1 /* packet-dcerpc-samr.c
2 * Routines for SMB \PIPE\samr packet disassembly
3 * Copyright 2001,2003 Tim Potter <tpot@samba.org>
4 * 2002 Added all command dissectors Ronnie Sahlberg
6 * $Id: packet-dcerpc-samr.c,v 1.70 2003/01/31 04:18:08 tpot Exp $
8 * Ethereal - Network traffic analyzer
9 * By Gerald Combs <gerald@ethereal.com>
10 * Copyright 1998 Gerald Combs
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version 2
15 * of the License, or (at your option) any later version.
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with this program; if not, write to the Free Software
24 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
32 #include <epan/packet.h>
35 #include "packet-dcerpc.h"
36 #include "packet-dcerpc-nt.h"
37 #include "packet-dcerpc-samr.h"
38 #include "packet-dcerpc-lsa.h"
39 #include "smb.h" /* for "NT_errors[]" */
40 #include "packet-smb-common.h"
41 #include "crypt-md4.h"
42 #include "crypt-rc4.h"
44 #ifdef NEED_SNPRINTF_H
45 # include "snprintf.h"
48 static int proto_dcerpc_samr = -1;
50 static int hf_samr_opnum = -1;
51 static int hf_samr_hnd = -1;
52 static int hf_samr_group = -1;
53 static int hf_samr_rid = -1;
54 static int hf_samr_type = -1;
55 static int hf_samr_alias = -1;
56 static int hf_samr_rid_attrib = -1;
57 static int hf_samr_rc = -1;
58 static int hf_samr_index = -1;
59 static int hf_samr_count = -1;
61 static int hf_samr_level = -1;
62 static int hf_samr_start_idx = -1;
63 static int hf_samr_max_entries = -1;
64 static int hf_samr_entries = -1;
65 static int hf_samr_pref_maxsize = -1;
66 static int hf_samr_total_size = -1;
67 static int hf_samr_ret_size = -1;
68 static int hf_samr_alias_name = -1;
69 static int hf_samr_group_name = -1;
70 static int hf_samr_acct_name = -1;
71 static int hf_samr_full_name = -1;
72 static int hf_samr_acct_desc = -1;
73 static int hf_samr_home = -1;
74 static int hf_samr_home_drive = -1;
75 static int hf_samr_script = -1;
76 static int hf_samr_workstations = -1;
77 static int hf_samr_profile = -1;
78 static int hf_samr_server = -1;
79 static int hf_samr_domain = -1;
80 static int hf_samr_controller = -1;
81 static int hf_samr_access = -1;
82 static int hf_samr_access_granted = -1;
83 static int hf_samr_mask = -1;
84 static int hf_samr_crypt_password = -1;
85 static int hf_samr_crypt_hash = -1;
86 static int hf_samr_lm_change = -1;
87 static int hf_samr_lm_passchange_block = -1;
88 static int hf_samr_nt_passchange_block = -1;
89 static int hf_samr_nt_passchange_block_decrypted = -1;
90 static int hf_samr_nt_passchange_block_newpass = -1;
91 static int hf_samr_nt_passchange_block_newpass_len = -1;
92 static int hf_samr_nt_passchange_block_pseudorandom = -1;
93 static int hf_samr_lm_verifier = -1;
94 static int hf_samr_nt_verifier = -1;
95 static int hf_samr_attrib = -1;
96 static int hf_samr_max_pwd_age = -1;
97 static int hf_samr_min_pwd_age = -1;
98 static int hf_samr_min_pwd_len = -1;
99 static int hf_samr_pwd_history_len = -1;
100 static int hf_samr_num_users = -1;
101 static int hf_samr_num_groups = -1;
102 static int hf_samr_num_aliases = -1;
103 static int hf_samr_resume_hnd = -1;
104 static int hf_samr_bad_pwd_count = -1;
105 static int hf_samr_logon_count = -1;
106 static int hf_samr_logon_time = -1;
107 static int hf_samr_logoff_time = -1;
108 static int hf_samr_kickoff_time = -1;
109 static int hf_samr_pwd_last_set_time = -1;
110 static int hf_samr_pwd_can_change_time = -1;
111 static int hf_samr_pwd_must_change_time = -1;
112 static int hf_samr_acct_expiry_time = -1;
113 static int hf_samr_country = -1;
114 static int hf_samr_codepage = -1;
115 static int hf_samr_comment = -1;
116 static int hf_samr_parameters = -1;
117 static int hf_samr_nt_pwd_set = -1;
118 static int hf_samr_lm_pwd_set = -1;
119 static int hf_samr_pwd_expired = -1;
120 static int hf_samr_revision = -1;
121 static int hf_samr_divisions = -1;
122 static int hf_samr_info_type = -1;
124 static int hf_samr_unknown_hyper = -1;
125 static int hf_samr_unknown_long = -1;
126 static int hf_samr_unknown_short = -1;
127 static int hf_samr_unknown_char = -1;
128 static int hf_samr_unknown_string = -1;
129 static int hf_samr_unknown_time = -1;
131 /* these are used by functions in packet-dcerpc-nt.c */
132 int hf_nt_str_len = -1;
133 int hf_nt_str_off = -1;
134 int hf_nt_str_max_len = -1;
135 int hf_nt_string_length = -1;
136 int hf_nt_string_size = -1;
137 static int hf_nt_acct_ctrl = -1;
138 static int hf_nt_acb_disabled = -1;
139 static int hf_nt_acb_homedirreq = -1;
140 static int hf_nt_acb_pwnotreq = -1;
141 static int hf_nt_acb_tempdup = -1;
142 static int hf_nt_acb_normal = -1;
143 static int hf_nt_acb_mns = -1;
144 static int hf_nt_acb_domtrust = -1;
145 static int hf_nt_acb_wstrust = -1;
146 static int hf_nt_acb_svrtrust = -1;
147 static int hf_nt_acb_pwnoexp = -1;
148 static int hf_nt_acb_autolock = -1;
150 static gint ett_dcerpc_samr = -1;
151 static gint ett_samr_user_dispinfo_1 = -1;
152 static gint ett_samr_user_dispinfo_1_array = -1;
153 static gint ett_samr_user_dispinfo_2 = -1;
154 static gint ett_samr_user_dispinfo_2_array = -1;
155 static gint ett_samr_group_dispinfo = -1;
156 static gint ett_samr_group_dispinfo_array = -1;
157 static gint ett_samr_ascii_dispinfo = -1;
158 static gint ett_samr_ascii_dispinfo_array = -1;
159 static gint ett_samr_display_info = -1;
160 static gint ett_samr_password_info = -1;
161 static gint ett_samr_server = -1;
162 static gint ett_samr_user_group = -1;
163 static gint ett_samr_user_group_array = -1;
164 static gint ett_samr_alias_info = -1;
165 static gint ett_samr_group_info = -1;
166 static gint ett_samr_domain_info_1 = -1;
167 static gint ett_samr_domain_info_2 = -1;
168 static gint ett_samr_domain_info_8 = -1;
169 static gint ett_samr_replication_status = -1;
170 static gint ett_samr_domain_info_11 = -1;
171 static gint ett_samr_domain_info_13 = -1;
172 static gint ett_samr_domain_info = -1;
173 static gint ett_samr_sid_pointer = -1;
174 static gint ett_samr_sid_array = -1;
175 static gint ett_samr_index_array = -1;
176 static gint ett_samr_idx_and_name = -1;
177 static gint ett_samr_idx_and_name_array = -1;
178 static gint ett_samr_logon_hours = -1;
179 static gint ett_samr_logon_hours_hours = -1;
180 static gint ett_samr_user_info_1 = -1;
181 static gint ett_samr_user_info_2 = -1;
182 static gint ett_samr_user_info_3 = -1;
183 static gint ett_samr_user_info_5 = -1;
184 static gint ett_samr_user_info_6 = -1;
185 static gint ett_samr_user_info_18 = -1;
186 static gint ett_samr_user_info_19 = -1;
187 static gint ett_samr_buffer_buffer = -1;
188 static gint ett_samr_buffer = -1;
189 static gint ett_samr_user_info_21 = -1;
190 static gint ett_samr_user_info_22 = -1;
191 static gint ett_samr_user_info_23 = -1;
192 static gint ett_samr_user_info_24 = -1;
193 static gint ett_samr_user_info = -1;
194 static gint ett_samr_member_array_types = -1;
195 static gint ett_samr_member_array_rids = -1;
196 static gint ett_samr_member_array = -1;
197 static gint ett_samr_names = -1;
198 static gint ett_samr_rids = -1;
199 static gint ett_nt_acct_ctrl = -1;
200 static gint ett_samr_sid_and_attributes_array = -1;
201 static gint ett_samr_sid_and_attributes = -1;
202 #ifdef SAMR_UNUSED_HANDLES
203 static gint ett_samr_hnd = -1;
206 static e_uuid_t uuid_dcerpc_samr = {
207 0x12345778, 0x1234, 0xabcd,
208 { 0xef, 0x00, 0x01, 0x23, 0x45, 0x67, 0x89, 0xac}
211 static guint16 ver_dcerpc_samr = 1;
213 /* Configuration variables */
214 static char *nt_password = NULL;
216 /* Dissect connect specific access rights */
218 static gint hf_access_connect_unknown_01 = -1;
219 static gint hf_access_connect_shutdown_server = -1;
220 static gint hf_access_connect_unknown_04 = -1;
221 static gint hf_access_connect_unknown_08 = -1;
222 static gint hf_access_connect_enum_domains = -1;
223 static gint hf_access_connect_open_domain = -1;
226 specific_rights_connect(tvbuff_t *tvb, gint offset, proto_tree *tree,
229 proto_tree_add_boolean(
230 tree, hf_access_connect_open_domain,
231 tvb, offset, 4, access);
233 proto_tree_add_boolean(
234 tree, hf_access_connect_enum_domains,
235 tvb, offset, 4, access);
237 proto_tree_add_boolean(
238 tree, hf_access_connect_unknown_08,
239 tvb, offset, 4, access);
241 proto_tree_add_boolean(
242 tree, hf_access_connect_unknown_04,
243 tvb, offset, 4, access);
245 proto_tree_add_boolean(
246 tree, hf_access_connect_shutdown_server,
247 tvb, offset, 4, access);
249 proto_tree_add_boolean(
250 tree, hf_access_connect_unknown_01,
251 tvb, offset, 4, access);
254 /* Dissect domain specific access rights */
256 static gint hf_access_domain_lookup_info1 = -1;
257 static gint hf_access_domain_set_info1 = -1;
258 static gint hf_access_domain_lookup_info2 = -1;
259 static gint hf_access_domain_set_info2 = -1;
260 static gint hf_access_domain_create_user = -1;
261 static gint hf_access_domain_create_group = -1;
262 static gint hf_access_domain_create_alias = -1;
263 static gint hf_access_domain_unknown_80 = -1;
264 static gint hf_access_domain_enum_accounts = -1;
265 static gint hf_access_domain_open_account = -1;
266 static gint hf_access_domain_set_info3 = -1;
269 specific_rights_domain(tvbuff_t *tvb, gint offset, proto_tree *tree,
272 proto_tree_add_boolean(
273 tree, hf_access_domain_set_info3,
274 tvb, offset, 4, access);
276 proto_tree_add_boolean(
277 tree, hf_access_domain_open_account,
278 tvb, offset, 4, access);
280 proto_tree_add_boolean(
281 tree, hf_access_domain_enum_accounts,
282 tvb, offset, 4, access);
284 proto_tree_add_boolean(
285 tree, hf_access_domain_unknown_80,
286 tvb, offset, 4, access);
288 proto_tree_add_boolean(
289 tree, hf_access_domain_create_alias,
290 tvb, offset, 4, access);
292 proto_tree_add_boolean(
293 tree, hf_access_domain_create_group,
294 tvb, offset, 4, access);
296 proto_tree_add_boolean(
297 tree, hf_access_domain_create_user,
298 tvb, offset, 4, access);
300 proto_tree_add_boolean(
301 tree, hf_access_domain_set_info2,
302 tvb, offset, 4, access);
304 proto_tree_add_boolean(
305 tree, hf_access_domain_lookup_info2,
306 tvb, offset, 4, access);
308 proto_tree_add_boolean(
309 tree, hf_access_domain_set_info1,
310 tvb, offset, 4, access);
312 proto_tree_add_boolean(
313 tree, hf_access_domain_lookup_info1,
314 tvb, offset, 4, access);
317 /* Dissect user specific access rights */
319 static gint hf_access_user_get_name_etc = -1;
320 static gint hf_access_user_get_locale = -1;
321 static gint hf_access_user_get_loc_com = -1;
322 static gint hf_access_user_get_logoninfo = -1;
323 static gint hf_access_user_unknown_10 = -1;
324 static gint hf_access_user_set_attributes = -1;
325 static gint hf_access_user_change_password = -1;
326 static gint hf_access_user_set_password = -1;
327 static gint hf_access_user_get_groups = -1;
328 static gint hf_access_user_unknown_200 = -1;
329 static gint hf_access_user_unknown_400 = -1;
332 specific_rights_user(tvbuff_t *tvb, gint offset, proto_tree *tree,
335 proto_tree_add_boolean(
336 tree, hf_access_user_unknown_400,
337 tvb, offset, 4, access);
339 proto_tree_add_boolean(
340 tree, hf_access_user_unknown_200,
341 tvb, offset, 4, access);
343 proto_tree_add_boolean(
344 tree, hf_access_user_get_groups,
345 tvb, offset, 4, access);
347 proto_tree_add_boolean(
348 tree, hf_access_user_set_password,
349 tvb, offset, 4, access);
351 proto_tree_add_boolean(
352 tree, hf_access_user_change_password,
353 tvb, offset, 4, access);
355 proto_tree_add_boolean(
356 tree, hf_access_user_set_attributes,
357 tvb, offset, 4, access);
359 proto_tree_add_boolean(
360 tree, hf_access_user_unknown_10,
361 tvb, offset, 4, access);
363 proto_tree_add_boolean(
364 tree, hf_access_user_get_logoninfo,
365 tvb, offset, 4, access);
367 proto_tree_add_boolean(
368 tree, hf_access_user_get_loc_com,
369 tvb, offset, 4, access);
371 proto_tree_add_boolean(
372 tree, hf_access_user_get_locale,
373 tvb, offset, 4, access);
375 proto_tree_add_boolean(
376 tree, hf_access_user_get_name_etc,
377 tvb, offset, 4, access);
380 /* Dissect alias specific access rights */
382 static gint hf_access_alias_add_member = -1;
383 static gint hf_access_alias_remove_member = -1;
384 static gint hf_access_alias_get_members = -1;
385 static gint hf_access_alias_lookup_info = -1;
386 static gint hf_access_alias_set_info = -1;
389 specific_rights_alias(tvbuff_t *tvb, gint offset, proto_tree *tree,
392 proto_tree_add_boolean(
393 tree, hf_access_alias_set_info,
394 tvb, offset, 4, access);
396 proto_tree_add_boolean(
397 tree, hf_access_alias_lookup_info,
398 tvb, offset, 4, access);
400 proto_tree_add_boolean(
401 tree, hf_access_alias_get_members,
402 tvb, offset, 4, access);
404 proto_tree_add_boolean(
405 tree, hf_access_alias_remove_member,
406 tvb, offset, 4, access);
