2 Samba Unix/Linux SMB client library
3 Distributed SMB/CIFS Server Management Utility
4 Copyright (C) Gerald (Jerry) Carter 2004
5 Copyright (C) Guenther Deschner 2008
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 #include "utils/net.h"
22 #include "../librpc/gen_ndr/cli_lsa.h"
23 #include "rpc_client/cli_lsarpc.h"
24 #include "rpc_client/init_lsa.h"
26 /********************************************************************
27 ********************************************************************/
29 static NTSTATUS
sid_to_name(struct rpc_pipe_client
*pipe_hnd
,
34 struct policy_handle pol
;
35 enum lsa_SidType
*sid_types
= NULL
;
37 char **domains
= NULL
, **names
= NULL
;
39 result
= rpccli_lsa_open_policy(pipe_hnd
, mem_ctx
, true,
40 SEC_FLAG_MAXIMUM_ALLOWED
, &pol
);
42 if ( !NT_STATUS_IS_OK(result
) )
45 result
= rpccli_lsa_lookup_sids(pipe_hnd
, mem_ctx
, &pol
, 1, sid
, &domains
, &names
, &sid_types
);
47 if ( NT_STATUS_IS_OK(result
) ) {
49 fstr_sprintf( name
, "%s\\%s", domains
[0], names
[0] );
51 fstrcpy( name
, names
[0] );
54 rpccli_lsa_Close(pipe_hnd
, mem_ctx
, &pol
);
58 /********************************************************************
59 ********************************************************************/
61 static NTSTATUS
name_to_sid(struct rpc_pipe_client
*pipe_hnd
,
63 struct dom_sid
*sid
, const char *name
)
65 struct policy_handle pol
;
66 enum lsa_SidType
*sid_types
;
70 /* maybe its a raw SID */
71 if ( strncmp(name
, "S-", 2) == 0 && string_to_sid(sid
, name
) ) {
75 result
= rpccli_lsa_open_policy(pipe_hnd
, mem_ctx
, true,
76 SEC_FLAG_MAXIMUM_ALLOWED
, &pol
);
78 if ( !NT_STATUS_IS_OK(result
) )
81 result
= rpccli_lsa_lookup_names(pipe_hnd
, mem_ctx
, &pol
, 1, &name
,
82 NULL
, 1, &sids
, &sid_types
);
84 if ( NT_STATUS_IS_OK(result
) )
85 sid_copy( sid
, &sids
[0] );
87 rpccli_lsa_Close(pipe_hnd
, mem_ctx
, &pol
);
91 /********************************************************************
92 ********************************************************************/
94 static NTSTATUS
enum_privileges(struct rpc_pipe_client
*pipe_hnd
,
96 struct policy_handle
*pol
)
99 uint32 enum_context
= 0;
100 uint32 pref_max_length
=0x1000;
103 uint16 lang_id_sys
=0;
105 struct lsa_StringLarge
*description
= NULL
;
106 struct lsa_PrivArray priv_array
;
108 result
= rpccli_lsa_EnumPrivs(pipe_hnd
, ctx
,
114 if ( !NT_STATUS_IS_OK(result
) )
119 for (i
= 0; i
< priv_array
.count
; i
++) {
121 struct lsa_String lsa_name
;
124 priv_array
.privs
[i
].name
.string
? priv_array
.privs
[i
].name
.string
: "*unknown*" );
126 /* try to get the description */
128 init_lsa_String(&lsa_name
, priv_array
.privs
[i
].name
.string
);
130 result
= rpccli_lsa_LookupPrivDisplayName(pipe_hnd
, ctx
,
138 if (!NT_STATUS_IS_OK(result
)) {
139 d_printf("??????\n");
143 d_printf("%s\n", description
->string
);
149 /********************************************************************
150 ********************************************************************/
152 static NTSTATUS
check_privilege_for_user(struct rpc_pipe_client
