2 Unix SMB/CIFS implementation.
4 Copyright (C) Tim Potter 2000-2001,
5 Copyright (C) Andrew Tridgell 1992-1997,2000,
6 Copyright (C) Rafal Szczesniak 2002
7 Copyright (C) Jeremy Allison 2005.
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 2 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
26 /** @defgroup lsa LSA - Local Security Architecture
35 * RPC client routines for the LSA RPC pipe. LSA means "local
36 * security authority", which is half of a password database.
39 /** Open a LSA policy handle
41 * @param cli Handle on an initialised SMB connection */
43 NTSTATUS
rpccli_lsa_open_policy(struct rpc_pipe_client
*cli
,
45 BOOL sec_qos
, uint32 des_access
,
48 prs_struct qbuf
, rbuf
;
57 /* Initialise input parameters */
60 init_lsa_sec_qos(&qos
, 2, 1, 0);
61 init_q_open_pol(&q
, '\\', 0, des_access
, &qos
);
63 init_q_open_pol(&q
, '\\', 0, des_access
, NULL
);
66 /* Marshall data and send request */
68 CLI_DO_RPC( cli
, mem_ctx
, PI_LSARPC
, LSA_OPENPOLICY
,
73 NT_STATUS_UNSUCCESSFUL
);
75 /* Return output parameters */
79 if (NT_STATUS_IS_OK(result
)) {
82 pol
->marker
= MALLOC(1);
89 /** Open a LSA policy handle
91 * @param cli Handle on an initialised SMB connection
94 NTSTATUS
rpccli_lsa_open_policy2(struct rpc_pipe_client
*cli
,
95 TALLOC_CTX
*mem_ctx
, BOOL sec_qos
,
96 uint32 des_access
, POLICY_HND
*pol
)
98 prs_struct qbuf
, rbuf
;
103 char *srv_name_slash
= talloc_asprintf(mem_ctx
, "\\\\%s", cli
->cli
->desthost
);
109 init_lsa_sec_qos(&qos
, 2, 1, 0);
110 init_q_open_pol2(&q
, srv_name_slash
, 0, des_access
, &qos
);
112 init_q_open_pol2(&q
, srv_name_slash
, 0, des_access
, NULL
);
115 CLI_DO_RPC( cli
, mem_ctx
, PI_LSARPC
, LSA_OPENPOLICY2
,
120 NT_STATUS_UNSUCCESSFUL
);
122 /* Return output parameters */
126 if (NT_STATUS_IS_OK(result
)) {
129 pol
->marker
= (char *)malloc(1);
136 /** Close a LSA policy handle */
138 NTSTATUS
rpccli_lsa_close(struct rpc_pipe_client
*cli
, TALLOC_CTX
*mem_ctx
,
141 prs_struct qbuf
, rbuf
;
149 init_lsa_q_close(&q
, pol
);
151 CLI_DO_RPC( cli
, mem_ctx
, PI_LSARPC
, LSA_CLOSE
,
156 NT_STATUS_UNSUCCESSFUL
);
158 /* Return output parameters */
162 if (NT_STATUS_IS_OK(result
)) {
164 SAFE_FREE(pol
->marker
);
172 /** Lookup a list of sids */
174 NTSTATUS
rpccli_lsa_lookup_sids(struct rpc_pipe_client
*cli
,
176 POLICY_HND
*pol
, int num_sids
,
178 char ***domains
, char ***names
, uint32
**types
)
180 prs_struct qbuf
, rbuf
;
184 LSA_TRANS_NAME_ENUM t_names
;
185 NTSTATUS result
= NT_STATUS_OK
;
191 init_q_lookup_sids(mem_ctx
, &q
, pol
, num_sids
, sids
, 1);
194 ZERO_STRUCT(t_names
);
199 CLI_DO_RPC( cli
, mem_ctx
, PI_LSARPC
, LSA_LOOKUPSIDS
,
202 lsa_io_q_lookup_sids
,
203 lsa_io_r_lookup_sids
,
204 NT_STATUS_UNSUCCESSFUL
);
206 if (!NT_STATUS_IS_OK(r
.status
) &&
207 NT_STATUS_V(r
.status
) != NT_STATUS_V(STATUS_SOME_UNMAPPED
)) {
209 /* An actual error occured */
215 /* Return output parameters */
217 if (r
.mapped_count
== 0) {
218 result
= NT_STATUS_NONE_MAPPED
;
222 if (!((*domains
) = TALLOC_ARRAY(mem_ctx
, char *, num_sids
))) {
223 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
224 result
= NT_STATUS_UNSUCCESSFUL
;
228 if (!((*names
) = TALLOC_ARRAY(mem_ctx
, char *, num_sids
))) {
229 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
230 result
= NT_STATUS_UNSUCCESSFUL
;
234 if (!((*types
) = TALLOC_ARRAY(mem_ctx
, uint32
, num_sids
))) {
235 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
236 result
= NT_STATUS_UNSUCCESSFUL
;
240 for (i
= 0; i
< num_sids
; i
++) {
241 fstring name
, dom_name
;
242 uint32 dom_idx
= t_names
.name
[i
].domain_idx
;