408 proto_tree_add_boolean(
409 tree, hf_access_alias_add_member,
410 tvb, offset, 4, access);
413 /* Dissect group specific access rights */
415 static gint hf_access_group_lookup_info = -1;
416 static gint hf_access_group_set_info = -1;
417 static gint hf_access_group_add_member = -1;
418 static gint hf_access_group_remove_member = -1;
419 static gint hf_access_group_get_members = -1;
422 specific_rights_group(tvbuff_t *tvb, gint offset, proto_tree *tree,
425 proto_tree_add_boolean(
426 tree, hf_access_group_get_members,
427 tvb, offset, 4, access);
429 proto_tree_add_boolean(
430 tree, hf_access_group_remove_member,
431 tvb, offset, 4, access);
433 proto_tree_add_boolean(
434 tree, hf_access_group_add_member,
435 tvb, offset, 4, access);
437 proto_tree_add_boolean(
438 tree, hf_access_group_set_info,
439 tvb, offset, 4, access);
441 proto_tree_add_boolean(
442 tree, hf_access_group_lookup_info,
443 tvb, offset, 4, access);
447 dissect_ndr_nt_SID(tvbuff_t *tvb, int offset, packet_info *pinfo,
448 proto_tree *tree, char *drep)
450 dcerpc_info *di = (dcerpc_info *)pinfo->private_data;
451 dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
454 if(di->conformant_run){
455 /* just a run to handle conformant arrays, no scalars to dissect */
459 /* the SID contains a conformant array, first we must eat
460 the 4-byte max_count before we can hand it off */
461 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
462 hf_samr_count, NULL);
464 offset = dissect_nt_sid(tvb, offset, tree, "Domain", &sid_str);
466 dcv->private_data = sid_str;
472 dissect_ndr_nt_SID_ptr(tvbuff_t *tvb, int offset,
473 packet_info *pinfo, proto_tree *tree,
476 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
477 dissect_ndr_nt_SID, NDR_POINTER_UNIQUE,
484 static const true_false_string tfs_nt_acb_disabled = {
485 "Account is DISABLED",
486 "Account is NOT disabled"
488 static const true_false_string tfs_nt_acb_homedirreq = {
489 "Homedir is REQUIRED",
490 "Homedir is NOT required"
492 static const true_false_string tfs_nt_acb_pwnotreq = {
493 "Password is NOT required",
494 "Password is REQUIRED"
496 static const true_false_string tfs_nt_acb_tempdup = {
497 "This is a TEMPORARY DUPLICATE account",
498 "This is NOT a temporary duplicate account"
500 static const true_false_string tfs_nt_acb_normal = {
501 "This is a NORMAL USER account",
502 "This is NOT a normal user account"
504 static const true_false_string tfs_nt_acb_mns = {
505 "This is a MNS account",
506 "This is NOT a mns account"
508 static const true_false_string tfs_nt_acb_domtrust = {
509 "This is a DOMAIN TRUST account",
510 "This is NOT a domain trust account"
512 static const true_false_string tfs_nt_acb_wstrust = {
513 "This is a WORKSTATION TRUST account",
514 "This is NOT a workstation trust account"
516 static const true_false_string tfs_nt_acb_svrtrust = {
517 "This is a SERVER TRUST account",
518 "This is NOT a server trust account"
520 static const true_false_string tfs_nt_acb_pwnoexp = {
521 "Passwords does NOT expire",
522 "Password will EXPIRE"
524 static const true_false_string tfs_nt_acb_autolock = {
525 "This account has been AUTO LOCKED",
526 "This account has NOT been auto locked"
529 dissect_ndr_nt_acct_ctrl(tvbuff_t *tvb, int offset, packet_info *pinfo,
530 proto_tree *parent_tree, char *drep)
533 proto_item *item = NULL;
534 proto_tree *tree = NULL;
536 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
537 hf_nt_acct_ctrl, &mask);
540 item = proto_tree_add_uint(parent_tree, hf_nt_acct_ctrl,
541 tvb, offset-4, 4, mask);
542 tree = proto_item_add_subtree(item, ett_nt_acct_ctrl);
545 proto_tree_add_boolean(tree, hf_nt_acb_autolock,
546 tvb, offset-4, 4, mask);
547 proto_tree_add_boolean(tree, hf_nt_acb_pwnoexp,
548 tvb, offset-4, 4, mask);
549 proto_tree_add_boolean(tree, hf_nt_acb_svrtrust,
550 tvb, offset-4, 4, mask);
551 proto_tree_add_boolean(tree, hf_nt_acb_wstrust,
552 tvb, offset-4, 4, mask);
553 proto_tree_add_boolean(tree, hf_nt_acb_domtrust,
554 tvb, offset-4, 4, mask);
555 proto_tree_add_boolean(tree, hf_nt_acb_mns,
556 tvb, offset-4, 4, mask);
557 proto_tree_add_boolean(tree, hf_nt_acb_normal,
558 tvb, offset-4, 4, mask);
559 proto_tree_add_boolean(tree, hf_nt_acb_tempdup,
560 tvb, offset-4, 4, mask);
561 proto_tree_add_boolean(tree, hf_nt_acb_pwnotreq,
562 tvb, offset-4, 4, mask);
563 proto_tree_add_boolean(tree, hf_nt_acb_homedirreq,
564 tvb, offset-4, 4, mask);
565 proto_tree_add_boolean(tree, hf_nt_acb_disabled,
566 tvb, offset-4, 4, mask);
572 /* above this line, just some general support routines which should be placed
573 in some more generic file common to all NT services dissectors
577 samr_dissect_open_user_rqst(tvbuff_t *tvb, int offset, packet_info *pinfo,
578 proto_tree *tree, char *drep)
580 dcerpc_info *di = (dcerpc_info *)pinfo->private_data;
581 dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
584 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
585 hf_samr_hnd, NULL, FALSE, FALSE);
587 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
588 hf_samr_access, NULL);
590 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
593 if (check_col(pinfo->cinfo, COL_INFO))
594 col_append_fstr(pinfo->cinfo, COL_INFO, ", rid 0x%x", rid);
596 dcv->private_data = GINT_TO_POINTER(rid);
602 samr_dissect_open_user_reply(tvbuff_t *tvb, int offset,
603 packet_info *pinfo, proto_tree *tree,
606 dcerpc_info *di = (dcerpc_info *)pinfo->private_data;
607 dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
608 e_ctx_hnd policy_hnd;
609 guint32 rid = GPOINTER_TO_INT(dcv->private_data);
612 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
613 hf_samr_hnd, &policy_hnd, TRUE, FALSE);
616 pol_name = g_strdup_printf("OpenUser, rid 0x%x", rid);
618 pol_name = g_strdup("OpenUser handle");
620 dcerpc_smb_store_pol_name(&policy_hnd, pol_name);
624 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
631 samr_dissect_pointer_long(tvbuff_t *tvb, int offset,
632 packet_info *pinfo, proto_tree *tree,
637 di=pinfo->private_data;
638 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
644 samr_dissect_pointer_STRING(tvbuff_t *tvb, int offset,
645 packet_info *pinfo, proto_tree *tree,
650 di=pinfo->private_data;
651 if(di->conformant_run){
652 /*just a run to handle conformant arrays, nothing to dissect */
656 offset = dissect_ndr_nt_STRING(tvb, offset, pinfo, tree, drep,
662 samr_dissect_pointer_UNICODE_STRING(tvbuff_t *tvb, int offset,
663 packet_info *pinfo, proto_tree *tree,
668 di=pinfo->private_data;
669 if(di->conformant_run){
670 /*just a run to handle conformant arrays, nothing to dissect */
674 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
680 samr_dissect_pointer_short(tvbuff_t *tvb, int offset,
681 packet_info *pinfo, proto_tree *tree,
686 di=pinfo->private_data;
687 offset = dissect_ndr_uint16 (tvb, offset, pinfo, tree, drep,
694 samr_dissect_query_dispinfo_rqst(tvbuff_t *tvb, int offset,
695 packet_info *pinfo, proto_tree *tree,
701 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
702 hf_samr_hnd, NULL, FALSE, FALSE);
704 offset = dissect_ndr_uint16 (tvb, offset, pinfo, tree, drep,
705 hf_samr_level, &level);
706 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
707 hf_samr_start_idx, &start_idx);
708 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
709 hf_samr_max_entries, NULL);
710 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
711 hf_samr_pref_maxsize, NULL);
713 if (check_col(pinfo->cinfo, COL_INFO))
715 pinfo->cinfo, COL_INFO, ", level %d, start_idx %d",
722 samr_dissect_USER_DISPINFO_1(tvbuff_t *tvb, int offset,
723 packet_info *pinfo, proto_tree *parent_tree,
726 proto_item *item=NULL;
727 proto_tree *tree=NULL;
728 int old_offset=offset;
731 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
733 tree = proto_item_add_subtree(item, ett_samr_user_dispinfo_1);
736 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
737 hf_samr_index, NULL);
738 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
740 offset = dissect_ndr_nt_acct_ctrl(tvb, offset, pinfo, tree, drep);
741 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
742 hf_samr_acct_name, 0);
743 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
744 hf_samr_full_name, 0);
745 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
746 hf_samr_acct_desc, 0);
748 proto_item_set_len(item, offset-old_offset);
753 samr_dissect_USER_DISPINFO_1_ARRAY_users(tvbuff_t *tvb, int offset,
754 packet_info *pinfo, proto_tree *tree,
757 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
758 samr_dissect_USER_DISPINFO_1);
764 samr_dissect_USER_DISPINFO_1_ARRAY (tvbuff_t *tvb, int offset,
765 packet_info *pinfo, proto_tree *parent_tree,
769 proto_item *item=NULL;
770 proto_tree *tree=NULL;
771 int old_offset=offset;
774 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
775 "User_DispInfo_1 Array");
776 tree = proto_item_add_subtree(item, ett_samr_user_dispinfo_1_array);
780 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
781 hf_samr_count, &count);
782 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
783 samr_dissect_USER_DISPINFO_1_ARRAY_users, NDR_POINTER_PTR,
784 "USER_DISPINFO_1_ARRAY", -1);
786 proto_item_set_len(item, offset-old_offset);
793 samr_dissect_USER_DISPINFO_2(tvbuff_t *tvb, int offset,
794 packet_info *pinfo, proto_tree *parent_tree,
797 proto_item *item=NULL;
798 proto_tree *tree=NULL;
799 int old_offset=offset;
802 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
804 tree = proto_item_add_subtree(item, ett_samr_user_dispinfo_2);
807 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
808 hf_samr_index, NULL);
809 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
811 offset = dissect_ndr_nt_acct_ctrl(tvb, offset, pinfo, tree, drep);
812 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
813 hf_samr_acct_name, 0);
814 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
815 hf_samr_acct_desc, 0);
817 proto_item_set_len(item, offset-old_offset);
822 samr_dissect_USER_DISPINFO_2_ARRAY_users (tvbuff_t *tvb, int offset,
823 packet_info *pinfo, proto_tree *tree,
826 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
827 samr_dissect_USER_DISPINFO_2);
833 samr_dissect_USER_DISPINFO_2_ARRAY (tvbuff_t *tvb, int offset,
834 packet_info *pinfo, proto_tree *parent_tree,
838 proto_item *item=NULL;
839 proto_tree *tree=NULL;
840 int old_offset=offset;
843 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
844 "User_DispInfo_2 Array");
845 tree = proto_item_add_subtree(item, ett_samr_user_dispinfo_2_array);
849 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
850 hf_samr_count, &count);
851 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
852 samr_dissect_USER_DISPINFO_2_ARRAY_users, NDR_POINTER_PTR,
853 "USER_DISPINFO_2_ARRAY", -1);
855 proto_item_set_len(item, offset-old_offset);
864 samr_dissect_GROUP_DISPINFO(tvbuff_t *tvb, int offset,
865 packet_info *pinfo, proto_tree *parent_tree,
868 proto_item *item=NULL;
869 proto_tree *tree=NULL;
870 int old_offset=offset;
873 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
875 tree = proto_item_add_subtree(item, ett_samr_group_dispinfo);
879 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
880 hf_samr_index, NULL);
881 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
883 offset = dissect_ndr_nt_acct_ctrl(tvb, offset, pinfo, tree, drep);
884 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
885 hf_samr_acct_name, 0);
886 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
887 hf_samr_acct_desc, 0);
889 proto_item_set_len(item, offset-old_offset);
894 samr_dissect_GROUP_DISPINFO_ARRAY_groups(tvbuff_t *tvb, int offset,
895 packet_info *pinfo, proto_tree *tree,
898 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
899 samr_dissect_GROUP_DISPINFO);
905 samr_dissect_GROUP_DISPINFO_ARRAY(tvbuff_t *tvb, int offset,
906 packet_info *pinfo, proto_tree *parent_tree,
910 proto_item *item=NULL;
911 proto_tree *tree=NULL;
912 int old_offset=offset;
915 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
916 "Group_DispInfo Array");
917 tree = proto_item_add_subtree(item, ett_samr_group_dispinfo_array);
920 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
921 hf_samr_count, &count);
922 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
923 samr_dissect_GROUP_DISPINFO_ARRAY_groups, NDR_POINTER_PTR,
924 "GROUP_DISPINFO_ARRAY", -1);
926 proto_item_set_len(item, offset-old_offset);
933 samr_dissect_ASCII_DISPINFO(tvbuff_t *tvb, int offset,
934 packet_info *pinfo, proto_tree *parent_tree,
937 proto_item *item=NULL;
938 proto_tree *tree=NULL;
939 int old_offset=offset;
942 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
944 tree = proto_item_add_subtree(item, ett_samr_ascii_dispinfo);