*pipe_hnd
,
154 struct policy_handle
*pol
,
159 struct lsa_RightSet rights
;
162 result
= rpccli_lsa_EnumAccountRights(pipe_hnd
, ctx
,
167 if (!NT_STATUS_IS_OK(result
)) {
171 if (rights
.count
== 0) {
172 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
175 for (i
= 0; i
< rights
.count
; i
++) {
176 if (StrCaseCmp(rights
.names
[i
].string
, right
) == 0) {
181 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
184 /********************************************************************
185 ********************************************************************/
187 static NTSTATUS
enum_privileges_for_user(struct rpc_pipe_client
*pipe_hnd
,
189 struct policy_handle
*pol
,
190 struct dom_sid
*sid
)
193 struct lsa_RightSet rights
;
196 result
= rpccli_lsa_EnumAccountRights(pipe_hnd
, ctx
,
201 if (!NT_STATUS_IS_OK(result
))
204 if (rights
.count
== 0) {
205 d_printf(_("No privileges assigned\n"));
208 for (i
= 0; i
< rights
.count
; i
++) {
209 printf("%s\n", rights
.names
[i
].string
);
215 /********************************************************************
216 ********************************************************************/
218 static NTSTATUS
enum_accounts_for_privilege(struct rpc_pipe_client
*pipe_hnd
,
220 struct policy_handle
*pol
,
221 const char *privilege
)
224 uint32 enum_context
=0;
225 uint32 pref_max_length
=0x1000;
226 struct lsa_SidArray sid_array
;
230 result
= rpccli_lsa_EnumAccounts(pipe_hnd
, ctx
,
236 if (!NT_STATUS_IS_OK(result
))
239 d_printf("%s:\n", privilege
);
241 for ( i
=0; i
<sid_array
.num_sids
; i
++ ) {
243 result
= check_privilege_for_user(pipe_hnd
, ctx
, pol
,
244 sid_array
.sids
[i
].sid
,
247 if ( ! NT_STATUS_IS_OK(result
)) {
248 if ( ! NT_STATUS_EQUAL(result
, NT_STATUS_OBJECT_NAME_NOT_FOUND
)) {
254 /* try to convert the SID to a name. Fall back to
255 printing the raw SID if necessary */
256 result
= sid_to_name( pipe_hnd
, ctx
, sid_array
.sids
[i
].sid
, name
);
257 if ( !NT_STATUS_IS_OK (result
) )
258 sid_to_fstring(name
, sid_array
.sids
[i
].sid
);
260 d_printf(" %s\n", name
);
266 /********************************************************************
267 ********************************************************************/
269 static NTSTATUS
enum_privileges_for_accounts(struct rpc_pipe_client
*pipe_hnd
,
271 struct policy_handle
*pol
)
274 uint32 enum_context
=0;
275 uint32 pref_max_length
=0x1000;
276 struct lsa_SidArray sid_array
;
280 result
= rpccli_lsa_EnumAccounts(pipe_hnd
, ctx
,
286 if (!NT_STATUS_IS_OK(result
))
289 for ( i
=0; i
<sid_array
.num_sids
; i
++ ) {
291 /* try to convert the SID to a name. Fall back to
292 printing the raw SID if necessary */
294 result
= sid_to_name(pipe_hnd
, ctx
, sid_array
.sids
[i
].sid
, name
);
295 if ( !NT_STATUS_IS_OK (result
) )
296 sid_to_fstring(name
, sid_array
.sids
[i
].sid
);
298 d_printf("%s\n", name
);
300 result
= enum_privileges_for_user(pipe_hnd
, ctx
, pol
,
301 sid_array
.sids
[i
].sid
);
302 if ( !NT_STATUS_IS_OK(result
) )
311 /********************************************************************