244 /* Translate optimised name through domain index array */
246 if (dom_idx
!= 0xffffffff) {
248 rpcstr_pull_unistr2_fstring(
249 dom_name
, &ref
.ref_dom
[dom_idx
].uni_dom_name
);
250 rpcstr_pull_unistr2_fstring(
251 name
, &t_names
.uni_name
[i
]);
253 (*names
)[i
] = talloc_strdup(mem_ctx
, name
);
254 (*domains
)[i
] = talloc_strdup(mem_ctx
, dom_name
);
255 (*types
)[i
] = t_names
.name
[i
].sid_name_use
;
257 if (((*names
)[i
] == NULL
) || ((*domains
)[i
] == NULL
)) {
258 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
259 result
= NT_STATUS_UNSUCCESSFUL
;
265 (*domains
)[i
] = NULL
;
266 (*types
)[i
] = SID_NAME_UNKNOWN
;
275 /** Lookup a list of names */
277 NTSTATUS
rpccli_lsa_lookup_names(struct rpc_pipe_client
*cli
,
279 POLICY_HND
*pol
, int num_names
,
281 const char ***dom_names
,
285 prs_struct qbuf
, rbuf
;
286 LSA_Q_LOOKUP_NAMES q
;
287 LSA_R_LOOKUP_NAMES r
;
298 init_q_lookup_names(mem_ctx
, &q
, pol
, num_names
, names
);
300 CLI_DO_RPC( cli
, mem_ctx
, PI_LSARPC
, LSA_LOOKUPNAMES
,
303 lsa_io_q_lookup_names
,
304 lsa_io_r_lookup_names
,
305 NT_STATUS_UNSUCCESSFUL
);
309 if (!NT_STATUS_IS_OK(result
) && NT_STATUS_V(result
) !=
310 NT_STATUS_V(STATUS_SOME_UNMAPPED
)) {
312 /* An actual error occured */
317 /* Return output parameters */
319 if (r
.mapped_count
== 0) {
320 result
= NT_STATUS_NONE_MAPPED
;
324 if (!((*sids
= TALLOC_ARRAY(mem_ctx
, DOM_SID
, num_names
)))) {
325 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
326 result
= NT_STATUS_UNSUCCESSFUL
;
330 if (!((*types
= TALLOC_ARRAY(mem_ctx
, uint32
, num_names
)))) {
331 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
332 result
= NT_STATUS_UNSUCCESSFUL
;
336 if (dom_names
!= NULL
) {
337 *dom_names
= TALLOC_ARRAY(mem_ctx
, const char *, num_names
);
338 if (*dom_names
== NULL
) {
339 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
340 result
= NT_STATUS_NO_MEMORY
;
345 for (i
= 0; i
< num_names
; i
++) {
346 DOM_RID
*t_rids
= r
.dom_rid
;
347 uint32 dom_idx
= t_rids
[i
].rid_idx
;
348 uint32 dom_rid
= t_rids
[i
].rid
;
349 DOM_SID
*sid
= &(*sids
)[i
];
351 /* Translate optimised sid through domain index array */
353 if (dom_idx
== 0xffffffff) {
354 /* Nothing to do, this is unknown */
356 (*types
)[i
] = SID_NAME_UNKNOWN
;
360 sid_copy(sid
, &ref
.ref_dom
[dom_idx
].ref_dom
.sid
);
362 if (dom_rid
!= 0xffffffff) {
363 sid_append_rid(sid
, dom_rid
);
366 (*types
)[i
] = t_rids
[i
].type
;
368 if (dom_names
== NULL
) {
372 (*dom_names
)[i
] = rpcstr_pull_unistr2_talloc(
373 *dom_names
, &ref
.ref_dom
[dom_idx
].uni_dom_name
);
381 /** Query info policy
383 * @param domain_sid - returned remote server's domain sid */
385 NTSTATUS
rpccli_lsa_query_info_policy(struct rpc_pipe_client
*cli
,
387 POLICY_HND
*pol
, uint16 info_class
,
388 char **domain_name
, DOM_SID
**domain_sid
)
390 prs_struct qbuf
, rbuf
;
398 init_q_query(&q
, pol
, info_class
);
400 CLI_DO_RPC(cli
, mem_ctx
, PI_LSARPC
, LSA_QUERYINFOPOLICY
,
405 NT_STATUS_UNSUCCESSFUL
);
409 if (!NT_STATUS_IS_OK(result
)) {
413 /* Return output parameters */
415 switch (info_class
) {
418 if (domain_name
&& (r
.dom
.id3
.buffer_dom_name
!= 0)) {
419 *domain_name
= unistr2_tdup(mem_ctx
,
424 if (domain_sid
&& (r
.dom
.id3
.buffer_dom_sid
!= 0)) {
425 *domain_sid
= TALLOC_P(mem_ctx
, DOM_SID
);
427 sid_copy(*domain_sid
, &r
.dom
.id3
.dom_sid
.sid
);
435 if (domain_name
&& (r
.dom
.id5
.buffer_dom_name
!= 0)) {
436 *domain_name
= unistr2_tdup(mem_ctx
,
441 if (domain_sid
&& (r
.dom
.id5
.buffer_dom_sid
!= 0)) {
442 *domain_sid
= TALLOC_P(mem_ctx
, DOM_SID
);
444 sid_copy(*domain_sid