948 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
949 hf_samr_index, NULL);
950 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
952 offset = dissect_ndr_nt_acct_ctrl(tvb, offset, pinfo, tree, drep);
953 offset = dissect_ndr_nt_STRING(tvb, offset, pinfo, tree, drep,
955 offset = dissect_ndr_nt_STRING(tvb, offset, pinfo, tree, drep,
958 proto_item_set_len(item, offset-old_offset);
963 samr_dissect_ASCII_DISPINFO_ARRAY_users(tvbuff_t *tvb, int offset,
964 packet_info *pinfo, proto_tree *tree,
967 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
968 samr_dissect_ASCII_DISPINFO);
974 samr_dissect_ASCII_DISPINFO_ARRAY(tvbuff_t *tvb, int offset,
975 packet_info *pinfo, proto_tree *parent_tree,
979 proto_item *item=NULL;
980 proto_tree *tree=NULL;
981 int old_offset=offset;
984 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
985 "Ascii_DispInfo Array");
986 tree = proto_item_add_subtree(item, ett_samr_ascii_dispinfo_array);
989 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
990 hf_samr_count, &count);
991 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
992 samr_dissect_ASCII_DISPINFO_ARRAY_users, NDR_POINTER_PTR,
993 "ACSII_DISPINFO_ARRAY", -1);
995 proto_item_set_len(item, offset-old_offset);
1001 samr_dissect_DISPLAY_INFO (tvbuff_t *tvb, int offset,
1002 packet_info *pinfo, proto_tree *parent_tree,
1005 proto_item *item=NULL;
1006 proto_tree *tree=NULL;
1007 int old_offset=offset;
1011 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
1013 tree = proto_item_add_subtree(item, ett_samr_display_info);
1016 offset = dissect_ndr_uint16 (tvb, offset, pinfo, tree, drep,
1017 hf_samr_level, &level);
1020 offset = samr_dissect_USER_DISPINFO_1_ARRAY(
1021 tvb, offset, pinfo, tree, drep);
1024 offset = samr_dissect_USER_DISPINFO_2_ARRAY(
1025 tvb, offset, pinfo, tree, drep);
1028 offset = samr_dissect_GROUP_DISPINFO_ARRAY(
1029 tvb, offset, pinfo, tree, drep);
1032 offset = samr_dissect_ASCII_DISPINFO_ARRAY(
1033 tvb, offset, pinfo, tree, drep);
1036 offset = samr_dissect_ASCII_DISPINFO_ARRAY(
1037 tvb, offset, pinfo, tree, drep);
1041 proto_item_set_len(item, offset-old_offset);
1046 samr_dissect_query_dispinfo_reply(tvbuff_t *tvb, int offset,
1047 packet_info *pinfo, proto_tree *tree,
1050 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1051 samr_dissect_pointer_long, NDR_POINTER_REF,
1052 "Total Size", hf_samr_total_size);
1053 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1054 samr_dissect_pointer_long, NDR_POINTER_REF,
1055 "Returned Size", hf_samr_ret_size);
1056 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1057 samr_dissect_DISPLAY_INFO, NDR_POINTER_REF,
1058 "DISPLAY_INFO:", -1);
1059 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1066 samr_dissect_get_display_enumeration_index_rqst(tvbuff_t *tvb, int offset,
1073 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
1074 hf_samr_hnd, NULL, FALSE, FALSE);
1076 offset = dissect_ndr_uint16 (tvb, offset, pinfo, tree, drep,
1077 hf_samr_level, &level);
1079 if (check_col(pinfo->cinfo, COL_INFO))
1080 col_append_fstr(pinfo->cinfo, COL_INFO, ", level %d", level);
1082 offset = dissect_ndr_nt_STRING(tvb, offset, pinfo, tree, drep,
1089 samr_dissect_get_display_enumeration_index_reply(tvbuff_t *tvb, int offset,
1090 packet_info *pinfo, proto_tree *tree,
1093 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1094 samr_dissect_pointer_long, NDR_POINTER_REF,
1095 "Index", hf_samr_index);
1097 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1107 samr_dissect_PASSWORD_INFO(tvbuff_t *tvb, int offset,
1108 packet_info *pinfo, proto_tree *parent_tree,
1111 proto_item *item=NULL;
1112 proto_tree *tree=NULL;
1113 int old_offset=offset;
1115 ALIGN_TO_4_BYTES; /* strcture starts with short, but is aligned for longs */
1118 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
1120 tree = proto_item_add_subtree(item, ett_samr_password_info);
1124 offset = dissect_ndr_uint16 (tvb, offset, pinfo, tree, drep,
1125 hf_samr_unknown_short, NULL);
1126 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
1127 hf_samr_unknown_long, NULL);
1129 proto_item_set_len(item, offset-old_offset);
1134 samr_dissect_get_usrdom_pwinfo_rqst(tvbuff_t *tvb, int offset,
1135 packet_info *pinfo, proto_tree *tree,
1138 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
1139 hf_samr_hnd, NULL, FALSE, FALSE);
1145 samr_dissect_get_usrdom_pwinfo_reply(tvbuff_t *tvb, int offset,
1146 packet_info *pinfo, proto_tree *tree,
1149 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1150 samr_dissect_PASSWORD_INFO, NDR_POINTER_REF,
1151 "PASSWORD_INFO:", -1);
1153 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1159 samr_dissect_connect2_rqst(tvbuff_t *tvb, int offset,
1160 packet_info *pinfo, proto_tree *tree,
1163 offset = dissect_ndr_pointer_cb(
1164 tvb, offset, pinfo, tree, drep,
1165 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
1166 "Server", hf_samr_server, cb_str_postprocess,
1167 GINT_TO_POINTER(CB_STR_COL_INFO | CB_STR_SAVE | 1));
1169 offset = dissect_nt_access_mask(
1170 tvb, offset, pinfo, tree, drep, hf_samr_access,
1171 specific_rights_connect);
1177 samr_dissect_connect4_rqst(tvbuff_t *tvb, int offset,
1178 packet_info *pinfo, proto_tree *tree,
1181 offset = dissect_ndr_pointer_cb(
1182 tvb, offset, pinfo, tree, drep,
1183 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
1184 "Server", hf_samr_server, cb_str_postprocess,
1185 GINT_TO_POINTER(CB_STR_COL_INFO | 1));
1187 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
1188 hf_samr_unknown_long, NULL);
1190 offset = dissect_nt_access_mask(
1191 tvb, offset, pinfo, tree, drep, hf_samr_access,
1192 specific_rights_connect);
1198 samr_dissect_connect2_reply(tvbuff_t *tvb, int offset,
1199 packet_info *pinfo, proto_tree *tree,
1202 dcerpc_info *di = (dcerpc_info *)pinfo->private_data;
1203 dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
1204 e_ctx_hnd policy_hnd;
1205 char *server = (char *)dcv->private_data, *pol_name;
1207 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
1208 hf_samr_hnd, &policy_hnd, TRUE, FALSE);
1211 pol_name = g_strdup_printf("Connect2, %s", server);
1213 pol_name = g_strdup("Connect2 handle");
1215 dcerpc_smb_store_pol_name(&policy_hnd, pol_name);
1219 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1225 samr_dissect_connect_anon_rqst(tvbuff_t *tvb, int offset,
1226 packet_info *pinfo, proto_tree *tree,
1232 offset=dissect_ndr_uint16(tvb, offset, pinfo, NULL, drep,
1233 hf_samr_server, &server);
1236 proto_tree_add_string_format(tree, hf_samr_server, tvb, offset-2, 2,
1237 str, "Server: %s", str);
1243 samr_dissect_connect_anon_reply(tvbuff_t *tvb, int offset,
1244 packet_info *pinfo, proto_tree *tree,
1247 e_ctx_hnd policy_hnd;
1249 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
1250 hf_samr_hnd, &policy_hnd, TRUE, FALSE);
1252 dcerpc_smb_store_pol_name(&policy_hnd, "ConnectAnon handle");
1254 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1261 samr_dissect_USER_GROUP(tvbuff_t *tvb, int offset,
1262 packet_info *pinfo, proto_tree *parent_tree,
1265 proto_item *item=NULL;
1266 proto_tree *tree=NULL;
1267 int old_offset=offset;
1270 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
1272 tree = proto_item_add_subtree(item, ett_samr_user_group);
1275 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
1277 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
1278 hf_samr_rid_attrib, NULL);
1280 proto_item_set_len(item, offset-old_offset);
1285 samr_dissect_USER_GROUP_ARRAY_groups (tvbuff_t *tvb, int offset,
1286 packet_info *pinfo, proto_tree *tree,
1289 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
1290 samr_dissect_USER_GROUP);
1296 samr_dissect_USER_GROUP_ARRAY(tvbuff_t *tvb, int offset,
1297 packet_info *pinfo, proto_tree *parent_tree,
1301 proto_item *item=NULL;
1302 proto_tree *tree=NULL;
1303 int old_offset=offset;
1306 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
1307 "USER_GROUP_ARRAY");
1308 tree = proto_item_add_subtree(item, ett_samr_user_group_array);
1311 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
1312 hf_samr_count, &count);
1313 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1314 samr_dissect_USER_GROUP_ARRAY_groups, NDR_POINTER_UNIQUE,
1315 "USER_GROUP_ARRAY", -1);
1317 proto_item_set_len(item, offset-old_offset);
1322 samr_dissect_USER_GROUP_ARRAY_ptr(tvbuff_t *tvb, int offset,
1323 packet_info *pinfo, proto_tree *tree,
1326 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1327 samr_dissect_USER_GROUP_ARRAY, NDR_POINTER_UNIQUE,
1328 "USER_GROUP_ARRAY", -1);
1333 samr_dissect_get_groups_for_user_rqst(tvbuff_t *tvb, int offset,
1334 packet_info *pinfo, proto_tree *tree,
1337 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
1338 hf_samr_hnd, NULL, FALSE, FALSE);
1344 samr_dissect_get_groups_for_user_reply(tvbuff_t *tvb, int offset,
1345 packet_info *pinfo, proto_tree *tree,
1348 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1349 samr_dissect_USER_GROUP_ARRAY_ptr, NDR_POINTER_REF,
1350 "USER_GROUP_ARRAY:", -1);
1352 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1358 static void append_sid_col_info(packet_info *pinfo, proto_tree *tree _U_,
1359 proto_item *item _U_, tvbuff_t *tvb _U_,
1360 int start_offset _U_, int end_offset _U_,
1361 void *callback_args _U_)
1363 dcerpc_info *di = (dcerpc_info *)pinfo->private_data;
1364 dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
1365 char *sid_str = dcv->private_data;
1367 if (sid_str && check_col(pinfo->cinfo, COL_INFO))
1368 col_append_fstr(pinfo->cinfo, COL_INFO, ", %s", sid_str);
1372 samr_dissect_open_domain_rqst(tvbuff_t *tvb, int offset,
1373 packet_info *pinfo, proto_tree *tree,
1376 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
1377 hf_samr_hnd, NULL, FALSE, FALSE);
1379 offset = dissect_nt_access_mask(
1380 tvb, offset, pinfo, tree, drep, hf_samr_access,
1381 specific_rights_domain);
1383 offset = dissect_ndr_pointer_cb(
1384 tvb, offset, pinfo, tree, drep, dissect_ndr_nt_SID,
1385 NDR_POINTER_REF, "SID:", -1, append_sid_col_info, NULL);
1391 samr_dissect_open_domain_reply(tvbuff_t *tvb, int offset,
1392 packet_info *pinfo, proto_tree *tree,
1395 dcerpc_info *di = (dcerpc_info *)pinfo->private_data;
1396 dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
1397 e_ctx_hnd policy_hnd;
1398 char *pol_name, *sid_str = (char *)dcv->private_data;
1400 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
1401 hf_samr_hnd, &policy_hnd, TRUE, FALSE);
1404 pol_name = g_strdup_printf("OpenDomain, %s", sid_str);
1406 pol_name = g_strdup("OpenDomain handle");
1408 dcerpc_smb_store_pol_name(&policy_hnd, pol_name);
1412 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1420 samr_dissect_context_handle_SID(tvbuff_t *tvb, int offset,
1421 packet_info *pinfo, proto_tree *tree,
1424 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
1425 hf_samr_hnd, NULL, FALSE, FALSE);
1427 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1428 dissect_ndr_nt_SID, NDR_POINTER_REF,
1435 samr_dissect_add_member_to_group_rqst(tvbuff_t *tvb, int offset,
1436 packet_info *pinfo, proto_tree *tree,
1439 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
1440 hf_samr_hnd, NULL, FALSE, FALSE);
1442 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
1443 hf_samr_group, NULL);
1445 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
1452 samr_dissect_add_member_to_group_reply(tvbuff_t *tvb, int offset,
1453 packet_info *pinfo, proto_tree *tree,
1456 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1463 samr_dissect_unknown_3c_rqst(tvbuff_t *tvb, int offset,
1464 packet_info *pinfo, proto_tree *tree,
1467 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
1468 hf_samr_hnd, NULL, FALSE, FALSE);
1474 samr_dissect_unknown_3c_reply(tvbuff_t *tvb, int offset,
1475 packet_info *pinfo, proto_tree *tree,
1478 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1479 samr_dissect_pointer_short, NDR_POINTER_REF,
1480 "unknown short", hf_samr_unknown_short);
1482 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1488 samr_dissect_create_alias_in_domain_rqst(tvbuff_t *tvb, int offset,
1489 packet_info *pinfo, proto_tree *tree,
1492 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
1493 hf_samr_hnd, NULL, FALSE, FALSE);
1495 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1496 samr_dissect_pointer_UNICODE_STRING, NDR_POINTER_REF,
1497 "Account Name", hf_samr_acct_name);
1499 offset = dissect_nt_access_mask(
1500 tvb, offset, pinfo, tree, drep, hf_samr_access,
1501 specific_rights_alias);
1507 samr_dissect_create_alias_in_domain_reply(tvbuff_t *tvb, int offset,
1508 packet_info *pinfo, proto_tree *tree,
1511 e_ctx_hnd policy_hnd;
