name", "" },
2005 { "lsaquerysecobj", RPC_RTYPE_NTSTATUS, cmd_lsa_query_secobj, NULL, &ndr_table_lsarpc.syntax_id, NULL, "Query LSA security object", "" },
2006 { "lsaquerytrustdominfo",RPC_RTYPE_NTSTATUS, cmd_lsa_query_trustdominfo, NULL, &ndr_table_lsarpc.syntax_id, NULL, "Query LSA trusted domains info (given a SID)", "" },
2007 { "lsaquerytrustdominfobyname",RPC_RTYPE_NTSTATUS, cmd_lsa_query_trustdominfobyname, NULL, &ndr_table_lsarpc.syntax_id, NULL, "Query LSA trusted domains info (given a name), only works for Windows > 2k", "" },
2008 { "lsaquerytrustdominfobysid",RPC_RTYPE_NTSTATUS, cmd_lsa_query_trustdominfobysid, NULL, &ndr_table_lsarpc.syntax_id, NULL, "Query LSA trusted domains info (given a SID)", "" },
2009 { "getusername", RPC_RTYPE_NTSTATUS, cmd_lsa_get_username, NULL, &ndr_table_lsarpc.syntax_id, NULL, "Get username", "" },
2010 { "createsecret", RPC_RTYPE_NTSTATUS, cmd_lsa_create_secret, NULL, &ndr_table_lsarpc.syntax_id, NULL, "Create Secret", "" },
2011 { "deletesecret", RPC_RTYPE_NTSTATUS, cmd_lsa_delete_secret, NULL, &ndr_table_lsarpc.syntax_id, NULL, "Delete Secret", "" },
2012 { "querysecret", RPC_RTYPE_NTSTATUS, cmd_lsa_query_secret, NULL, &ndr_table_lsarpc.syntax_id, NULL, "Query Secret", "" },
2013 { "setsecret", RPC_RTYPE_NTSTATUS, cmd_lsa_set_secret, NULL, &ndr_table_lsarpc.syntax_id, NULL, "Set Secret", "" },
2014 { "retrieveprivatedata", RPC_RTYPE_NTSTATUS, cmd_lsa_retrieve_private_data, NULL, &ndr_table_lsarpc.syntax_id, NULL, "Retrieve Private Data", "" },
2015 { "storeprivatedata", RPC_RTYPE_NTSTATUS, cmd_lsa_store_private_data, NULL, &ndr_table_lsarpc.syntax_id, NULL, "Store Private Data", "" },
2016 { "createtrustdom", RPC_RTYPE_NTSTATUS, cmd_lsa_create_trusted_domain, NULL, &ndr_table_lsarpc.syntax_id, NULL, "Create Trusted Domain", "" },
2017 { "deletetrustdom", RPC_RTYPE_NTSTATUS, cmd_lsa_delete_trusted_domain, NULL, &ndr_table_lsarpc.syntax_id, NULL, "Delete Trusted Domain", "" },
2018
2019 { NULL }
2020 };
2021
WIP