, &r
.dom
.id5
.dom_sid
.sid
);
450 DEBUG(3, ("unknown info class %d\n", info_class
));
459 /** Query info policy2
461 * @param domain_name - returned remote server's domain name
462 * @param dns_name - returned remote server's dns domain name
463 * @param forest_name - returned remote server's forest name
464 * @param domain_guid - returned remote server's domain guid
465 * @param domain_sid - returned remote server's domain sid */
467 NTSTATUS
rpccli_lsa_query_info_policy2(struct rpc_pipe_client
*cli
,
469 POLICY_HND
*pol
, uint16 info_class
,
470 char **domain_name
, char **dns_name
,
472 struct uuid
**domain_guid
,
473 DOM_SID
**domain_sid
)
475 prs_struct qbuf
, rbuf
;
478 NTSTATUS result
= NT_STATUS_UNSUCCESSFUL
;
480 if (info_class
!= 12)
486 init_q_query2(&q
, pol
, info_class
);
488 CLI_DO_RPC( cli
, mem_ctx
, PI_LSARPC
, LSA_QUERYINFO2
,
491 lsa_io_q_query_info2
,
492 lsa_io_r_query_info2
,
493 NT_STATUS_UNSUCCESSFUL
);
497 if (!NT_STATUS_IS_OK(result
)) {
501 /* Return output parameters */
503 ZERO_STRUCTP(domain_guid
);
505 if (domain_name
&& r
.info
.dns_dom_info
.hdr_nb_dom_name
.buffer
) {
506 *domain_name
= unistr2_tdup(mem_ctx
,
510 if (dns_name
&& r
.info
.dns_dom_info
.hdr_dns_dom_name
.buffer
) {
511 *dns_name
= unistr2_tdup(mem_ctx
,
515 if (forest_name
&& r
.info
.dns_dom_info
.hdr_forest_name
.buffer
) {
516 *forest_name
= unistr2_tdup(mem_ctx
,
522 *domain_guid
= TALLOC_P(mem_ctx
, struct uuid
);
524 &r
.info
.dns_dom_info
.dom_guid
,
525 sizeof(struct uuid
));
528 if (domain_sid
&& r
.info
.dns_dom_info
.ptr_dom_sid
!= 0) {
529 *domain_sid
= TALLOC_P(mem_ctx
, DOM_SID
);
531 sid_copy(*domain_sid
,
532 &r
.info
.dns_dom_info
.dom_sid
.sid
);
542 * Enumerate list of trusted domains
544 * @param cli client state (cli_state) structure of the connection
545 * @param mem_ctx memory context
546 * @param pol opened lsa policy handle
547 * @param enum_ctx enumeration context ie. index of first returned domain entry
548 * @param pref_num_domains preferred max number of entries returned in one response
549 * @param num_domains total number of trusted domains returned by response
550 * @param domain_names returned trusted domain names
551 * @param domain_sids returned trusted domain sids
553 * @return nt status code of response
556 NTSTATUS
rpccli_lsa_enum_trust_dom(struct rpc_pipe_client
*cli
,
558 POLICY_HND
*pol
, uint32
*enum_ctx
,
560 char ***domain_names
, DOM_SID
**domain_sids
)
562 prs_struct qbuf
, rbuf
;
563 LSA_Q_ENUM_TRUST_DOM in
;
564 LSA_R_ENUM_TRUST_DOM out
;
571 /* 64k is enough for about 2000 trusted domains */
573 init_q_enum_trust_dom(&in
, pol
, *enum_ctx
, 0x10000);
575 CLI_DO_RPC( cli
, mem_ctx
, PI_LSARPC
, LSA_ENUMTRUSTDOM
,
578 lsa_io_q_enum_trust_dom
,
579 lsa_io_r_enum_trust_dom
,
580 NT_STATUS_UNSUCCESSFUL
);
583 /* check for an actual error */
585 if ( !NT_STATUS_IS_OK(out
.status
)
586 && !NT_STATUS_EQUAL(out
.status
, NT_STATUS_NO_MORE_ENTRIES
)
587 && !NT_STATUS_EQUAL(out
.status
, STATUS_MORE_ENTRIES
) )
592 /* Return output parameters */
594 *num_domains
= out
.count
;
595 *enum_ctx
= out
.enum_context
;
599 /* Allocate memory for trusted domain names and sids */
601 if ( !(*domain_names
= TALLOC_ARRAY(mem_ctx
, char *, out
.count
)) ) {
602 DEBUG(0, ("cli_lsa_enum_trust_dom(): out of memory\n"));
603 return NT_STATUS_NO_MEMORY
;
606 if ( !(*domain_sids
= TALLOC_ARRAY(mem_ctx
, DOM_SID
, out
.count
)) ) {
607 DEBUG(0, ("cli_lsa_enum_trust_dom(): out of memory\n"));
608 return NT_STATUS_NO_MEMORY
;
611 /* Copy across names and sids */
613 for (i
= 0; i
< out
.count
; i
++) {
615 rpcstr_pull( tmp