1513 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
1514 hf_samr_hnd, &policy_hnd, TRUE, FALSE);
1516 dcerpc_smb_store_pol_name(&policy_hnd, "CreateAlias handle");
1518 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
1521 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1528 samr_dissect_query_information_alias_rqst(tvbuff_t *tvb, int offset,
1530 proto_tree *tree, char *drep)
1534 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
1535 hf_samr_hnd, NULL, FALSE, FALSE);
1537 offset = dissect_ndr_uint16 (tvb, offset, pinfo, tree, drep,
1538 hf_samr_level, &level);
1540 if (check_col(pinfo->cinfo, COL_INFO))
1541 col_append_fstr(pinfo->cinfo, COL_INFO, ", level %d", level);
1547 samr_dissect_ALIAS_INFO_1 (tvbuff_t *tvb, int offset,
1548 packet_info *pinfo, proto_tree *tree,
1551 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo,
1552 tree, drep, hf_samr_acct_name, 0);
1553 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
1555 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo,
1556 tree, drep, hf_samr_acct_desc, 0);
1561 samr_dissect_ALIAS_INFO(tvbuff_t *tvb, int offset,
1562 packet_info *pinfo, proto_tree *parent_tree,
1565 proto_item *item=NULL;
1566 proto_tree *tree=NULL;
1567 int old_offset=offset;
1571 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
1573 tree = proto_item_add_subtree(item, ett_samr_alias_info);
1576 offset = dissect_ndr_uint16 (tvb, offset, pinfo, tree, drep,
1577 hf_samr_level, &level);
1580 offset = samr_dissect_ALIAS_INFO_1(
1581 tvb, offset, pinfo, tree, drep);
1584 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo,
1585 tree, drep, hf_samr_acct_name, 0);
1588 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo,
1589 tree, drep, hf_samr_acct_desc, 0);
1593 proto_item_set_len(item, offset-old_offset);
1598 samr_dissect_ALIAS_INFO_ptr(tvbuff_t *tvb, int offset,
1599 packet_info *pinfo, proto_tree *tree,
1602 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1603 samr_dissect_ALIAS_INFO, NDR_POINTER_UNIQUE,
1609 samr_dissect_query_information_alias_reply(tvbuff_t *tvb, int offset,
1611 proto_tree *tree, char *drep)
1613 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1614 samr_dissect_ALIAS_INFO_ptr, NDR_POINTER_REF,
1617 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1624 samr_dissect_set_information_alias_rqst(tvbuff_t *tvb, int offset,
1625 packet_info *pinfo, proto_tree *tree,
1630 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
1631 hf_samr_hnd, NULL, FALSE, FALSE);
1633 offset = dissect_ndr_uint16 (tvb, offset, pinfo, tree, drep,
1634 hf_samr_level, &level);
1636 if (check_col(pinfo->cinfo, COL_INFO))
1637 col_append_fstr(pinfo->cinfo, COL_INFO, ", level %d", level);
1639 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1640 samr_dissect_ALIAS_INFO, NDR_POINTER_REF,
1646 samr_dissect_set_information_alias_reply(tvbuff_t *tvb, int offset,
1647 packet_info *pinfo, proto_tree *tree,
1650 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1651 samr_dissect_ALIAS_INFO_ptr, NDR_POINTER_REF,
1654 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1660 samr_dissect_CRYPT_PASSWORD(tvbuff_t *tvb, int offset,
1661 packet_info *pinfo _U_, proto_tree *tree,
1666 di=pinfo->private_data;
1667 if(di->conformant_run){
1668 /* just a run to handle conformant arrays, no scalars to dissect */
1672 proto_tree_add_item(tree, hf_samr_crypt_password, tvb, offset, 516,
1679 samr_dissect_CRYPT_HASH(tvbuff_t *tvb, int offset,
1680 packet_info *pinfo _U_, proto_tree *tree,
1685 di=pinfo->private_data;
1686 if(di->conformant_run){
1687 /* just a run to handle conformant arrays, no scalars to dissect */
1691 proto_tree_add_item(tree, hf_samr_crypt_hash, tvb, offset, 16,
1697 #define NT_BLOCK_SIZE 516
1700 samr_dissect_decrypted_NT_PASSCHANGE_BLOCK(tvbuff_t *tvb, int offset,
1701 packet_info *pinfo _U_, proto_tree *tree,
1704 guint32 new_password_len = 0;
1705 guint32 pseudorandom_len = 0;
1706 const char *printable_password;
1710 /* The length of the new password is represented in the last four
1711 octets of the decrypted buffer. Since the password length cannot
1712 exceed 512, we can check the contents of those bytes to determine
1713 if decryption was successful. If the decrypted contents of those
1714 four bytes is less than 512, then there is a 99% chance that
1715 we decrypted the buffer successfully. Of course, this isn't good
1716 enough for a security application, (NT uses the "verifier" field
1717 to come to the same conclusion), but it should be good enough for
1720 new_password_len = tvb_get_letohl(tvb, 512);
1722 if (new_password_len <= 512)
1724 /* Decryption successful */
1725 proto_tree_add_text (tree, tvb, offset, -1,
1726 "Decryption of NT Password Encrypted block successful");
1728 /* Whatever is before the password is pseudorandom data. We calculate
1729 the length by examining the password length (at the end), and working
1731 pseudorandom_len = NT_BLOCK_SIZE - new_password_len - 4;
1733 /* Pseudorandom data padding up to password */
1734 proto_tree_add_item(tree, hf_samr_nt_passchange_block_pseudorandom,
1735 tvb, offset, pseudorandom_len, TRUE);
1736 offset += pseudorandom_len;
1738 /* The new password itself */
1739 bc = new_password_len;
1740 printable_password = get_unicode_or_ascii_string(tvb, &offset,
1744 proto_tree_add_string(tree, hf_samr_nt_passchange_block_newpass,
1745 tvb, offset, result_length,
1746 printable_password);
1747 offset += new_password_len;
1749 /* Length of password */
1750 proto_tree_add_item(tree, hf_samr_nt_passchange_block_newpass_len,
1751 tvb, offset, 4, TRUE);
1755 /* Decryption failure. Just show the encrypted block */
1756 proto_tree_add_text (tree, tvb, offset, -1,
1757 "Decryption of NT Passchange block failed");
1759 proto_tree_add_item(tree, hf_samr_nt_passchange_block_decrypted, tvb,
1760 offset, NT_BLOCK_SIZE, TRUE);
1765 samr_dissect_NT_PASSCHANGE_BLOCK(tvbuff_t *tvb, int offset,
1766 packet_info *pinfo _U_, proto_tree *tree,
1770 size_t password_len;
1771 unsigned char *password_unicode;
1772 size_t password_len_unicode;
1773 unsigned char password_md4_hash[16];
1775 tvbuff_t *decr_tvb; /* Used to store decrypted buffer */
1776 rc4_state_struct rc4_state;
1779 /* This implements the the algorithm discussed in lkcl -"DCE/RPC
1780 over SMB" page 257. Note that this code does not properly support
1783 di=pinfo->private_data;
1784 if(di->conformant_run){
1785 /* just a run to handle conformant arrays, no scalars to dissect */
1789 /* Put in a protocol tree entry for the encrypted block. */
1790 proto_tree_add_text(tree, tvb, offset, NT_BLOCK_SIZE,
1791 "Encrypted NT Password Block");
1793 if (nt_password != NULL) {
1794 /* We have an NT password, so we can decrypt the password
1797 /* Convert the password provided in the Ethereal GUI to Unicode
1798 (UCS-2). Since the input is always ASCII, we can just fake
1799 it and pad every other byte with a NUL. If we ever support
1800 UTF-8 in the GUI, we would have to perform a real UTF-8 to
1802 password_len = strlen(nt_password);
1803 password_len_unicode = password_len*2;
1804 password_unicode = g_malloc(password_len_unicode);
1805 for (i = 0; i < password_len; i++) {
1806 password_unicode[i*2] = nt_password[i];
1807 password_unicode[i*2+1] = 0;
1810 /* Run MD4 against the resulting Unicode password. This will
1811 be used to perform RC4 decryption on the password change
1812 block. Then free the Unicode password, as we're done
1814 crypt_md4(password_md4_hash, password_unicode,
1815 password_len_unicode);
1816 g_free(password_unicode);
1818 /* Copy the block into a temporary buffer so we can decrypt
1820 block = g_malloc(NT_BLOCK_SIZE);
1821 memset(block, 0, NT_BLOCK_SIZE);
1822 tvb_memcpy(tvb, block, offset, NT_BLOCK_SIZE);
1824 /* RC4 decrypt the block with the old NT password hash */
1825 crypt_rc4_init(&rc4_state, password_md4_hash, 16);
1826 crypt_rc4(&rc4_state, block, NT_BLOCK_SIZE);
1828 /* Show the decrypted buffer in a new window */
1829 decr_tvb = tvb_new_real_data(block, NT_BLOCK_SIZE,
1831 tvb_set_free_cb(decr_tvb, g_free);
1832 tvb_set_child_real_data_tvbuff(tvb, decr_tvb);
1833 add_new_data_source(pinfo, decr_tvb,
1834 "Decrypted NT Password Block");
1836 /* Dissect the decrypted block */
1837 samr_dissect_decrypted_NT_PASSCHANGE_BLOCK(decr_tvb, 0, pinfo,
1840 offset += NT_BLOCK_SIZE;
1845 samr_dissect_LM_PASSCHANGE_BLOCK(tvbuff_t *tvb, int offset,
1846 packet_info *pinfo _U_, proto_tree *tree,
1851 /* Right now, this just dumps the output. In the long term, we can use
1852 the algorithm discussed in lkcl -"DCE/RPC over SMB" page 257 to
1853 actually decrypt the block */
1855 di=pinfo->private_data;
1856 if(di->conformant_run){
1857 /* just a run to handle conformant arrays, no scalars to dissect */
1861 proto_tree_add_item(tree, hf_samr_lm_passchange_block, tvb, offset,
1868 samr_dissect_LM_VERIFIER(tvbuff_t *tvb, int offset,
1869 packet_info *pinfo _U_, proto_tree *tree,
1874 /* Right now, this just dumps the output. In the long term, we can use
1875 the algorithm discussed in lkcl -"DCE/RPC over SMB" page 257 to
1876 actually validate the verifier */
1878 di=pinfo->private_data;
1879 if(di->conformant_run){
1880 /* just a run to handle conformant arrays, no scalars to dissect */
1884 proto_tree_add_item(tree, hf_samr_lm_verifier, tvb, offset, 16,
1892 samr_dissect_NT_VERIFIER(tvbuff_t *tvb, int offset,
1893 packet_info *pinfo _U_, proto_tree *tree,
1898 /* Right now, this just dumps the output. In the long term, we can use
1899 the algorithm discussed in lkcl -"DCE/RPC over SMB" page 257 to
1900 actually validate the verifier */
1902 di=pinfo->private_data;
1903 if(di->conformant_run){
1904 /* just a run to handle conformant arrays, no scalars to dissect */
1908 proto_tree_add_item(tree, hf_samr_nt_verifier, tvb, offset, 16,
1916 samr_dissect_oem_change_password_user2_rqst(tvbuff_t *tvb, int offset,
1918 proto_tree *tree, char *drep)
1920 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
1921 hf_samr_hnd, NULL, FALSE, FALSE);
1923 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1924 samr_dissect_pointer_STRING, NDR_POINTER_UNIQUE,
1925 "Server", hf_samr_server);
1927 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1928 samr_dissect_pointer_STRING, NDR_POINTER_REF,
1929 "Account Name", hf_samr_acct_name);
1931 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1932 samr_dissect_CRYPT_PASSWORD, NDR_POINTER_UNIQUE,
1935 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1936 samr_dissect_CRYPT_HASH, NDR_POINTER_UNIQUE,
1942 samr_dissect_oem_change_password_user2_reply(tvbuff_t *tvb, int offset,
1944 proto_tree *tree, char *drep)
1946 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1953 samr_dissect_unicode_change_password_user2_rqst(tvbuff_t *tvb, int offset,
1955 proto_tree *tree, char *drep)
1957 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1958 samr_dissect_PASSWORD_INFO, NDR_POINTER_REF,
1959 "PASSWORD_INFO:", -1);
1961 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1962 NDR_POINTER_UNIQUE, "Server", hf_samr_server, 0);
1964 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1965 samr_dissect_pointer_UNICODE_STRING, NDR_POINTER_REF,
1966 "Account Name:", hf_samr_acct_name);
1968 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1969 samr_dissect_NT_PASSCHANGE_BLOCK, NDR_POINTER_UNIQUE,
1970 "New NT Password Encrypted Block", -1);
1971 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1972 samr_dissect_NT_VERIFIER, NDR_POINTER_UNIQUE,
1973 "NT Password Verifier", -1);
1974 offset = dissect_ndr_uint8 (tvb, offset, pinfo, tree, drep,
1975 hf_samr_lm_change, NULL);
1976 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1977 samr_dissect_LM_PASSCHANGE_BLOCK, NDR_POINTER_UNIQUE,
1978 "New Lan Manager Password Encrypted Block", -1);
1979 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1980 samr_dissect_LM_VERIFIER, NDR_POINTER_UNIQUE,
1981 "Lan Manager Password Verifier", -1);
1986 samr_dissect_unicode_change_password_user2_reply(tvbuff_t *tvb, int offset,
1988 proto_tree *tree, char *drep)
1990 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1997 samr_dissect_unknown_3b_rqst(tvbuff_t *tvb, int offset,
1998 packet_info *pinfo, proto_tree *tree,
2001 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
2002 hf_samr_hnd, NULL, FALSE, FALSE);
2004 offset = dissect_ndr_uint16 (tvb, offset, pinfo, tree, drep,
2005 hf_samr_unknown_short, NULL);
2006 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2007 samr_dissect_pointer_UNICODE_STRING, NDR_POINTER_UNIQUE,
2008 "Unknown", hf_samr_unknown_string);
2009 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2010 samr_dissect_pointer_UNICODE_STRING, NDR_POINTER_UNIQUE,