312 ********************************************************************/
314 static NTSTATUS
rpc_rights_list_internal(struct net_context
*c
,
315 const struct dom_sid
*domain_sid
,
316 const char *domain_name
,
317 struct cli_state
*cli
,
318 struct rpc_pipe_client
*pipe_hnd
,
323 struct policy_handle pol
;
327 struct lsa_String lsa_name
;
328 struct lsa_StringLarge
*description
= NULL
;
330 uint16 lang_id_sys
= 0;
333 result
= rpccli_lsa_open_policy(pipe_hnd
, mem_ctx
, true,
334 SEC_FLAG_MAXIMUM_ALLOWED
, &pol
);
336 if ( !NT_STATUS_IS_OK(result
) )
339 /* backwards compatibility; just list available privileges if no arguement */
342 result
= enum_privileges(pipe_hnd
, mem_ctx
, &pol
);
346 if (strequal(argv
[0], "privileges")) {
349 if (argv
[1] == NULL
) {
350 result
= enum_privileges(pipe_hnd
, mem_ctx
, &pol
);
354 while ( argv
[i
] != NULL
) {
355 fstrcpy(privname
, argv
[i
]);
356 init_lsa_String(&lsa_name
, argv
[i
]);
359 /* verify that this is a valid privilege for error reporting */
360 result
= rpccli_lsa_LookupPrivDisplayName(pipe_hnd
, mem_ctx
,
368 if ( !NT_STATUS_IS_OK(result
) ) {
369 if ( NT_STATUS_EQUAL( result
, NT_STATUS_NO_SUCH_PRIVILEGE
) )
370 d_fprintf(stderr
, _("No such privilege "
371 "exists: %s.\n"), privname
);
373 d_fprintf(stderr
, _("Error resolving "
374 "privilege display name "
380 result
= enum_accounts_for_privilege(pipe_hnd
, mem_ctx
, &pol
, privname
);
381 if (!NT_STATUS_IS_OK(result
)) {
382 d_fprintf(stderr
, _("Error enumerating "
383 "accounts for privilege %s [%s].\n"),
384 privname
, nt_errstr(result
));
391 /* special case to enumerate all privileged SIDs with associated rights */
393 if (strequal( argv
[0], "accounts")) {
396 if (argv
[1] == NULL
) {
397 result
= enum_privileges_for_accounts(pipe_hnd
, mem_ctx
, &pol
);
401 while (argv
[i
] != NULL
) {
402 result
= name_to_sid(pipe_hnd
, mem_ctx
, &sid
, argv
[i
]);
403 if (!NT_STATUS_IS_OK(result
)) {
406 result
= enum_privileges_for_user(pipe_hnd
, mem_ctx
, &pol
, &sid
);
407 if (!NT_STATUS_IS_OK(result
)) {
415 /* backward comaptibility: if no keyword provided, treat the key
416 as an account name */
418 d_printf("%s net rpc rights list [[accounts|privileges] "
419 "[name|SID]]\n", _("Usage:"));
420 result
= NT_STATUS_OK
;
424 result
= name_to_sid(pipe_hnd
, mem_ctx
, &sid
, argv
[0]);
425 if (!NT_STATUS_IS_OK(result
)) {
428 result
= enum_privileges_for_user(pipe_hnd
, mem_ctx
, &pol
, &sid
);
431 rpccli_lsa_Close(pipe_hnd
, mem_ctx
, &pol
);
436 /********************************************************************
437 ********************************************************************/
439 static NTSTATUS
rpc_rights_grant_internal(struct net_context
*c
,
440 const struct dom_sid
*domain_sid
,
441 const char *domain_name
,
442 struct cli_state
*cli
,
443 struct rpc_pipe_client
*pipe_hnd
,
448 struct policy_handle dom_pol
;
449 NTSTATUS result
= NT_STATUS_UNSUCCESSFUL
;
450 struct lsa_RightSet rights
;
458 _(" net rpc rights grant <name|SID> <rights...>\n"));
462 result
= name_to_sid(pipe_hnd
, mem_ctx
, &sid