, out
.domlist
->domains
[i
].name
.string
->buffer
,
616 sizeof(tmp
), out
.domlist
->domains
[i
].name
.length
, 0);
617 (*domain_names
)[i
] = talloc_strdup(mem_ctx
, tmp
);
619 sid_copy(&(*domain_sids
)[i
], &out
.domlist
->domains
[i
].sid
->sid
);
626 /** Enumerate privileges*/
628 NTSTATUS
rpccli_lsa_enum_privilege(struct rpc_pipe_client
*cli
, TALLOC_CTX
*mem_ctx
,
629 POLICY_HND
*pol
, uint32
*enum_context
, uint32 pref_max_length
,
630 uint32
*count
, char ***privs_name
, uint32
**privs_high
, uint32
**privs_low
)
632 prs_struct qbuf
, rbuf
;
641 init_q_enum_privs(&q
, pol
, *enum_context
, pref_max_length
);
643 CLI_DO_RPC( cli
, mem_ctx
, PI_LSARPC
, LSA_ENUM_PRIVS
,
648 NT_STATUS_UNSUCCESSFUL
);
652 if (!NT_STATUS_IS_OK(result
)) {
656 /* Return output parameters */
658 *enum_context
= r
.enum_context
;
661 if (!((*privs_name
= TALLOC_ARRAY(mem_ctx
, char *, r
.count
)))) {
662 DEBUG(0, ("(cli_lsa_enum_privilege): out of memory\n"));
663 result
= NT_STATUS_UNSUCCESSFUL
;
667 if (!((*privs_high
= TALLOC_ARRAY(mem_ctx
, uint32
, r
.count
)))) {
668 DEBUG(0, ("(cli_lsa_enum_privilege): out of memory\n"));
669 result
= NT_STATUS_UNSUCCESSFUL
;
673 if (!((*privs_low
= TALLOC_ARRAY(mem_ctx
, uint32
, r
.count
)))) {
674 DEBUG(0, ("(cli_lsa_enum_privilege): out of memory\n"));
675 result
= NT_STATUS_UNSUCCESSFUL
;
679 for (i
= 0; i
< r
.count
; i
++) {
682 rpcstr_pull_unistr2_fstring( name
, &r
.privs
[i
].name
);
684 (*privs_name
)[i
] = talloc_strdup(mem_ctx
, name
);
686 (*privs_high
)[i
] = r
.privs
[i
].luid_high
;
687 (*privs_low
)[i
] = r
.privs
[i
].luid_low
;
695 /** Get privilege name */
697 NTSTATUS
rpccli_lsa_get_dispname(struct rpc_pipe_client
*cli
, TALLOC_CTX
*mem_ctx
,
698 POLICY_HND
*pol
, const char *name
,
699 uint16 lang_id
, uint16 lang_id_sys
,
700 fstring description
, uint16
*lang_id_desc
)
702 prs_struct qbuf
, rbuf
;
703 LSA_Q_PRIV_GET_DISPNAME q
;
704 LSA_R_PRIV_GET_DISPNAME r
;
710 init_lsa_priv_get_dispname(&q
, pol
, name
, lang_id
, lang_id_sys
);
712 CLI_DO_RPC( cli
, mem_ctx
, PI_LSARPC
, LSA_PRIV_GET_DISPNAME
,
715 lsa_io_q_priv_get_dispname
,
716 lsa_io_r_priv_get_dispname
,
717 NT_STATUS_UNSUCCESSFUL
);
721 if (!NT_STATUS_IS_OK(result
)) {
725 /* Return output parameters */
727 rpcstr_pull_unistr2_fstring(description
, &r
.desc
);
728 *lang_id_desc
= r
.lang_id
;
735 /** Enumerate list of SIDs */
737 NTSTATUS
rpccli_lsa_enum_sids(struct rpc_pipe_client
*cli
, TALLOC_CTX
*mem_ctx
,
738 POLICY_HND
*pol
, uint32
*enum_ctx
, uint32 pref_max_length
,
739 uint32
*num_sids
, DOM_SID
**sids
)
741 prs_struct qbuf
, rbuf
;
742 LSA_Q_ENUM_ACCOUNTS q
;
743 LSA_R_ENUM_ACCOUNTS r
;
750 init_lsa_q_enum_accounts(&q
, pol
, *enum_ctx
, pref_max_length
);
752 CLI_DO_RPC( cli
, mem_ctx
, PI_LSARPC
, LSA_ENUM_ACCOUNTS
,
755 lsa_io_q_enum_accounts
,
756 lsa_io_r_enum_accounts
,
757 NT_STATUS_UNSUCCESSFUL
);
761 if (!NT_STATUS_IS_OK(result
)) {
765 if (r
.sids
.num_entries
==0)
768 /* Return output parameters */
770 *sids
= TALLOC_ARRAY(mem_ctx
, DOM_SID
, r
.sids
.num_entries
);
772 DEBUG(0, ("(cli_lsa_enum_sids): out of memory\n"));
773 result
= NT_STATUS_UNSUCCESSFUL
;
777 /* Copy across names and sids */
779 for (i
= 0; i
< r
.sids
.num_entries
; i
++) {
780 sid_copy(&(*sids
)[i
], &r
.sids
.sid
[i
].sid
);
783 *num_sids
= r
.sids
.num_entries
;
784 *enum_ctx
= r
.enum_context
;
791 /** Create a LSA user handle
793 * @param cli Handle on an initialised SMB connection
795 * FIXME: The code is actually identical to open account
796 * TODO: Check and code what the function should exactly do
800 NTSTATUS