2011 "Unknown", hf_samr_unknown_string);
2016 samr_dissect_unknown_3b_reply(tvbuff_t *tvb, int offset,
2017 packet_info *pinfo, proto_tree *tree,
2020 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
2027 samr_dissect_create_user2_in_domain_rqst(tvbuff_t *tvb, int offset,
2028 packet_info *pinfo, proto_tree *tree,
2031 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
2032 hf_samr_hnd, NULL, FALSE, FALSE);
2034 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2035 samr_dissect_pointer_UNICODE_STRING, NDR_POINTER_REF,
2036 "Account Name", hf_samr_acct_name);
2038 offset = dissect_ndr_nt_acct_ctrl(tvb, offset, pinfo, tree, drep);
2040 offset = dissect_nt_access_mask(
2041 tvb, offset, pinfo, tree, drep, hf_samr_access,
2042 specific_rights_user);
2048 samr_dissect_create_user2_in_domain_reply(tvbuff_t *tvb, int offset,
2049 packet_info *pinfo, proto_tree *tree,
2052 e_ctx_hnd policy_hnd;
2054 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
2055 hf_samr_hnd, &policy_hnd, TRUE, FALSE);
2057 dcerpc_smb_store_pol_name(&policy_hnd, "CreateUser2 handle");
2059 offset = dissect_nt_access_mask(
2060 tvb, offset, pinfo, tree, drep, hf_samr_access_granted,
2061 specific_rights_user);
2063 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2066 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
2072 samr_dissect_get_display_enumeration_index2_rqst(tvbuff_t *tvb, int offset,
2074 proto_tree *tree, char *drep)
2076 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
2077 hf_samr_hnd, NULL, FALSE, FALSE);
2079 offset = dissect_ndr_uint16 (tvb, offset, pinfo, tree, drep,
2080 hf_samr_level, NULL);
2081 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2082 samr_dissect_pointer_UNICODE_STRING, NDR_POINTER_REF,
2083 "Account Name", hf_samr_acct_name);
2088 samr_dissect_get_display_enumeration_index2_reply(tvbuff_t *tvb, int offset,
2089 packet_info *pinfo, proto_tree *tree,
2092 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2093 hf_samr_index, NULL);
2095 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
2101 samr_dissect_change_password_user_rqst(tvbuff_t *tvb, int offset,
2102 packet_info *pinfo, proto_tree *tree,
2105 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
2106 hf_samr_hnd, NULL, FALSE, FALSE);
2108 offset = dissect_ndr_uint8 (tvb, offset, pinfo, tree, drep,
2109 hf_samr_unknown_char, NULL);
2110 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2111 samr_dissect_CRYPT_HASH, NDR_POINTER_UNIQUE,
2113 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2114 samr_dissect_CRYPT_HASH, NDR_POINTER_UNIQUE,
2116 offset = dissect_ndr_uint8 (tvb, offset, pinfo, tree, drep,
2117 hf_samr_unknown_char, NULL);
2118 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2119 samr_dissect_CRYPT_HASH, NDR_POINTER_UNIQUE,
2121 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2122 samr_dissect_CRYPT_HASH, NDR_POINTER_UNIQUE,
2124 offset = dissect_ndr_uint8 (tvb, offset, pinfo, tree, drep,
2125 hf_samr_unknown_char, NULL);
2126 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2127 samr_dissect_CRYPT_HASH, NDR_POINTER_UNIQUE,
2129 offset = dissect_ndr_uint8 (tvb, offset, pinfo, tree, drep,
2130 hf_samr_unknown_char, NULL);
2131 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2132 samr_dissect_CRYPT_HASH, NDR_POINTER_UNIQUE,
2139 samr_dissect_change_password_user_reply(tvbuff_t *tvb, int offset,
2140 packet_info *pinfo, proto_tree *tree,
2143 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
2150 samr_dissect_set_member_attributes_of_group_rqst(tvbuff_t *tvb, int offset,
2152 proto_tree *tree, char *drep)
2154 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
2155 hf_samr_hnd, NULL, FALSE, FALSE);
2157 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2158 hf_samr_attrib, NULL);
2163 samr_dissect_set_member_attributes_of_group_reply(tvbuff_t *tvb, int offset,
2164 packet_info *pinfo, proto_tree *tree,
2167 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
2174 samr_dissect_GROUP_INFO_1 (tvbuff_t *tvb, int offset,
2175 packet_info *pinfo, proto_tree *tree,
2178 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo,
2179 tree, drep, hf_samr_acct_name, 0);
2180 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2182 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2183 hf_samr_attrib, NULL);
2184 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo,
2185 tree, drep, hf_samr_acct_desc, 0);
2190 samr_dissect_GROUP_INFO(tvbuff_t *tvb, int offset,
2191 packet_info *pinfo, proto_tree *parent_tree,
2194 proto_item *item=NULL;
2195 proto_tree *tree=NULL;
2196 int old_offset=offset;
2200 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
2202 tree = proto_item_add_subtree(item, ett_samr_group_info);
2205 offset = dissect_ndr_uint16 (tvb, offset, pinfo, tree, drep,
2206 hf_samr_level, &level);
2209 offset = samr_dissect_GROUP_INFO_1(
2210 tvb, offset, pinfo, tree, drep);
2213 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo,
2214 tree, drep, hf_samr_acct_name, 0);
2217 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2218 hf_samr_attrib, NULL);
2221 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo,
2222 tree, drep, hf_samr_acct_desc, 0);
2226 proto_item_set_len(item, offset-old_offset);
2231 samr_dissect_GROUP_INFO_ptr(tvbuff_t *tvb, int offset,
2232 packet_info *pinfo, proto_tree *tree,
2235 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2236 samr_dissect_GROUP_INFO, NDR_POINTER_UNIQUE,
2242 samr_dissect_query_information_group_rqst(tvbuff_t *tvb, int offset,
2244 proto_tree *tree, char *drep)
2246 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
2247 hf_samr_hnd, NULL, FALSE, FALSE);
2249 offset = dissect_ndr_uint16 (tvb, offset, pinfo, tree, drep,
2250 hf_samr_level, NULL);
2256 samr_dissect_query_information_group_reply(tvbuff_t *tvb, int offset,
2257 packet_info *pinfo, proto_tree *tree,
2260 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2261 samr_dissect_GROUP_INFO_ptr, NDR_POINTER_REF,
2264 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
2270 samr_dissect_set_information_group_rqst(tvbuff_t *tvb, int offset,
2271 packet_info *pinfo, proto_tree *tree,
2276 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
2277 hf_samr_hnd, NULL, FALSE, FALSE);
2279 offset = dissect_ndr_uint16 (tvb, offset, pinfo, tree, drep,
2280 hf_samr_level, &level);
2282 if (check_col(pinfo->cinfo, COL_INFO))
2283 col_append_fstr(pinfo->cinfo, COL_INFO, ", level %d", level);
2285 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2286 samr_dissect_GROUP_INFO, NDR_POINTER_REF,
2292 samr_dissect_set_information_group_reply(tvbuff_t *tvb, int offset,
2293 packet_info *pinfo, proto_tree *tree,
2296 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
2303 samr_dissect_get_domain_password_information_rqst(tvbuff_t *tvb, int offset,
2308 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2309 samr_dissect_PASSWORD_INFO, NDR_POINTER_REF,
2310 "PASSWORD_INFO:", -1);
2312 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
2313 NDR_POINTER_UNIQUE, "Domain", hf_samr_domain, 0);
2319 samr_dissect_get_domain_password_information_reply(tvbuff_t *tvb, int offset,
2324 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2325 samr_dissect_PASSWORD_INFO, NDR_POINTER_REF,
2326 "PASSWORD_INFO:", -1);
2328 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
2335 samr_dissect_DOMAIN_INFO_1(tvbuff_t *tvb, int offset,
2336 packet_info *pinfo, proto_tree *parent_tree,
2339 proto_item *item=NULL;
2340 proto_tree *tree=NULL;
2341 int old_offset=offset;
2343 ALIGN_TO_4_BYTES; /* strcture starts with short, but is aligned for longs */
2346 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
2348 tree = proto_item_add_subtree(item, ett_samr_domain_info_1);
2351 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2352 hf_samr_min_pwd_len, NULL);
2353 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2354 hf_samr_pwd_history_len, NULL);
2355 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2356 hf_samr_unknown_long, NULL);
2357 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2358 hf_samr_max_pwd_age);
2359 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2360 hf_samr_min_pwd_age);
2361 proto_item_set_len(item, offset-old_offset);
2366 samr_dissect_DOMAIN_INFO_2(tvbuff_t *tvb, int offset,
2367 packet_info *pinfo, proto_tree *parent_tree,
2370 proto_item *item=NULL;
2371 proto_tree *tree=NULL;
2372 int old_offset=offset;
2375 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
2377 tree = proto_item_add_subtree(item, ett_samr_domain_info_2);
2380 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2381 hf_samr_unknown_time);
2382 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2383 hf_samr_unknown_string, 0);
2384 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2386 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2387 hf_samr_controller, 0);
2388 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2389 hf_samr_unknown_time);
2390 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2391 hf_samr_unknown_long, NULL);
2392 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2393 hf_samr_unknown_long, NULL);
2394 offset = dissect_ndr_uint8 (tvb, offset, pinfo, tree, drep,
2395 hf_samr_unknown_char, NULL);
2396 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2397 hf_samr_num_users, NULL);
2398 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2399 hf_samr_num_groups, NULL);
2400 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2401 hf_samr_num_aliases, NULL);
2403 proto_item_set_len(item, offset-old_offset);
2408 samr_dissect_DOMAIN_INFO_8(tvbuff_t *tvb, int offset,
2409 packet_info *pinfo, proto_tree *parent_tree,
2412 proto_item *item=NULL;
2413 proto_tree *tree=NULL;
2414 int old_offset=offset;
2417 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
2419 tree = proto_item_add_subtree(item, ett_samr_domain_info_8);
2422 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2423 hf_samr_max_pwd_age);
2424 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2425 hf_samr_min_pwd_age);
2427 proto_item_set_len(item, offset-old_offset);
2432 samr_dissect_REPLICATION_STATUS(tvbuff_t *tvb, int offset,
2433 packet_info *pinfo, proto_tree *parent_tree,
2436 proto_item *item=NULL;
2437 proto_tree *tree=NULL;
2438 int old_offset=offset;
2441 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
2442 "REPLICATION_STATUS:");
2443 tree = proto_item_add_subtree(item, ett_samr_replication_status);
2446 offset = dissect_ndr_uint64 (tvb, offset, pinfo, tree, drep,
2447 hf_samr_unknown_hyper, NULL);
2448 offset = dissect_ndr_uint64 (tvb, offset, pinfo, tree, drep,
2449 hf_samr_unknown_hyper, NULL);
2450 offset = dissect_ndr_uint16 (tvb, offset, pinfo, tree, drep,
2451 hf_samr_unknown_short, NULL);
2453 proto_item_set_len(item, offset-old_offset);
2458 samr_dissect_DOMAIN_INFO_11(tvbuff_t *tvb, int offset,
2459 packet_info *pinfo, proto_tree *parent_tree,
2462 proto_item *item=NULL;
2463 proto_tree *tree=NULL;
2464 int old_offset=offset;
2467 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
2469 tree = proto_item_add_subtree(item, ett_samr_domain_info_11);
2472 offset = samr_dissect_DOMAIN_INFO_2(
2473 tvb, offset, pinfo, tree, drep);
2474 offset = samr_dissect_REPLICATION_STATUS(
2475 tvb, offset, pinfo, tree, drep);
2477 proto_item_set_len(item, offset-old_offset);
2482 samr_dissect_DOMAIN_INFO_13(tvbuff_t *tvb, int offset,
2483 packet_info *pinfo, proto_tree *parent_tree,
2486 proto_item *item=NULL;
2487 proto_tree *tree=NULL;
2488 int old_offset=offset;
2491 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
2493 tree = proto_item_add_subtree(item, ett_samr_domain_info_13);
2496 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2497 hf_samr_unknown_time);
2498 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2499 hf_samr_unknown_time);
2500 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2501 hf_samr_unknown_time);
2503 proto_item_set_len(item, offset-old_offset);
2509 samr_dissect_DOMAIN_INFO(tvbuff_t *tvb, int offset,
2510 packet_info *pinfo, proto_tree *parent_tree,
2513 proto_item *item=NULL;
2514 proto_tree *tree=NULL;
2515 int old_offset=offset;
2519 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
2521 tree = proto_item_add_subtree(item, ett_samr_domain_info);
2524 offset = dissect_ndr_uint16 (tvb, offset, pinfo, tree, drep,
2525 hf_samr_level, &level);
2527 ALIGN_TO_4_BYTES; /* all union arms aligned to 4 bytes, case 7 and 9 need this */
2530 offset = samr_dissect_DOMAIN_INFO_1(
2531 tvb, offset, pinfo, tree, drep);
2534 offset = samr_dissect_DOMAIN_INFO_2(
2535 tvb, offset, pinfo, tree, drep);
2539 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2540 hf_samr_unknown_time);