, argv
[0]);
463 if (NT_STATUS_EQUAL(result
, NT_STATUS_NONE_MAPPED
))
464 result
= NT_STATUS_NO_SUCH_USER
;
466 if (!NT_STATUS_IS_OK(result
))
469 result
= rpccli_lsa_open_policy2(pipe_hnd
, mem_ctx
, true,
470 SEC_FLAG_MAXIMUM_ALLOWED
,
473 if (!NT_STATUS_IS_OK(result
))
476 rights
.count
= argc
-1;
477 rights
.names
= TALLOC_ARRAY(mem_ctx
, struct lsa_StringLarge
,
480 return NT_STATUS_NO_MEMORY
;
483 for (i
=0; i
<argc
-1; i
++) {
484 init_lsa_StringLarge(&rights
.names
[i
], argv
[i
+1]);
487 result
= rpccli_lsa_AddAccountRights(pipe_hnd
, mem_ctx
,
492 if (!NT_STATUS_IS_OK(result
))
495 d_printf(_("Successfully granted rights.\n"));
498 if ( !NT_STATUS_IS_OK(result
) ) {
499 d_fprintf(stderr
, _("Failed to grant privileges for %s (%s)\n"),
500 argv
[0], nt_errstr(result
));
503 rpccli_lsa_Close(pipe_hnd
, mem_ctx
, &dom_pol
);
508 /********************************************************************
509 ********************************************************************/
511 static NTSTATUS
rpc_rights_revoke_internal(struct net_context
*c
,
512 const struct dom_sid
*domain_sid
,
513 const char *domain_name
,
514 struct cli_state
*cli
,
515 struct rpc_pipe_client
*pipe_hnd
,
520 struct policy_handle dom_pol
;
521 NTSTATUS result
= NT_STATUS_UNSUCCESSFUL
;
522 struct lsa_RightSet rights
;
529 _(" net rpc rights revoke <name|SID> <rights...>\n"));
533 result
= name_to_sid(pipe_hnd
, mem_ctx
, &sid
, argv
[0]);
534 if (!NT_STATUS_IS_OK(result
))
537 result
= rpccli_lsa_open_policy2(pipe_hnd
, mem_ctx
, true,
538 SEC_FLAG_MAXIMUM_ALLOWED
,
541 if (!NT_STATUS_IS_OK(result
))
544 rights
.count
= argc
-1;
545 rights
.names
= TALLOC_ARRAY(mem_ctx
, struct lsa_StringLarge
,
548 return NT_STATUS_NO_MEMORY
;
551 for (i
=0; i
<argc
-1; i
++) {
552 init_lsa_StringLarge(&rights
.names
[i
], argv
[i
+1]);
555 result
= rpccli_lsa_RemoveAccountRights(pipe_hnd
, mem_ctx
,
561 if (!NT_STATUS_IS_OK(result
))
564 d_printf(_("Successfully revoked rights.\n"));
567 if ( !NT_STATUS_IS_OK(result
) ) {
568 d_fprintf(stderr
,_("Failed to revoke privileges for %s (%s)\n"),
569 argv
[0], nt_errstr(result
));
572 rpccli_lsa_Close(pipe_hnd
, mem_ctx
, &dom_pol
);
578 /********************************************************************
579 ********************************************************************/
581 static int rpc_rights_list(struct net_context
*c
, int argc
, const char **argv
)
583 if (c
->display_usage
) {
586 _("net rpc rights list [{accounts|privileges} "
588 " View available/assigned privileges\n"));
592 return run_rpc_command(c
, NULL
, &ndr_table_lsarpc
.syntax_id
, 0,
593 rpc_rights_list_internal
, argc
, argv
);
596 /********************************************************************
597 ********************************************************************/
599 static int rpc_rights_grant(struct net_context
*c
, int argc
, const char **argv
)
601 if (c
->display_usage
) {
604 _("net rpc rights grant <name|SID> <right>\n"
605 " Assign privilege[s]\n"));
606 d_printf(_("For example:\n"
607 " net rpc rights grant 'VALE\\biddle' "