rpccli_lsa_create_account(struct rpc_pipe_client
*cli
, TALLOC_CTX
*mem_ctx
,
801 POLICY_HND
*dom_pol
, DOM_SID
*sid
, uint32 desired_access
,
802 POLICY_HND
*user_pol
)
804 prs_struct qbuf
, rbuf
;
805 LSA_Q_CREATEACCOUNT q
;
806 LSA_R_CREATEACCOUNT r
;
812 /* Initialise input parameters */
814 init_lsa_q_create_account(&q
, dom_pol
, sid
, desired_access
);
816 CLI_DO_RPC( cli
, mem_ctx
, PI_LSARPC
, LSA_CREATEACCOUNT
,
819 lsa_io_q_create_account
,
820 lsa_io_r_create_account
,
821 NT_STATUS_UNSUCCESSFUL
);
823 /* Return output parameters */
827 if (NT_STATUS_IS_OK(result
)) {
834 /** Open a LSA user handle
836 * @param cli Handle on an initialised SMB connection */
838 NTSTATUS
rpccli_lsa_open_account(struct rpc_pipe_client
*cli
, TALLOC_CTX
*mem_ctx
,
839 POLICY_HND
*dom_pol
, DOM_SID
*sid
, uint32 des_access
,
840 POLICY_HND
*user_pol
)
842 prs_struct qbuf
, rbuf
;
850 /* Initialise input parameters */
852 init_lsa_q_open_account(&q
, dom_pol
, sid
, des_access
);
854 CLI_DO_RPC( cli
, mem_ctx
, PI_LSARPC
, LSA_OPENACCOUNT
,
857 lsa_io_q_open_account
,
858 lsa_io_r_open_account
,
859 NT_STATUS_UNSUCCESSFUL
);
861 /* Return output parameters */
865 if (NT_STATUS_IS_OK(result
)) {
872 /** Enumerate user privileges
874 * @param cli Handle on an initialised SMB connection */
876 NTSTATUS
rpccli_lsa_enum_privsaccount(struct rpc_pipe_client
*cli
, TALLOC_CTX
*mem_ctx
,
877 POLICY_HND
*pol
, uint32
*count
, LUID_ATTR
**set
)
879 prs_struct qbuf
, rbuf
;
880 LSA_Q_ENUMPRIVSACCOUNT q
;
881 LSA_R_ENUMPRIVSACCOUNT r
;
888 /* Initialise input parameters */
890 init_lsa_q_enum_privsaccount(&q
, pol
);
892 CLI_DO_RPC( cli
, mem_ctx
, PI_LSARPC
, LSA_ENUMPRIVSACCOUNT
,
895 lsa_io_q_enum_privsaccount
,
896 lsa_io_r_enum_privsaccount
,
897 NT_STATUS_UNSUCCESSFUL
);
899 /* Return output parameters */
903 if (!NT_STATUS_IS_OK(result
)) {
910 if (!((*set
= TALLOC_ARRAY(mem_ctx
, LUID_ATTR
, r
.count
)))) {
911 DEBUG(0, ("(cli_lsa_enum_privsaccount): out of memory\n"));
912 result
= NT_STATUS_UNSUCCESSFUL
;
916 for (i
=0; i
<r
.count
; i
++) {
917 (*set
)[i
].luid
.low
= r
.set
.set
[i
].luid
.low
;
918 (*set
)[i
].luid
.high
= r
.set
.set
[i
].luid
.high
;
919 (*set
)[i
].attr
= r
.set
.set
[i
].attr
;
928 /** Get a privilege value given its name */
930 NTSTATUS
rpccli_lsa_lookup_priv_value(struct rpc_pipe_client
*cli
, TALLOC_CTX
*mem_ctx
,
931 POLICY_HND
*pol
, const char *name
, LUID
*luid
)
933 prs_struct qbuf
, rbuf
;
934 LSA_Q_LOOKUP_PRIV_VALUE q
;
935 LSA_R_LOOKUP_PRIV_VALUE r
;
941 /* Marshall data and send request */
943 init_lsa_q_lookup_priv_value(&q
, pol
, name
);
945 CLI_DO_RPC( cli
, mem_ctx
, PI_LSARPC
, LSA_LOOKUPPRIVVALUE
,
948 lsa_io_q_lookup_priv_value
,
949 lsa_io_r_lookup_priv_value
,
950 NT_STATUS_UNSUCCESSFUL
);
954 if (!NT_STATUS_IS_OK(result
)) {
958 /* Return output parameters */
960 (*luid
).low
=r
.luid
.low
;
961 (*luid
).high
=r
.luid
.high
;
968 /** Query LSA security object */
970 NTSTATUS
rpccli_lsa_query_secobj(struct rpc_pipe_client
*cli
, TALLOC_CTX
*mem_ctx
,
971 POLICY_HND
*pol
, uint32 sec_info
,
974 prs_struct qbuf
, rbuf
;
975 LSA_Q_QUERY_SEC_OBJ q
;
976 LSA_R_QUERY_SEC_OBJ r
;
982 /* Marshall data and send request */
984 init_q_query_sec_obj(&q
, pol
, sec_info
);
986 CLI_DO_RPC( cli
, mem_ctx
, PI_LSARPC
, LSA_QUERYSECOBJ
,
989 lsa_io_q_query_sec_obj
,
990 lsa_io_r_query_sec_obj
,
991 NT_STATUS_UNSUCCESSFUL
);
995 if (!NT_STATUS_IS_OK(result
)) {
999 /* Return output parameters */
1010 /* Enumerate account rights This is similar to enum_privileges but
1011 takes a SID directly, avoiding the open_account call.