2543 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo,
2544 tree, drep, hf_samr_unknown_string, 0);
2548 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo,
2549 tree, drep, hf_samr_domain, 0);
2553 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo,
2554 tree, drep, hf_samr_controller, 0);
2558 offset = dissect_ndr_uint16 (tvb, offset, pinfo, tree, drep,
2559 hf_samr_unknown_short, NULL);
2562 offset = samr_dissect_DOMAIN_INFO_8(
2563 tvb, offset, pinfo, tree, drep);
2566 offset = dissect_ndr_uint16 (tvb, offset, pinfo, tree, drep,
2567 hf_samr_unknown_short, NULL);
2570 offset = samr_dissect_DOMAIN_INFO_11(
2571 tvb, offset, pinfo, tree, drep);
2574 offset = samr_dissect_REPLICATION_STATUS(
2575 tvb, offset, pinfo, tree, drep);
2578 offset = samr_dissect_DOMAIN_INFO_13(
2579 tvb, offset, pinfo, tree, drep);
2583 proto_item_set_len(item, offset-old_offset);
2588 samr_dissect_set_information_domain_rqst(tvbuff_t *tvb, int offset,
2589 packet_info *pinfo, proto_tree *tree,
2594 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
2595 hf_samr_hnd, NULL, FALSE, FALSE);
2597 offset = dissect_ndr_uint16 (tvb, offset, pinfo, tree, drep,
2598 hf_samr_level, &level);
2600 if (check_col(pinfo->cinfo, COL_INFO))
2601 col_append_fstr(pinfo->cinfo, COL_INFO, ", level %d", level);
2603 offset = samr_dissect_DOMAIN_INFO(tvb, offset, pinfo, tree, drep);
2609 samr_dissect_set_information_domain_reply(tvbuff_t *tvb, int offset,
2611 proto_tree *tree, char *drep)
2613 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
2620 samr_dissect_lookup_domain_rqst(tvbuff_t *tvb, int offset,
2621 packet_info *pinfo, proto_tree *tree,
2624 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
2625 hf_samr_hnd, NULL, FALSE, FALSE);
2627 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2628 samr_dissect_pointer_UNICODE_STRING, NDR_POINTER_REF,
2629 "Domain:", hf_samr_domain);
2635 samr_dissect_lookup_domain_reply(tvbuff_t *tvb, int offset,
2636 packet_info *pinfo, proto_tree *tree,
2639 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2640 dissect_ndr_nt_SID_ptr, NDR_POINTER_REF,
2643 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
2649 dissect_ndr_nt_PSID(tvbuff_t *tvb, int offset,
2650 packet_info *pinfo, proto_tree *parent_tree,
2653 proto_item *item=NULL;
2654 proto_tree *tree=NULL;
2655 int old_offset=offset;
2658 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
2660 tree = proto_item_add_subtree(item, ett_samr_sid_pointer);
2663 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2664 dissect_ndr_nt_SID, NDR_POINTER_UNIQUE,
2667 proto_item_set_len(item, offset-old_offset);
2673 dissect_ndr_nt_PSID_ARRAY_sids (tvbuff_t *tvb, int offset,
2674 packet_info *pinfo, proto_tree *tree,
2677 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2678 dissect_ndr_nt_PSID);
2685 dissect_ndr_nt_PSID_ARRAY(tvbuff_t *tvb, int offset,
2686 packet_info *pinfo, proto_tree *parent_tree,
2690 proto_item *item=NULL;
2691 proto_tree *tree=NULL;
2692 int old_offset=offset;
2695 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
2697 tree = proto_item_add_subtree(item, ett_samr_sid_array);
2700 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2701 hf_samr_count, &count);
2702 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2703 dissect_ndr_nt_PSID_ARRAY_sids, NDR_POINTER_UNIQUE,
2706 proto_item_set_len(item, offset-old_offset);
2710 /* called from NETLOGON but placed here since where are where the hf_fields are defined */
2712 dissect_ndr_nt_SID_AND_ATTRIBUTES(tvbuff_t *tvb, int offset,
2713 packet_info *pinfo, proto_tree *parent_tree,
2716 proto_item *item=NULL;
2717 proto_tree *tree=NULL;
2720 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
2721 "SID_AND_ATTRIBUTES:");
2722 tree = proto_item_add_subtree(item, ett_samr_sid_and_attributes);
2725 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep);
2727 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2728 hf_samr_attrib, NULL);
2734 dissect_ndr_nt_SID_AND_ATTRIBUTES_ARRAY(tvbuff_t *tvb, int offset,
2735 packet_info *pinfo, proto_tree *parent_tree,
2739 proto_item *item=NULL;
2740 proto_tree *tree=NULL;
2741 int old_offset=offset;
2744 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
2745 "SID_AND_ATTRIBUTES array:");
2746 tree = proto_item_add_subtree(item, ett_samr_sid_and_attributes_array);
2749 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2750 hf_samr_count, &count);
2751 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2752 dissect_ndr_nt_SID_AND_ATTRIBUTES);
2754 proto_item_set_len(item, offset-old_offset);
2760 samr_dissect_index(tvbuff_t *tvb, int offset,
2761 packet_info *pinfo, proto_tree *tree,
2766 di=pinfo->private_data;
2768 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2769 di->hf_index, NULL);
2776 samr_dissect_INDEX_ARRAY_value (tvbuff_t *tvb, int offset,
2777 packet_info *pinfo, proto_tree *tree,
2780 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2781 samr_dissect_index);
2787 plural_ending(const char *string)
2791 string_len = strlen(string);
2792 if (string_len > 0 && string[string_len - 1] == 's') {
2793 /* String ends with "s" - pluralize by adding "es" */
2796 /* Field name doesn't end with "s" - pluralize by adding "s" */
2802 samr_dissect_INDEX_ARRAY(tvbuff_t *tvb, int offset,
2803 packet_info *pinfo, proto_tree *parent_tree,
2808 proto_item *item=NULL;
2809 proto_tree *tree=NULL;
2810 int old_offset=offset;
2814 di=pinfo->private_data;
2816 field_name = proto_registrar_get_name(di->hf_index);
2817 snprintf(str, 255, "INDEX_ARRAY: %s%s:", field_name,
2818 plural_ending(field_name));
2820 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
2822 tree = proto_item_add_subtree(item, ett_samr_index_array);
2825 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2826 hf_samr_count, &count);
2827 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2828 samr_dissect_INDEX_ARRAY_value, NDR_POINTER_UNIQUE,
2831 proto_item_set_len(item, offset-old_offset);
2836 samr_dissect_get_alias_membership_rqst(tvbuff_t *tvb, int offset,
2837 packet_info *pinfo, proto_tree *tree,
2840 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
2841 hf_samr_hnd, NULL, FALSE, FALSE);
2843 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2844 dissect_ndr_nt_PSID_ARRAY, NDR_POINTER_REF,
2851 samr_dissect_get_alias_membership_reply(tvbuff_t *tvb, int offset,
2852 packet_info *pinfo, proto_tree *tree,
2855 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2856 samr_dissect_INDEX_ARRAY, NDR_POINTER_REF,
2857 "INDEX_ARRAY:", hf_samr_alias);
2859 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
2866 samr_dissect_IDX_AND_NAME(tvbuff_t *tvb, int offset,
2867 packet_info *pinfo, proto_tree *parent_tree,
2870 proto_item *item=NULL;
2871 proto_tree *tree=NULL;
2872 int old_offset=offset;
2876 di=pinfo->private_data;
2878 snprintf(str, 255, "IDX_AND_NAME: %s:",proto_registrar_get_name(di->hf_index));
2880 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
2882 tree = proto_item_add_subtree(item, ett_samr_idx_and_name);
2885 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2886 hf_samr_index, NULL);
2887 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo,
2888 tree, drep, di->hf_index, 4);
2890 proto_item_set_len(item, offset-old_offset);
2895 samr_dissect_IDX_AND_NAME_entry (tvbuff_t *tvb, int offset,
2896 packet_info *pinfo, proto_tree *tree,
2899 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2900 samr_dissect_IDX_AND_NAME);
2907 samr_dissect_IDX_AND_NAME_ARRAY(tvbuff_t *tvb, int offset,
2908 packet_info *pinfo, proto_tree *parent_tree,
2913 proto_item *item=NULL;
2914 proto_tree *tree=NULL;
2915 int old_offset=offset;
2919 di=pinfo->private_data;
2921 field_name = proto_registrar_get_name(di->hf_index);
2924 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
2925 "IDX_AND_NAME_ARRAY: %s%s:", field_name,
2926 plural_ending(field_name));
2927 tree = proto_item_add_subtree(item, ett_samr_idx_and_name_array);
2931 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2932 hf_samr_count, &count);
2933 snprintf(str, 255, "IDX_AND_NAME pointer: %s%s:", field_name,
2934 plural_ending(field_name));
2935 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2936 samr_dissect_IDX_AND_NAME_entry, NDR_POINTER_UNIQUE,
2939 proto_item_set_len(item, offset-old_offset);
2944 samr_dissect_IDX_AND_NAME_ARRAY_ptr(tvbuff_t *tvb, int offset,
2945 packet_info *pinfo, proto_tree *tree,
2952 di=pinfo->private_data;
2954 field_name = proto_registrar_get_name(di->hf_index);
2955 snprintf(str, 255, "IDX_AND_NAME_ARRAY pointer: %s%s:", field_name,
2956 plural_ending(field_name));
2957 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2958 samr_dissect_IDX_AND_NAME_ARRAY, NDR_POINTER_UNIQUE,
2964 samr_dissect_enum_domains_rqst(tvbuff_t *tvb, int offset,
2965 packet_info *pinfo, proto_tree *tree,
2968 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
2969 hf_samr_hnd, NULL, FALSE, FALSE);
2971 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2972 samr_dissect_pointer_long, NDR_POINTER_REF,
2973 "Resume Handle:", hf_samr_resume_hnd);
2975 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2976 hf_samr_pref_maxsize, NULL);
2982 samr_dissect_enum_domains_reply(tvbuff_t *tvb, int offset,
2983 packet_info *pinfo, proto_tree *tree,
2986 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2987 samr_dissect_pointer_long, NDR_POINTER_REF,
2988 "Resume Handle:", hf_samr_resume_hnd);
2990 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2991 samr_dissect_IDX_AND_NAME_ARRAY_ptr, NDR_POINTER_REF,
2992 "IDX_AND_NAME_ARRAY:", hf_samr_domain);
2994 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2995 samr_dissect_pointer_long, NDR_POINTER_REF,
2996 "Entries:", hf_samr_entries);
2998 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3005 samr_dissect_enum_dom_groups_rqst(tvbuff_t *tvb, int offset,
3006 packet_info *pinfo, proto_tree *tree,
3009 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
3010 hf_samr_hnd, NULL, FALSE, FALSE);
3012 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3013 samr_dissect_pointer_long, NDR_POINTER_REF,
3014 "Resume Handle:", hf_samr_resume_hnd);
3016 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
3017 hf_samr_mask, NULL);
3019 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
3020 hf_samr_pref_maxsize, NULL);
3026 samr_dissect_enum_dom_groups_reply(tvbuff_t *tvb, int offset,
3027 packet_info *pinfo, proto_tree *tree,
3030 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3031 samr_dissect_pointer_long, NDR_POINTER_REF,
3032 "Resume Handle:", hf_samr_resume_hnd);
3034 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3035 samr_dissect_IDX_AND_NAME_ARRAY_ptr, NDR_POINTER_REF,
3036 "IDX_AND_NAME_ARRAY:", hf_samr_group_name);
3038 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3039 samr_dissect_pointer_long, NDR_POINTER_REF,
3040 "Entries:", hf_samr_entries);
3042 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3049 samr_dissect_enum_dom_aliases_rqst(tvbuff_t *tvb, int offset,
3050 packet_info *pinfo, proto_tree *tree,
3053 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
3054 hf_samr_hnd, NULL, FALSE, FALSE);
3056 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3057 samr_dissect_pointer_long, NDR_POINTER_REF,
3058 "Resume Handle:", hf_samr_resume_hnd);
3060 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
3061 hf_samr_mask, NULL);
3063 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
3064 hf_samr_pref_maxsize, NULL);
3070 samr_dissect_enum_dom_aliases_reply(tvbuff_t *tvb, int offset,
3071 packet_info *pinfo, proto_tree *tree,
3074 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3075 samr_dissect_pointer_long, NDR_POINTER_REF,
3076 "Resume Handle:", hf_samr_resume_hnd);
3078 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3079 samr_dissect_IDX_AND_NAME_ARRAY_ptr, NDR_POINTER_REF,
3080 "IDX_AND_NAME_ARRAY:", hf_samr_alias_name);
3082 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3083 samr_dissect_pointer_long, NDR_POINTER_REF,
3084 "Entries:", hf_samr_entries);
3086 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3093 samr_dissect_get_members_in_alias_rqst(tvbuff_t *tvb, int offset,
3094 packet_info *pinfo, proto_tree *tree,
3097 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
3098 hf_samr_hnd, NULL, FALSE, FALSE);
3104 samr_dissect_get_members_in_alias_reply(tvbuff_t *tvb, int offset,
3105 packet_info *pinfo, proto_tree *tree,
3108 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3109 dissect_ndr_nt_PSID_ARRAY, NDR_POINTER_REF,
3112 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3119 samr_dissect_LOGON_HOURS_entry(tvbuff_t *tvb, int offset,
3120 packet_info *pinfo, proto_tree *tree,