608 "SePrintOperatorPrivilege SeDiskOperatorPrivilege\n"
609 " would grant the printer admin and disk manager "
610 "rights to the user 'VALE\\biddle'\n"));
614 return run_rpc_command(c
, NULL
, &ndr_table_lsarpc
.syntax_id
, 0,
615 rpc_rights_grant_internal
, argc
, argv
);
618 /********************************************************************
619 ********************************************************************/
621 static int rpc_rights_revoke(struct net_context
*c
, int argc
, const char **argv
)
623 if (c
->display_usage
) {
626 _("net rpc rights revoke <name|SID> <right>\n"
627 " Revoke privilege[s]\n"));
628 d_printf(_("For example:\n"
629 " net rpc rights revoke 'VALE\\biddle' "
630 "SePrintOperatorPrivilege SeDiskOperatorPrivilege\n"
631 " would revoke the printer admin and disk manager"
632 " rights from the user 'VALE\\biddle'\n"));
636 return run_rpc_command(c
, NULL
, &ndr_table_lsarpc
.syntax_id
, 0,
637 rpc_rights_revoke_internal
, argc
, argv
);
640 /********************************************************************
641 ********************************************************************/
643 int net_rpc_rights(struct net_context
*c
, int argc
, const char **argv
)
645 struct functable func
[] = {
650 N_("View available/assigned privileges"),
651 N_("net rpc rights list\n"
652 " View available/assigned privileges")
658 N_("Assign privilege[s]"),
659 N_("net rpc rights grant\n"
660 " Assign privilege[s]")
666 N_("Revoke privilege[s]"),
667 N_("net rpc rights revoke\n"
668 " Revoke privilege[s]")
670 {NULL
, NULL
, 0, NULL
, NULL
}
673 return net_run_function(c
, argc
, argv
, "net rpc rights", func
);
676 static NTSTATUS
rpc_sh_rights_list(struct net_context
*c
,
677 TALLOC_CTX
*mem_ctx
, struct rpc_sh_ctx
*ctx
,
678 struct rpc_pipe_client
*pipe_hnd
,
679 int argc
, const char **argv
)
681 return rpc_rights_list_internal(c
, ctx
->domain_sid
, ctx
->domain_name
,
682 ctx
->cli
, pipe_hnd
, mem_ctx
,
686 static NTSTATUS
rpc_sh_rights_grant(struct net_context
*c
,
688 struct rpc_sh_ctx
*ctx
,
689 struct rpc_pipe_client
*pipe_hnd
,
690 int argc
, const char **argv
)
692 return rpc_rights_grant_internal(c
, ctx
->domain_sid
, ctx
->domain_name
,
693 ctx
->cli
, pipe_hnd
, mem_ctx
,
697 static NTSTATUS
rpc_sh_rights_revoke(struct net_context
*c
,
699 struct rpc_sh_ctx
*ctx
,
700 struct rpc_pipe_client
*pipe_hnd
,
701 int argc
, const char **argv
)
703 return rpc_rights_revoke_internal(c
, ctx
->domain_sid
, ctx
->domain_name
,
704 ctx
->cli
, pipe_hnd
, mem_ctx
,
708 struct rpc_sh_cmd
*net_rpc_rights_cmds(struct net_context
*c
, TALLOC_CTX
*mem_ctx
,
709 struct rpc_sh_ctx
*ctx
)
711 static struct rpc_sh_cmd cmds
[] = {
713 { "list", NULL
, &ndr_table_lsarpc
.syntax_id
, rpc_sh_rights_list
,
714 N_("View available or assigned privileges") },
716 { "grant", NULL
, &ndr_table_lsarpc
.syntax_id
, rpc_sh_rights_grant
,
717 N_("Assign privilege[s]") },
719 { "revoke", NULL
, &ndr_table_lsarpc
.syntax_id
, rpc_sh_rights_revoke
,
720 N_("Revoke privilege[s]") },
722 { NULL
, NULL
, 0, NULL
, NULL
}