1014 NTSTATUS
rpccli_lsa_enum_account_rights(struct rpc_pipe_client
*cli
, TALLOC_CTX
*mem_ctx
,
1015 POLICY_HND
*pol
, DOM_SID
*sid
,
1016 uint32
*count
, char ***priv_names
)
1018 prs_struct qbuf
, rbuf
;
1019 LSA_Q_ENUM_ACCT_RIGHTS q
;
1020 LSA_R_ENUM_ACCT_RIGHTS r
;
1023 fstring
*privileges
;
1029 /* Marshall data and send request */
1030 init_q_enum_acct_rights(&q
, pol
, 2, sid
);
1032 CLI_DO_RPC( cli
, mem_ctx
, PI_LSARPC
, LSA_ENUMACCTRIGHTS
,
1035 lsa_io_q_enum_acct_rights
,
1036 lsa_io_r_enum_acct_rights
,
1037 NT_STATUS_UNSUCCESSFUL
);
1041 if (!NT_STATUS_IS_OK(result
)) {
1051 privileges
= TALLOC_ARRAY( mem_ctx
, fstring
, *count
);
1052 names
= TALLOC_ARRAY( mem_ctx
, char *, *count
);
1054 for ( i
=0; i
<*count
; i
++ ) {
1055 UNISTR4
*uni_string
= &r
.rights
->strings
[i
];
1057 if ( !uni_string
->string
)
1060 rpcstr_pull( privileges
[i
], uni_string
->string
->buffer
, sizeof(privileges
[i
]), -1, STR_TERMINATE
);
1062 /* now copy to the return array */
1063 names
[i
] = talloc_strdup( mem_ctx
, privileges
[i
] );
1066 *priv_names
= names
;
1075 /* add account rights to an account. */
1077 NTSTATUS
rpccli_lsa_add_account_rights(struct rpc_pipe_client
*cli
, TALLOC_CTX
*mem_ctx
,
1078 POLICY_HND
*pol
, DOM_SID sid
,
1079 uint32 count
, const char **privs_name
)
1081 prs_struct qbuf
, rbuf
;
1082 LSA_Q_ADD_ACCT_RIGHTS q
;
1083 LSA_R_ADD_ACCT_RIGHTS r
;
1089 /* Marshall data and send request */
1090 init_q_add_acct_rights(&q
, pol
, &sid
, count
, privs_name
);
1092 CLI_DO_RPC( cli
, mem_ctx
, PI_LSARPC
, LSA_ADDACCTRIGHTS
,
1095 lsa_io_q_add_acct_rights
,
1096 lsa_io_r_add_acct_rights
,
1097 NT_STATUS_UNSUCCESSFUL
);
1101 if (!NT_STATUS_IS_OK(result
)) {
1110 /* remove account rights for an account. */
1112 NTSTATUS
rpccli_lsa_remove_account_rights(struct rpc_pipe_client
*cli
, TALLOC_CTX
*mem_ctx
,
1113 POLICY_HND
*pol
, DOM_SID sid
, BOOL removeall
,
1114 uint32 count
, const char **privs_name
)
1116 prs_struct qbuf
, rbuf
;
1117 LSA_Q_REMOVE_ACCT_RIGHTS q
;
1118 LSA_R_REMOVE_ACCT_RIGHTS r
;
1124 /* Marshall data and send request */
1125 init_q_remove_acct_rights(&q
, pol
, &sid
, removeall
?1:0, count
, privs_name
);
1127 CLI_DO_RPC( cli
, mem_ctx
, PI_LSARPC
, LSA_REMOVEACCTRIGHTS
,
1130 lsa_io_q_remove_acct_rights
,
1131 lsa_io_r_remove_acct_rights
,
1132 NT_STATUS_UNSUCCESSFUL
);
1136 if (!NT_STATUS_IS_OK(result
)) {
1147 /** An example of how to use the routines in this file. Fetch a DOMAIN
1148 sid. Does complete cli setup / teardown anonymously. */
1150 BOOL
fetch_domain_sid( char *domain
, char *remote_machine
, DOM_SID
*psid
)
1152 extern pstring global_myname
;
1153 struct cli_state cli
;
1159 if(cli_initialise(&cli
) == False
) {
1160 DEBUG(0,("fetch_domain_sid: unable to initialize client connection.\n"));
1164 if(!resolve_name( remote_machine
, &cli
.dest_ip
, 0x20)) {
1165 DEBUG(0,("fetch_domain_sid: Can't resolve address for %s\n", remote_machine
));
1169 if (!cli_connect(&cli
, remote_machine
, &cli
.dest_ip
)) {