3123 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
3124 hf_samr_unknown_char, NULL);
3129 samr_dissect_LOGON_HOURS_hours(tvbuff_t *tvb, int offset,
3130 packet_info *pinfo, proto_tree *parent_tree,
3133 proto_item *item=NULL;
3134 proto_tree *tree=NULL;
3135 int old_offset=offset;
3138 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
3140 tree = proto_item_add_subtree(item, ett_samr_logon_hours_hours);
3143 offset = dissect_ndr_ucvarray(tvb, offset, pinfo, tree, drep,
3144 samr_dissect_LOGON_HOURS_entry);
3146 proto_item_set_len(item, offset-old_offset);
3153 dissect_ndr_nt_LOGON_HOURS(tvbuff_t *tvb, int offset,
3154 packet_info *pinfo, proto_tree *parent_tree,
3157 proto_item *item=NULL;
3158 proto_tree *tree=NULL;
3159 int old_offset=offset;
3161 ALIGN_TO_4_BYTES; /* strcture starts with short, but is aligned for longs */
3164 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
3166 tree = proto_item_add_subtree(item, ett_samr_logon_hours);
3169 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
3170 hf_samr_divisions, NULL);
3171 /* XXX - is this a bitmask like the "logon hours" field in the
3172 Remote API call "NetUserGetInfo()" with an information level
3174 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3175 samr_dissect_LOGON_HOURS_hours, NDR_POINTER_UNIQUE,
3178 proto_item_set_len(item, offset-old_offset);
3184 samr_dissect_USER_INFO_1(tvbuff_t *tvb, int offset,
3185 packet_info *pinfo, proto_tree *parent_tree,
3188 proto_item *item=NULL;
3189 proto_tree *tree=NULL;
3190 int old_offset=offset;
3193 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
3195 tree = proto_item_add_subtree(item, ett_samr_user_info_1);
3198 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
3199 hf_samr_acct_name, 1);
3200 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
3201 hf_samr_full_name, 0);
3202 offset = dissect_ndr_nt_acct_ctrl(tvb, offset, pinfo, tree, drep);
3203 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
3205 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
3208 proto_item_set_len(item, offset-old_offset);
3213 samr_dissect_USER_INFO_2(tvbuff_t *tvb, int offset,
3214 packet_info *pinfo, proto_tree *parent_tree,
3217 proto_item *item=NULL;
3218 proto_tree *tree=NULL;
3219 int old_offset=offset;
3222 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
3224 tree = proto_item_add_subtree(item, ett_samr_user_info_2);
3227 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
3228 hf_samr_acct_name, 0);
3229 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
3230 hf_samr_full_name, 0);
3231 offset = dissect_ndr_uint16 (tvb, offset, pinfo, tree, drep,
3232 hf_samr_bad_pwd_count, NULL);
3233 offset = dissect_ndr_uint16 (tvb, offset, pinfo, tree, drep,
3234 hf_samr_logon_count, NULL);
3236 proto_item_set_len(item, offset-old_offset);
3241 samr_dissect_USER_INFO_3(tvbuff_t *tvb, int offset,
3242 packet_info *pinfo, proto_tree *parent_tree,
3245 proto_item *item=NULL;
3246 proto_tree *tree=NULL;
3247 int old_offset=offset;
3250 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
3252 tree = proto_item_add_subtree(item, ett_samr_user_info_3);
3255 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
3256 hf_samr_acct_name, 0);
3257 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
3258 hf_samr_full_name, 0);
3259 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3261 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3262 hf_samr_group, NULL);
3263 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
3265 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
3266 hf_samr_home_drive, 0);
3267 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
3269 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
3270 hf_samr_acct_desc, 0);
3271 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
3272 hf_samr_workstations, 0);
3273 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
3274 hf_samr_logon_time);
3275 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
3276 hf_samr_logoff_time);
3277 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
3278 hf_samr_pwd_last_set_time);
3279 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
3280 hf_samr_pwd_can_change_time);
3281 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
3282 hf_samr_pwd_must_change_time);
3283 offset = dissect_ndr_nt_LOGON_HOURS(tvb, offset, pinfo, tree, drep);
3284 offset = dissect_ndr_uint16 (tvb, offset, pinfo, tree, drep,
3285 hf_samr_logon_count, NULL);
3286 offset = dissect_ndr_uint16 (tvb, offset, pinfo, tree, drep,
3287 hf_samr_bad_pwd_count, NULL);
3288 offset = dissect_ndr_nt_acct_ctrl(tvb, offset, pinfo, tree, drep);
3290 proto_item_set_len(item, offset-old_offset);
3295 samr_dissect_USER_INFO_5(tvbuff_t *tvb, int offset,
3296 packet_info *pinfo, proto_tree *parent_tree,
3299 proto_item *item=NULL;
3300 proto_tree *tree=NULL;
3301 int old_offset=offset;
3304 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
3306 tree = proto_item_add_subtree(item, ett_samr_user_info_5);
3309 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
3310 hf_samr_acct_name, 0);
3311 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
3312 hf_samr_full_name, 0);
3313 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3315 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3316 hf_samr_group, NULL);
3317 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
3318 hf_samr_country, NULL);
3319 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
3320 hf_samr_codepage, NULL);
3321 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
3323 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
3324 hf_samr_home_drive, 0);
3325 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
3327 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
3328 hf_samr_acct_desc, 0);
3329 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
3330 hf_samr_workstations, 0);
3331 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
3332 hf_samr_logon_time);
3333 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
3334 hf_samr_logoff_time);
3335 offset = dissect_ndr_nt_LOGON_HOURS(tvb, offset, pinfo, tree, drep);
3336 offset = dissect_ndr_uint16 (tvb, offset, pinfo, tree, drep,
3337 hf_samr_bad_pwd_count, NULL);
3338 offset = dissect_ndr_uint16 (tvb, offset, pinfo, tree, drep,
3339 hf_samr_logon_count, NULL);
3340 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
3341 hf_samr_pwd_last_set_time);
3342 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
3343 hf_samr_acct_expiry_time);
3344 offset = dissect_ndr_nt_acct_ctrl(tvb, offset, pinfo, tree, drep);
3346 proto_item_set_len(item, offset-old_offset);
3351 samr_dissect_USER_INFO_6(tvbuff_t *tvb, int offset,
3352 packet_info *pinfo, proto_tree *parent_tree,
3355 proto_item *item=NULL;
3356 proto_tree *tree=NULL;
3357 int old_offset=offset;
3360 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
3362 tree = proto_item_add_subtree(item, ett_samr_user_info_6);
3365 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
3366 hf_samr_acct_name, 0);
3367 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
3368 hf_samr_full_name, 0);
3370 proto_item_set_len(item, offset-old_offset);
3375 samr_dissect_USER_INFO_18(tvbuff_t *tvb, int offset,
3376 packet_info *pinfo, proto_tree *parent_tree,
3379 proto_item *item=NULL;
3380 proto_tree *tree=NULL;
3381 int old_offset=offset;
3384 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
3386 tree = proto_item_add_subtree(item, ett_samr_user_info_18);
3389 offset = samr_dissect_CRYPT_HASH(tvb, offset, pinfo, tree, drep);
3390 offset = samr_dissect_CRYPT_HASH(tvb, offset, pinfo, tree, drep);
3391 offset = dissect_ndr_uint8 (tvb, offset, pinfo, tree, drep,
3392 hf_samr_unknown_char, NULL);
3393 offset = dissect_ndr_uint8 (tvb, offset, pinfo, tree, drep,
3394 hf_samr_unknown_char, NULL);
3395 offset = dissect_ndr_uint8 (tvb, offset, pinfo, tree, drep,
3396 hf_samr_unknown_char, NULL);
3398 proto_item_set_len(item, offset-old_offset);
3403 samr_dissect_USER_INFO_19(tvbuff_t *tvb, int offset,
3404 packet_info *pinfo, proto_tree *parent_tree,
3407 proto_item *item=NULL;
3408 proto_tree *tree=NULL;
3409 int old_offset=offset;
3412 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
3414 tree = proto_item_add_subtree(item, ett_samr_user_info_19);
3417 offset = dissect_ndr_nt_acct_ctrl(tvb, offset, pinfo, tree, drep);
3418 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
3419 hf_samr_logon_time);
3420 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
3421 hf_samr_logoff_time);
3422 offset = dissect_ndr_uint16 (tvb, offset, pinfo, tree, drep,
3423 hf_samr_bad_pwd_count, NULL);
3424 offset = dissect_ndr_uint16 (tvb, offset, pinfo, tree, drep,
3425 hf_samr_logon_count, NULL);
3427 proto_item_set_len(item, offset-old_offset);
3432 samr_dissect_BUFFER_entry(tvbuff_t *tvb, int offset,
3433 packet_info *pinfo, proto_tree *tree,
3436 offset = dissect_ndr_uint8 (tvb, offset, pinfo, tree, drep,
3437 hf_samr_unknown_char, NULL);
3443 samr_dissect_BUFFER_buffer(tvbuff_t *tvb, int offset,
3444 packet_info *pinfo, proto_tree *parent_tree,
3447 proto_item *item=NULL;
3448 proto_tree *tree=NULL;
3449 int old_offset=offset;
3452 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
3454 tree = proto_item_add_subtree(item, ett_samr_buffer_buffer);
3457 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
3458 samr_dissect_BUFFER_entry);
3460 proto_item_set_len(item, offset-old_offset);
3467 samr_dissect_BUFFER(tvbuff_t *tvb, int offset,
3468 packet_info *pinfo, proto_tree *parent_tree,
3471 proto_item *item=NULL;
3472 proto_tree *tree=NULL;
3473 int old_offset=offset;
3476 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
3478 tree = proto_item_add_subtree(item, ett_samr_buffer);
3480 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
3481 hf_samr_count, NULL);
3482 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3483 samr_dissect_BUFFER_buffer, NDR_POINTER_UNIQUE,
3486 proto_item_set_len(item, offset-old_offset);
3491 samr_dissect_USER_INFO_21(tvbuff_t *tvb, int offset,
3492 packet_info *pinfo, proto_tree *parent_tree,
3495 proto_item *item=NULL;
3496 proto_tree *tree=NULL;
3497 int old_offset=offset;
3500 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
3502 tree = proto_item_add_subtree(item, ett_samr_user_info_21);
3505 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
3506 hf_samr_logon_time);
3507 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
3508 hf_samr_logoff_time);
3509 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
3510 hf_samr_kickoff_time);
3511 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
3512 hf_samr_pwd_last_set_time);
3513 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
3514 hf_samr_pwd_can_change_time);
3515 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
3516 hf_samr_pwd_must_change_time);
3517 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
3518 hf_samr_acct_name, 2);
3519 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
3520 hf_samr_full_name, 0);
3521 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
3523 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
3524 hf_samr_home_drive, 0);
3525 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
3527 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
3528 hf_samr_profile, 0);
3529 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
3530 hf_samr_acct_desc, 0);
3531 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
3532 hf_samr_workstations, 0);
3533 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
3534 hf_samr_comment, 0);
3535 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
3536 hf_samr_parameters, 0);
3537 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
3538 hf_samr_unknown_string, 0);
3539 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
3540 hf_samr_unknown_string, 0);
3541 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
3542 hf_samr_unknown_string, 0);
3543 offset = samr_dissect_BUFFER(tvb, offset, pinfo, tree, drep);
3544 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3546 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3547 hf_samr_group, NULL);
3548 offset = dissect_ndr_nt_acct_ctrl(tvb, offset, pinfo, tree, drep);
3549 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
3550 hf_samr_unknown_long, NULL);
3551 offset = dissect_ndr_nt_LOGON_HOURS(tvb, offset, pinfo, tree, drep);
3552 offset = dissect_ndr_uint16 (tvb, offset, pinfo, tree, drep,
3553 hf_samr_bad_pwd_count, NULL);
3554 offset = dissect_ndr_uint16 (tvb, offset, pinfo, tree, drep,
3555 hf_samr_logon_count, NULL);
3556 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
3557 hf_samr_country, NULL);
