$(LIBMSRPC_OBJ) $(IDMAP_OBJ) \
$(LIBADS_OBJ) $(LIBADS_SERVER_OBJ) $(POPT_LIB_OBJ) \
$(SMBLDAP_OBJ) $(DCUTIL_OBJ) $(SERVER_MUTEX_OBJ) \
- $(AFS_OBJ) $(AFS_SETTOKEN_OBJ) $(REGFIO_OBJ) $(READLINE_OBJ)
+ $(AFS_OBJ) $(AFS_SETTOKEN_OBJ) $(REGFIO_OBJ) $(READLINE_OBJ) \
+ rpcclient/display_sec.o
CUPS_OBJ = client/smbspool.o $(PARAM_OBJ) $(LIBSMB_OBJ) \
$(LIB_NONSMBD_OBJ) $(KRBCLIENT_OBJ) $(SECRETS_OBJ)
struct rpc_pipe_client *pipe_hnd = NULL;
/*this number taken from rpcclient/cmd_samr.c, I think it is the only supported level*/
- uint16 info_level = 4;
+ uint32 sec_info = DACL_SECURITY_INFORMATION;
SEC_DESC_BUF *sec_out = NULL;
return CAC_FAILURE;
}
- hnd->status = rpccli_samr_query_sec_obj(pipe_hnd, mem_ctx, op->in.pol, info_level, mem_ctx, &sec_out);
+ hnd->status = rpccli_samr_query_sec_obj(pipe_hnd, mem_ctx, op->in.pol, sec_info, mem_ctx, &sec_out);
if(!NT_STATUS_IS_OK(hnd->status))
return CAC_FAILURE;
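Review bot: The comment just above the new `sec_info` declaration still says the value was "taken from rpcclient/cmd_samr.c" and is "the only supported level" — that described the old `info_level = 4` and is now misleading, since `sec_info` is a SECURITY_INFORMATION bitmask selecting which parts of the descriptor to fetch, not an info level. Replace it with `/* SECURITY_INFORMATION mask: fetch the DACL only, as before */`. It is worth adding that the wire request is unchanged only because the old literal 4 happens to equal DACL_SECURITY_INFORMATION (0x4 in the Windows definition) — if that assumption does not hold in this tree's headers the comment should say what changed. The enclosing function begins before this hunk.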
/* Query user security object */
NTSTATUS rpccli_samr_query_sec_obj(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
- POLICY_HND *user_pol, uint16 switch_value,
+ POLICY_HND *user_pol, uint32 sec_info,
TALLOC_CTX *ctx, SEC_DESC_BUF **sec_desc_buf)
{
prs_struct qbuf, rbuf;
/* Marshall data and send request */
- init_samr_q_query_sec_obj(&q, user_pol, switch_value);
+ init_samr_q_query_sec_obj(&q, user_pol, sec_info);
CLI_DO_RPC(cli, mem_ctx, PI_SAMR, SAMR_QUERY_SEC_OBJECT,
q, r,
return result;
}
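Review bot: The renamed and widened `sec_info` parameter of `rpccli_samr_query_sec_obj` gets no documentation, and the old `switch_value` of 4 apparently worked only because it coincides with DACL_SECURITY_INFORMATION, so a reader cannot tell from this signature what is legal to pass. Add above the function: `/* sec_info: SECURITY_INFORMATION bitmask (OWNER/GROUP/DACL/SACL) selecting which parts of the descriptor the server returns; requesting the SACL is expected to need a handle opened with ACCESS_SYSTEM_SECURITY (not verified here). */`. Any out-of-tree caller still passing a uint16 literal compiles unchanged because of implicit conversion, so the change is source-compatible but silently reinterprets the argument — the comment should make the new meaning explicit.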
+/* Set user security object */
+
+NTSTATUS rpccli_samr_set_sec_obj(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
+ POLICY_HND *user_pol, uint32 sec_info,
+ SEC_DESC_BUF *sec_desc_buf)
+{
+ prs_struct qbuf, rbuf;
+ SAMR_Q_SET_SEC_OBJ q;
+ SAMR_R_SET_SEC_OBJ r;
+ NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
+
+ DEBUG(10,("cli_samr_set_sec_obj\n"));
+
+ ZERO_STRUCT(q);
+ ZERO_STRUCT(r);
+
+ /* Marshall data and send request */
+
+ init_samr_q_set_sec_obj(&q, user_pol, sec_info, sec_desc_buf);
+
+ CLI_DO_RPC(cli, mem_ctx, PI_SAMR, SAMR_SET_SEC_OBJECT,
+ q, r,
+ qbuf, rbuf,
+ samr_io_q_set_sec_obj,
+ samr_io_r_set_sec_obj,
+ NT_STATUS_UNSUCCESSFUL);
+
+ /* Return output parameters */
+
+ result = r.status;
+
+ return result;
+}
+
+
/* Get domain password info */
NTSTATUS rpccli_samr_get_dom_pwinfo(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
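Review bot: `rpccli_samr_set_sec_obj` forwards `user_pol` and `sec_desc_buf` straight into `init_samr_q_set_sec_obj`, which dereferences `*pol` and stores the buffer pointer, so a NULL from a caller crashes before any status is produced; this is the write path that changes access control on a SAM object, so it should fail closed with `if (!cli || !user_pol || !sec_desc_buf) return NT_STATUS_INVALID_PARAMETER;` before the ZERO_STRUCTs. The DEBUG string on the entry line says `cli_samr_set_sec_obj` rather than the function's actual name, which makes log grepping harder — `DEBUG(10,("rpccli_samr_set_sec_obj\n"));`. The comment "Set user security object" looks narrower than the code: the handle is an opaque POLICY_HND and the query counterpart is used on domain handles in cmd_samr (`pol` is chosen between domain_pol and user_pol there), so presumably this one applies to any SAMR handle too — a header comment stating that `sec_info` must name only the descriptor parts that `sec_desc_buf` actually carries (the server is what enforces it) would help callers.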
return True;
}
+/*******************************************************************
+reads or writes a structure.
+********************************************************************/
+
+void init_samr_q_set_sec_obj(SAMR_Q_SET_SEC_OBJ * q_u,
+ POLICY_HND *pol, uint32 sec_info, SEC_DESC_BUF *buf)
+{
+ DEBUG(5, ("samr_init_samr_q_set_sec_obj\n"));
+
+ q_u->pol = *pol;
+ q_u->sec_info = sec_info;
+ q_u->buf = buf;
+}
+
+
/*******************************************************************
reads or writes a SAMR_R_SET_SEC_OBJ structure.
********************************************************************/
{
POLICY_HND connect_pol, domain_pol, user_pol, *pol;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
- uint32 info_level = 4;
+ uint32 sec_info = DACL_SECURITY_INFORMATION;
fstring server;
uint32 user_rid = 0;
TALLOC_CTX *ctx = NULL;
ctx=talloc_init("cmd_samr_query_sec_obj");
- if ((argc < 1) || (argc > 2)) {
- printf("Usage: %s [rid|-d]\n", argv[0]);
+ if ((argc < 1) || (argc > 3)) {
+ printf("Usage: %s [rid|-d] [sec_info]\n", argv[0]);
printf("\tSpecify rid for security on user, -d for security on domain\n");
return NT_STATUS_OK;
}
else
sscanf(argv[1], "%i", &user_rid);
}
+
+ if (argc == 3) {
+ sec_info = atoi(argv[2]);
+ }
slprintf(server, sizeof(fstring)-1, "\\\\%s", cli->cli->desthost);
strupper_m(server);
/* Query SAM security object */
- result = rpccli_samr_query_sec_obj(cli, mem_ctx, pol, info_level, ctx,
+ result = rpccli_samr_query_sec_obj(cli, mem_ctx, pol, sec_info, ctx,
&sec_desc_buf);
if (!NT_STATUS_IS_OK(result))
goto done;
display_sec_desc(sec_desc_buf->sec);
-
+
rpccli_samr_close(cli, mem_ctx, &user_pol);
rpccli_samr_close(cli, mem_ctx, &domain_pol);
rpccli_samr_close(cli, mem_ctx, &connect_pol);
}
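Review bot: The new `sec_info = atoi(argv[2]);` in `cmd_samr_query_sec_obj` takes the third argument with no validation: a non-numeric value becomes 0 (the request then asks for nothing and the command prints an empty descriptor with no error), a negative value wraps into a uint32 with high bits set, and hexadecimal such as `0x7` — the natural way to write a SECURITY_INFORMATION mask — is silently read as 0. Since the usage line now advertises the argument, parse it with `strtoul(..., 0)` and reject anything that does not consume the whole string, and say in the usage text that it is a bitmask; this is operator input to rpcclient, so the concern is a confusing wrong query rather than a memory-safety one. The function's signature precedes this hunk and `ctx` is allocated at the top of it, so the error path releases it before returning; the existing usage-error return does not, which is pre-existing.

```c
	if (argc == 3) {
		char *end = NULL;
		unsigned long v;

		/* Accept decimal or 0x-prefixed hex; reject partial or out-of-range input. */
		errno = 0;
		v = strtoul(argv[2], &end, 0);
		if (end == argv[2] || *end != '\0' || errno == ERANGE || v > 0xffffffffUL) {
			printf("Invalid sec_info '%s': expected a SECURITY_INFORMATION bitmask\n", argv[2]);
			talloc_destroy(ctx);
			return NT_STATUS_INVALID_PARAMETER;
		}
		sec_info = (uint32)v;
	}
	/* … unchanged: server name, query, display, close handles … */
```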
+void display_acl_type(uint16 type)
+{
+ static fstring typestr="";
+
+ typestr[0] = 0;
+
+ if (type & SEC_DESC_OWNER_DEFAULTED) /* 0x0001 */
+ fstrcat(typestr, "SEC_DESC_OWNER_DEFAULTED ");
+ if (type & SEC_DESC_GROUP_DEFAULTED) /* 0x0002 */
+ fstrcat(typestr, "SEC_DESC_GROUP_DEFAULTED ");
+ if (type & SEC_DESC_DACL_PRESENT) /* 0x0004 */
+ fstrcat(typestr, "SEC_DESC_DACL_PRESENT ");
+ if (type & SEC_DESC_DACL_DEFAULTED) /* 0x0008 */
+ fstrcat(typestr, "SEC_DESC_DACL_DEFAULTED ");
+ if (type & SEC_DESC_SACL_PRESENT) /* 0x0010 */
+ fstrcat(typestr, "SEC_DESC_SACL_PRESENT ");
+ if (type & SEC_DESC_SACL_DEFAULTED) /* 0x0020 */
+ fstrcat(typestr, "SEC_DESC_SACL_DEFAULTED ");
+ if (type & SEC_DESC_DACL_TRUSTED) /* 0x0040 */
+ fstrcat(typestr, "SEC_DESC_DACL_TRUSTED ");
+ if (type & SEC_DESC_SERVER_SECURITY) /* 0x0080 */
+ fstrcat(typestr, "SEC_DESC_SERVER_SECURITY ");
+ if (type & 0x0100) fstrcat(typestr, "0x0100 ");
+ if (type & 0x0200) fstrcat(typestr, "0x0200 ");
+ if (type & 0x0400) fstrcat(typestr, "0x0400 ");
+ if (type & 0x0800) fstrcat(typestr, "0x0800 ");
+ if (type & 0x1000) fstrcat(typestr, "0x1000 ");
+ if (type & 0x2000) fstrcat(typestr, "0x2000 ");
+ if (type & 0x4000) fstrcat(typestr, "0x4000 ");
+ if (type & SEC_DESC_SELF_RELATIVE) /* 0x8000 */
+ fstrcat(typestr, "SEC_DESC_SELF_RELATIVE ");
+
+ printf("type: 0x%04x: %s\n", type, typestr);
+}
+
/****************************************************************************
display sec_desc structure
****************************************************************************/
{
fstring sid_str;
+ if (!sec) {
+ printf("NULL\n");
+ return;
+ }
+
+ printf("revision: %d\n", sec->revision);
+ display_acl_type(sec->type);
+
if (sec->sacl) {
printf("SACL\n");
display_sec_acl(sec->sacl);
};
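Review bot: `display_acl_type` accumulates its output into a static `fstring`, and the sixteen flag names plus spaces add up to about 260 characters when every bit is set, which is more than an fstring holds; assuming `fstrcat` is the bounded safe_strcat wrapper used elsewhere in the tree this truncates rather than overflows, but the `type` word comes from the server's reply, so the tool should not assume a well-formed value and should not silently drop the last flags. Printing each set flag directly from a table removes the shared buffer (and its non-reentrancy) and the length limit at once; the only visible difference is no trailing space before the newline. The bits 0x0100–0x4000 are printed as raw numbers — if this tree has names for them (they are the auto-inherit/protected control bits in the Windows SECURITY_DESCRIPTOR_CONTROL definition) the table is the one place to add them. The `display_sec_desc` change in the same hunk is fine: the NULL guard and the revision/type lines are straightforward.

```c
void display_acl_type(uint16 type)
{
	/* One entry per SEC_DESC_* control bit; unnamed bits keep their raw value. */
	static const struct { uint16 bit; const char *name; } bits[] = {
		{ SEC_DESC_OWNER_DEFAULTED, "SEC_DESC_OWNER_DEFAULTED" },	/* 0x0001 */
		{ SEC_DESC_GROUP_DEFAULTED, "SEC_DESC_GROUP_DEFAULTED" },	/* 0x0002 */
		{ SEC_DESC_DACL_PRESENT,    "SEC_DESC_DACL_PRESENT" },		/* 0x0004 */
		{ SEC_DESC_DACL_DEFAULTED,  "SEC_DESC_DACL_DEFAULTED" },	/* 0x0008 */
		{ SEC_DESC_SACL_PRESENT,    "SEC_DESC_SACL_PRESENT" },		/* 0x0010 */
		{ SEC_DESC_SACL_DEFAULTED,  "SEC_DESC_SACL_DEFAULTED" },	/* 0x0020 */
		{ SEC_DESC_DACL_TRUSTED,    "SEC_DESC_DACL_TRUSTED" },		/* 0x0040 */
		{ SEC_DESC_SERVER_SECURITY, "SEC_DESC_SERVER_SECURITY" },	/* 0x0080 */
		{ 0x0100, "0x0100" }, { 0x0200, "0x0200" }, { 0x0400, "0x0400" },
		{ 0x0800, "0x0800" }, { 0x1000, "0x1000" }, { 0x2000, "0x2000" },
		{ 0x4000, "0x4000" },
		{ SEC_DESC_SELF_RELATIVE,   "SEC_DESC_SELF_RELATIVE" },		/* 0x8000 */
	};
	size_t i;

	/* Print each set flag directly: no shared buffer, no length limit. */
	printf("type: 0x%04x:", type);
	for (i = 0; i < sizeof(bits) / sizeof(bits[0]); i++) {
		if (type & bits[i].bit)
			printf(" %s", bits[i].name);
	}
	printf("\n");
}
```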
-/**
- * The display-functions for Security-Descriptors were taken from rpcclient
- *
- * They reside here for debugging purpose and should
- * possibly be removed later on
- *
- **/
-
-/****************************************************************************
- Convert a security permissions into a string.
-****************************************************************************/
-
-char *get_sec_mask_str(uint32 type)
-{
- static fstring typestr="";
-
- typestr[0] = 0;
-
- if (type & GENERIC_ALL_ACCESS)
- fstrcat(typestr, "Generic all access ");
- if (type & GENERIC_EXECUTE_ACCESS)
- fstrcat(typestr, "Generic execute access ");
- if (type & GENERIC_WRITE_ACCESS)
- fstrcat(typestr, "Generic write access ");
- if (type & GENERIC_READ_ACCESS)
- fstrcat(typestr, "Generic read access ");
- if (type & MAXIMUM_ALLOWED_ACCESS)
- fstrcat(typestr, "MAXIMUM_ALLOWED_ACCESS ");
- if (type & SYSTEM_SECURITY_ACCESS)
- fstrcat(typestr, "SYSTEM_SECURITY_ACCESS ");
- if (type & SYNCHRONIZE_ACCESS)
- fstrcat(typestr, "SYNCHRONIZE_ACCESS ");
- if (type & WRITE_OWNER_ACCESS)
- fstrcat(typestr, "WRITE_OWNER_ACCESS ");
- if (type & WRITE_DAC_ACCESS)
- fstrcat(typestr, "WRITE_DAC_ACCESS ");
- if (type & READ_CONTROL_ACCESS)
- fstrcat(typestr, "READ_CONTROL_ACCESS ");
- if (type & DELETE_ACCESS)
- fstrcat(typestr, "DELETE_ACCESS ");
-
- printf("\t\tSpecific bits: 0x%lx\n", (unsigned long)type&SPECIFIC_RIGHTS_MASK);
-
- return typestr;
-}
-
-/****************************************************************************
- Display sec_ace structure.
- ****************************************************************************/
-
-void display_sec_ace(SEC_ACE *ace)
-{
- fstring sid_str;
-
- printf("\tACE\n\t\ttype: ");
- switch (ace->type) {
- case SEC_ACE_TYPE_ACCESS_ALLOWED:
- printf("ACCESS ALLOWED");
- break;
- case SEC_ACE_TYPE_ACCESS_DENIED:
- printf("ACCESS DENIED");
- break;
- case SEC_ACE_TYPE_SYSTEM_AUDIT:
- printf("SYSTEM AUDIT");
- break;
- case SEC_ACE_TYPE_SYSTEM_ALARM:
- printf("SYSTEM ALARM");
- break;
- default:
- printf("????");
- break;
- }
- printf(" (%d) flags: %d\n", ace->type, ace->flags);
- printf("\t\tPermissions: 0x%x: %s\n", ace->info.mask, get_sec_mask_str(ace->info.mask));
-
- sid_to_string(sid_str, &ace->trustee);
- printf("\t\tSID: %s\n\n", sid_str);
-}
-
-/****************************************************************************
- Display sec_acl structure.
- ****************************************************************************/
-
-void display_sec_acl(SEC_ACL *sec_acl)
-{
- int i;
-
- printf("\tACL\tNum ACEs:\t%d\trevision:\t%x\n",
- sec_acl->num_aces, sec_acl->revision);
- printf("\t---\n");
-
- if (sec_acl->size != 0 && sec_acl->num_aces != 0)
- for (i = 0; i < sec_acl->num_aces; i++)
- display_sec_ace(&sec_acl->ace[i]);
-
-}
-
-/****************************************************************************
- Display sec_desc structure.
- ****************************************************************************/
-
-void display_sec_desc(SEC_DESC *sec)
-{
- fstring sid_str;
-
- if (sec == NULL)
- return;
-
- if (sec->sacl) {
- printf("SACL\n");
- display_sec_acl(sec->sacl);
- }
-
- if (sec->dacl) {
- printf("DACL\n");
- display_sec_acl(sec->dacl);
- }
-
- if (sec->owner_sid) {
- sid_to_string(sid_str, sec->owner_sid);
- printf("\tOwner SID:\t%s\n", sid_str);
- }
-
- if (sec->grp_sid) {
- sid_to_string(sid_str, sec->grp_sid);
- printf("\tParent SID:\t%s\n", sid_str);
- }
-}
-
-
/**
* This display-printdriver-functions was borrowed from rpcclient/cmd_spoolss.c.
* It is here for debugging purpose and should be removed later on.