1170 DEBUG(0,("fetch_domain_sid: unable to connect to SMB server on \
1171 machine %s. Error was : %s.\n", remote_machine
, cli_errstr(&cli
) ));
1175 if (!attempt_netbios_session_request(&cli
, global_myname
, remote_machine
, &cli
.dest_ip
)) {
1176 DEBUG(0,("fetch_domain_sid: machine %s rejected the NetBIOS session request.\n",
1181 cli
.protocol
= PROTOCOL_NT1
;
1183 if (!cli_negprot(&cli
)) {
1184 DEBUG(0,("fetch_domain_sid: machine %s rejected the negotiate protocol. \
1185 Error was : %s.\n", remote_machine
, cli_errstr(&cli
) ));
1189 if (cli
.protocol
!= PROTOCOL_NT1
) {
1190 DEBUG(0,("fetch_domain_sid: machine %s didn't negotiate NT protocol.\n",
1196 * Do an anonymous session setup.
1199 if (!cli_session_setup(&cli
, "", "", 0, "", 0, "")) {
1200 DEBUG(0,("fetch_domain_sid: machine %s rejected the session setup. \
1201 Error was : %s.\n", remote_machine
, cli_errstr(&cli
) ));
1205 if (!(cli
.sec_mode
& NEGOTIATE_SECURITY_USER_LEVEL
)) {
1206 DEBUG(0,("fetch_domain_sid: machine %s isn't in user level security mode\n",
1211 if (!cli_send_tconX(&cli
, "IPC$", "IPC", "", 1)) {
1212 DEBUG(0,("fetch_domain_sid: machine %s rejected the tconX on the IPC$ share. \
1213 Error was : %s.\n", remote_machine
, cli_errstr(&cli
) ));
1217 /* Fetch domain sid */
1219 if (!cli_nt_session_open(&cli
, PI_LSARPC
)) {
1220 DEBUG(0, ("fetch_domain_sid: Error connecting to SAM pipe\n"));
1224 result
= cli_lsa_open_policy(&cli
, cli
.mem_ctx
, True
, SEC_RIGHTS_QUERY_VALUE
, &lsa_pol
);
1225 if (!NT_STATUS_IS_OK(result
)) {
1226 DEBUG(0, ("fetch_domain_sid: Error opening lsa policy handle. %s\n",
1227 nt_errstr(result
) ));
1231 result
= cli_lsa_query_info_policy(&cli
, cli
.mem_ctx
, &lsa_pol
, 5, domain
, psid
);
1232 if (!NT_STATUS_IS_OK(result
)) {
1233 DEBUG(0, ("fetch_domain_sid: Error querying lsa policy handle. %s\n",
1234 nt_errstr(result
) ));
1248 NTSTATUS
rpccli_lsa_open_trusted_domain(struct rpc_pipe_client
*cli
, TALLOC_CTX
*mem_ctx
,
1249 POLICY_HND
*pol
, DOM_SID
*dom_sid
, uint32 access_mask
,
1250 POLICY_HND
*trustdom_pol
)
1252 prs_struct qbuf
, rbuf
;
1253 LSA_Q_OPEN_TRUSTED_DOMAIN q
;
1254 LSA_R_OPEN_TRUSTED_DOMAIN r
;
1260 /* Initialise input parameters */
1262 init_lsa_q_open_trusted_domain(&q
, pol
, dom_sid
, access_mask
);
1264 /* Marshall data and send request */
1266 CLI_DO_RPC( cli
, mem_ctx
, PI_LSARPC
, LSA_OPENTRUSTDOM
,
1269 lsa_io_q_open_trusted_domain
,
1270 lsa_io_r_open_trusted_domain
,
1271 NT_STATUS_UNSUCCESSFUL
);
1273 /* Return output parameters */
1277 if (NT_STATUS_IS_OK(result
)) {
1278 *trustdom_pol
= r
.handle
;
1284 NTSTATUS
rpccli_lsa_query_trusted_domain_info(struct rpc_pipe_client
*cli
, TALLOC_CTX
*mem_ctx
,
1287 LSA_TRUSTED_DOMAIN_INFO
**info
)
1289 prs_struct qbuf
, rbuf
;
1290 LSA_Q_QUERY_TRUSTED_DOMAIN_INFO q
;
1291 LSA_R_QUERY_TRUSTED_DOMAIN_INFO r
;
1292 NTSTATUS result
= NT_STATUS_UNSUCCESSFUL
;
1297 /* Marshall data and send request */
1299 init_q_query_trusted_domain_info(&q
, pol
, info_class
);
1301 CLI_DO_RPC( cli
, mem_ctx
, PI_LSARPC
, LSA_QUERYTRUSTDOMINFO
,
1304 lsa_io_q_query_trusted_domain_info
,
1305 lsa_io_r_query_trusted_domain_info
,
1306 NT_STATUS_UNSUCCESSFUL
);
1310 if (!NT_STATUS_IS_OK(result
)) {
1320 NTSTATUS
rpccli_lsa_open_trusted_domain_by_name(struct rpc_pipe_client
*cli
, TALLOC_CTX
*mem_ctx
,
1321 POLICY_HND
*pol
, const char *name
, uint32 access_mask
,
1322 POLICY_HND
*trustdom_pol
)
1324 prs_struct qbuf
, rbuf
;
1325 LSA_Q_OPEN_TRUSTED_DOMAIN_BY_NAME q
;
1326 LSA_R_OPEN_TRUSTED_DOMAIN_BY_NAME r
;
1332 /* Initialise input parameters */
1334 init_lsa_q_open_trusted_domain_by_name(&q
, pol
, name
, access_mask
);
1336 /* Marshall data and send request */
1338 CLI_DO_RPC( cli
, mem_ctx
, PI_LSARPC
, LSA_OPENTRUSTDOMBYNAME
,
1341 lsa_io_q_open_trusted_domain_by_name
,
1342 lsa_io_r_open_trusted_domain_by_name
,
1343 NT_STATUS_UNSUCCESSFUL
);
1345 /* Return output parameters */
1349 if (NT_STATUS_IS_OK(result
)) {
1350 *trustdom_pol
= r
.handle
;
1357 NTSTATUS
rpccli_lsa_query_trusted_domain_info_by_sid(struct rpc_pipe_client
*cli
, TALLOC_CTX
*mem_ctx
,
1359 uint16 info_class
, DOM_SID
*dom_sid
,
1360 LSA_TRUSTED_DOMAIN_INFO
**info
)
1362 prs_struct qbuf
, rbuf
;
1363 LSA_Q_QUERY_TRUSTED_DOMAIN_INFO_BY_SID q
;
1364 LSA_R_QUERY_TRUSTED_DOMAIN_INFO r
;
1365 NTSTATUS result
= NT_STATUS_UNSUCCESSFUL
;
1370 /* Marshall data and send request */
1372 init_q_query_trusted_domain_info_by_sid(&q
, pol
, info_class
, dom_sid
);
1374 CLI_DO_RPC( cli
, mem_ctx
, PI_LSARPC
, LSA_QUERYTRUSTDOMINFOBYSID
,
1377 lsa_io_q_query_trusted_domain_info_by_sid
,
1378 lsa_io_r_query_trusted_domain_info
,
1379 NT_STATUS_UNSUCCESSFUL
);
1383 if (!NT_STATUS_IS_OK(result
)) {
1394 NTSTATUS
rpccli_lsa_query_trusted_domain_info_by_name(struct rpc_pipe_client
*cli
, TALLOC_CTX
*mem_ctx
,
1396 uint16 info_class
, const char *domain_name
,
1397 LSA_TRUSTED_DOMAIN_INFO
**info
)
1399 prs_struct qbuf
, rbuf
;
1400 LSA_Q_QUERY_TRUSTED_DOMAIN_INFO_BY_NAME q
;
1401 LSA_R_QUERY_TRUSTED_DOMAIN_INFO r
;
1402 NTSTATUS result
= NT_STATUS_UNSUCCESSFUL
;
1407 /* Marshall data and send request */
1409 init_q_query_trusted_domain_info_by_name(&q
, pol
, info_class
, domain_name
);
1411 CLI_DO_RPC( cli
, mem_ctx
, PI_LSARPC
, LSA_QUERYTRUSTDOMINFOBYNAME
,
1414 lsa_io_q_query_trusted_domain_info_by_name
,
1415 lsa_io_r_query_trusted_domain_info
,
1416 NT_STATUS_UNSUCCESSFUL
);
1420 if (!NT_STATUS_IS_OK(result
)) {
1431 NTSTATUS
cli_lsa_query_domain_info_policy(struct rpc_pipe_client
*cli
, TALLOC_CTX
*mem_ctx
,
1433 uint16 info_class
, LSA_DOM_INFO_UNION
**info
)
1435 prs_struct qbuf
, rbuf
;
1436 LSA_Q_QUERY_DOM_INFO_POLICY q
;
1437 LSA_R_QUERY_DOM_INFO_POLICY r
;
1438 NTSTATUS result
= NT_STATUS_UNSUCCESSFUL
;
1443 /* Marshall data and send request */
1445 init_q_query_dom_info(&q
, pol
, info_class
);
1447 CLI_DO_RPC( cli
, mem_ctx
, PI_LSARPC
, LSA_QUERYDOMINFOPOL
,
1450 lsa_io_q_query_dom_info
,
1451 lsa_io_r_query_dom_info
,
1452 NT_STATUS_UNSUCCESSFUL
);
1456 if (!NT_STATUS_IS_OK(result
)) {