3558 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
3559 hf_samr_codepage, NULL);
3560 offset = dissect_ndr_uint8 (tvb, offset, pinfo, tree, drep,
3561 hf_samr_nt_pwd_set, NULL);
3562 offset = dissect_ndr_uint8 (tvb, offset, pinfo, tree, drep,
3563 hf_samr_lm_pwd_set, NULL);
3564 offset = dissect_ndr_uint8 (tvb, offset, pinfo, tree, drep,
3565 hf_samr_pwd_expired, NULL);
3566 offset = dissect_ndr_uint8 (tvb, offset, pinfo, tree, drep,
3567 hf_samr_unknown_char, NULL);
3569 proto_item_set_len(item, offset-old_offset);
3574 samr_dissect_USER_INFO_22(tvbuff_t *tvb, int offset,
3575 packet_info *pinfo, proto_tree *parent_tree,
3578 proto_item *item=NULL;
3579 proto_tree *tree=NULL;
3580 int old_offset=offset;
3583 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
3585 tree = proto_item_add_subtree(item, ett_samr_user_info_22);
3588 offset = samr_dissect_USER_INFO_21(tvb, offset, pinfo, tree, drep);
3589 offset = dissect_ndr_uint64 (tvb, offset, pinfo, tree, drep,
3590 hf_samr_revision, NULL);
3592 proto_item_set_len(item, offset-old_offset);
3597 samr_dissect_USER_INFO_23(tvbuff_t *tvb, int offset,
3598 packet_info *pinfo, proto_tree *parent_tree,
3601 proto_item *item=NULL;
3602 proto_tree *tree=NULL;
3603 int old_offset=offset;
3606 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
3608 tree = proto_item_add_subtree(item, ett_samr_user_info_23);
3611 offset = samr_dissect_USER_INFO_21(tvb, offset, pinfo, tree, drep);
3612 offset = samr_dissect_CRYPT_PASSWORD(tvb, offset, pinfo, tree, drep);
3614 proto_item_set_len(item, offset-old_offset);
3619 samr_dissect_USER_INFO_24(tvbuff_t *tvb, int offset,
3620 packet_info *pinfo, proto_tree *parent_tree,
3623 proto_item *item=NULL;
3624 proto_tree *tree=NULL;
3625 int old_offset=offset;
3628 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
3630 tree = proto_item_add_subtree(item, ett_samr_user_info_24);
3633 offset = samr_dissect_CRYPT_PASSWORD(tvb, offset, pinfo, tree, drep);
3634 offset = dissect_ndr_uint8 (tvb, offset, pinfo, tree, drep,
3635 hf_samr_unknown_char, NULL);
3637 proto_item_set_len(item, offset-old_offset);
3642 samr_dissect_USER_INFO (tvbuff_t *tvb, int offset,
3643 packet_info *pinfo, proto_tree *parent_tree,
3646 proto_item *item=NULL;
3647 proto_tree *tree=NULL;
3648 int old_offset=offset;
3652 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
3654 tree = proto_item_add_subtree(item, ett_samr_user_info);
3656 offset = dissect_ndr_uint16 (tvb, offset, pinfo, tree, drep,
3657 hf_samr_level, &level);
3661 offset = samr_dissect_USER_INFO_1(
3662 tvb, offset, pinfo, tree, drep);
3665 offset = samr_dissect_USER_INFO_2(
3666 tvb, offset, pinfo, tree, drep);
3669 offset = samr_dissect_USER_INFO_3(
3670 tvb, offset, pinfo, tree, drep);
3673 offset = dissect_ndr_nt_LOGON_HOURS(
3674 tvb, offset, pinfo, tree, drep);
3677 offset = samr_dissect_USER_INFO_5(
3678 tvb, offset, pinfo, tree, drep);
3681 offset = samr_dissect_USER_INFO_6(
3682 tvb, offset, pinfo, tree, drep);
3685 offset = dissect_ndr_nt_UNICODE_STRING(
3686 tvb, offset, pinfo, tree, drep, hf_samr_full_name, 0);
3689 offset = dissect_ndr_nt_UNICODE_STRING(
3690 tvb, offset, pinfo, tree, drep, hf_samr_acct_desc, 0);
3693 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
3694 hf_samr_unknown_long, NULL);
3697 offset = samr_dissect_USER_INFO_6(
3698 tvb, offset, pinfo, tree, drep);
3701 offset = dissect_ndr_nt_UNICODE_STRING(
3702 tvb, offset, pinfo, tree, drep, hf_samr_home, 0);
3705 offset = dissect_ndr_nt_UNICODE_STRING(
3706 tvb, offset, pinfo, tree, drep, hf_samr_home_drive, 0);
3709 offset = dissect_ndr_nt_UNICODE_STRING(
3710 tvb, offset, pinfo, tree, drep, hf_samr_script, 0);
3713 offset = dissect_ndr_nt_UNICODE_STRING(
3714 tvb, offset, pinfo, tree, drep, hf_samr_workstations, 0);
3717 offset = dissect_ndr_nt_acct_ctrl(tvb, offset, pinfo, tree,
3721 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
3722 hf_samr_unknown_time);
3725 offset = samr_dissect_USER_INFO_18(
3726 tvb, offset, pinfo, tree, drep);
3729 offset = samr_dissect_USER_INFO_19(
3730 tvb, offset, pinfo, tree, drep);
3733 offset = dissect_ndr_nt_UNICODE_STRING(
3734 tvb, offset, pinfo, tree, drep, hf_samr_profile, 0);
3737 offset = samr_dissect_USER_INFO_21(
3738 tvb, offset, pinfo, tree, drep);
3741 offset = samr_dissect_USER_INFO_22(
3742 tvb, offset, pinfo, tree, drep);
3745 offset = samr_dissect_USER_INFO_23(
3746 tvb, offset, pinfo, tree, drep);
3749 offset = samr_dissect_USER_INFO_24(
3750 tvb, offset, pinfo, tree, drep);
3754 proto_item_set_len(item, offset-old_offset);
3759 samr_dissect_USER_INFO_ptr(tvbuff_t *tvb, int offset,
3760 packet_info *pinfo, proto_tree *tree,
3763 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3764 samr_dissect_USER_INFO, NDR_POINTER_UNIQUE,
3765 "USER_INFO pointer", -1);
3770 samr_dissect_set_information_user2_rqst(tvbuff_t *tvb, int offset,
3771 packet_info *pinfo, proto_tree *tree,
3776 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
3777 hf_samr_hnd, NULL, FALSE, FALSE);
3779 offset = dissect_ndr_uint16 (tvb, offset, pinfo, tree, drep,
3780 hf_samr_level, &level);
3782 if (check_col(pinfo->cinfo, COL_INFO))
3783 col_append_fstr(pinfo->cinfo, COL_INFO, ", level %d", level);
3785 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3786 samr_dissect_USER_INFO, NDR_POINTER_REF,
3793 samr_dissect_set_information_user2_reply(tvbuff_t *tvb, int offset,
3794 packet_info *pinfo, proto_tree *tree,
3797 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3804 samr_dissect_unknown_2f_rqst(tvbuff_t *tvb, int offset,
3805 packet_info *pinfo, proto_tree *tree,
3810 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
3811 hf_samr_hnd, NULL, FALSE, FALSE);
3813 offset = dissect_ndr_uint16 (tvb, offset, pinfo, tree, drep,
3814 hf_samr_level, &level);
3816 if (check_col(pinfo->cinfo, COL_INFO))
3817 col_append_fstr(pinfo->cinfo, COL_INFO, ", level %d", level);
3823 samr_dissect_unknown_2f_reply(tvbuff_t *tvb, int offset,
3824 packet_info *pinfo, proto_tree *tree,
3827 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3828 samr_dissect_USER_INFO_ptr, NDR_POINTER_REF,
3831 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3838 samr_dissect_MEMBER_ARRAY_type(tvbuff_t *tvb, int offset,
3839 packet_info *pinfo, proto_tree *tree,
3842 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3843 hf_samr_type, NULL);
3850 samr_dissect_MEMBER_ARRAY_types(tvbuff_t *tvb, int offset,
3851 packet_info *pinfo, proto_tree *parent_tree,
3854 proto_item *item=NULL;
3855 proto_tree *tree=NULL;
3856 int old_offset=offset;
3859 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
3860 "MEMBER_ARRAY_types:");
3861 tree = proto_item_add_subtree(item, ett_samr_member_array_types);
3864 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
3865 samr_dissect_MEMBER_ARRAY_type);
3867 proto_item_set_len(item, offset-old_offset);
3874 samr_dissect_MEMBER_ARRAY_rid(tvbuff_t *tvb, int offset,
3875 packet_info *pinfo, proto_tree *tree,
3878 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3886 samr_dissect_MEMBER_ARRAY_rids(tvbuff_t *tvb, int offset,
3887 packet_info *pinfo, proto_tree *parent_tree,
3890 proto_item *item=NULL;
3891 proto_tree *tree=NULL;
3892 int old_offset=offset;
3895 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
3896 "MEMBER_ARRAY_rids:");
3897 tree = proto_item_add_subtree(item, ett_samr_member_array_rids);
3900 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
3901 samr_dissect_MEMBER_ARRAY_rid);
3903 proto_item_set_len(item, offset-old_offset);
3910 samr_dissect_MEMBER_ARRAY(tvbuff_t *tvb, int offset,
3911 packet_info *pinfo, proto_tree *parent_tree,
3915 proto_item *item=NULL;
3916 proto_tree *tree=NULL;
3917 int old_offset=offset;
3920 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
3922 tree = proto_item_add_subtree(item, ett_samr_member_array);
3925 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3926 hf_samr_count, &count);
3927 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3928 samr_dissect_MEMBER_ARRAY_rids, NDR_POINTER_UNIQUE,
3930 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3931 samr_dissect_MEMBER_ARRAY_types, NDR_POINTER_UNIQUE,
3934 proto_item_set_len(item, offset-old_offset);
3939 samr_dissect_MEMBER_ARRAY_ptr(tvbuff_t *tvb, int offset,
3940 packet_info *pinfo, proto_tree *tree,
3943 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3944 samr_dissect_MEMBER_ARRAY, NDR_POINTER_UNIQUE,
3945 "MEMBER_ARRAY", -1);
3950 samr_dissect_query_groupmem_rqst(tvbuff_t *tvb, int offset,
3951 packet_info *pinfo, proto_tree *tree,
3954 offset = dissect_ndr_ctx_hnd (tvb, offset, pinfo, tree, drep,
3961 samr_dissect_query_groupmem_reply(tvbuff_t *tvb, int offset,
3962 packet_info *pinfo, proto_tree *tree,
3965 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3966 samr_dissect_MEMBER_ARRAY_ptr, NDR_POINTER_REF,
3967 "MEMBER_ARRAY:", -1);
3969 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3976 samr_dissect_set_sec_object_rqst(tvbuff_t *tvb, int offset,
3977 packet_info *pinfo, proto_tree *tree,
3982 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
3983 hf_samr_hnd, NULL, FALSE, FALSE);
3985 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
3986 hf_samr_info_type, &info_type);
3988 if (check_col(pinfo->cinfo, COL_INFO))
3990 pinfo->cinfo, COL_INFO, ", info type %d", info_type);
3992 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3993 lsa_dissect_LSA_SECURITY_DESCRIPTOR, NDR_POINTER_REF,
3994 "LSA_SECURITY_DESCRIPTOR pointer: ", -1);
4000 samr_dissect_set_sec_object_reply(tvbuff_t *tvb, int offset,
4001 packet_info *pinfo, proto_tree *tree,
4004 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4011 samr_dissect_query_sec_object_rqst(tvbuff_t *tvb, int offset,
4012 packet_info *pinfo, proto_tree *tree,
4017 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
4018 hf_samr_hnd, NULL, FALSE, FALSE);
4020 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
4021 hf_samr_info_type, &info_type);
4023 if (check_col(pinfo->cinfo, COL_INFO))
4025 pinfo->cinfo, COL_INFO, ", info_type %d", info_type);
4031 samr_dissect_query_sec_object_reply(tvbuff_t *tvb, int offset,
4032 packet_info *pinfo, proto_tree *tree,
4035 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4036 lsa_dissect_LSA_SECURITY_DESCRIPTOR, NDR_POINTER_UNIQUE,
4037 "LSA_SECURITY_DESCRIPTOR pointer: ", -1);
4039 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4046 samr_dissect_LOOKUP_NAMES_name(tvbuff_t *tvb, int offset,
4047 packet_info *pinfo, proto_tree *tree,
4050 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
4051 hf_samr_acct_name, 1);
4056 samr_dissect_LOOKUP_NAMES(tvbuff_t *tvb, int offset,
4057 packet_info *pinfo, proto_tree *parent_tree,
4060 proto_item *item=NULL;
4061 proto_tree *tree=NULL;
4062 int old_offset=offset;
4065 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
4067 tree = proto_item_add_subtree(item, ett_samr_names);
4070 offset = dissect_ndr_ucvarray(tvb, offset, pinfo, tree, drep,
4071 samr_dissect_LOOKUP_NAMES_name);
4073 proto_item_set_len(item, offset-old_offset);
4079 samr_dissect_lookup_names_rqst(tvbuff_t *tvb, int offset,
4080 packet_info *pinfo, proto_tree *tree,
4083 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
4084 hf_samr_hnd, NULL, FALSE, FALSE);
4086 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4087 hf_samr_count, NULL);
4089 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4090 samr_dissect_LOOKUP_NAMES, NDR_POINTER_REF,
4091 "LOOKUP_NAMES:", -1);
4097 samr_dissect_lookup_names_reply(tvbuff_t *tvb, int offset,
4098 packet_info *pinfo, proto_tree *tree,
4101 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4102 samr_dissect_INDEX_ARRAY, NDR_POINTER_REF,
4103 "Rids:", hf_samr_rid);
4105 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4106 samr_dissect_INDEX_ARRAY, NDR_POINTER_REF,
4107 "Types:", hf_samr_type);
4109 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4116 samr_dissect_LOOKUP_RIDS_rid(tvbuff_t *tvb, int offset,
4117 packet_info *pinfo, proto_tree *tree,
4120 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4127 samr_dissect_LOOKUP_RIDS(tvbuff_t *tvb, int offset,
4128 packet_info *pinfo, proto_tree *parent_tree,
4131 proto_item *item=NULL;
4132 proto_tree *tree=NULL;
4133 int old_offset=offset;
4136 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
4138 tree = proto_item_add_subtree(item, ett_samr_rids);
4141 offset = dissect_ndr_ucvarray(tvb, offset, pinfo, tree, drep,
4142 samr_dissect_LOOKUP_RIDS_rid);
4144 proto_item_set_len(item, offset-old_offset);
4150 samr_dissect_lookup_rids_rqst(tvbuff_t *tvb, int offset,
4151 packet_info *pinfo, proto_tree *tree,
4154 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
4155 hf_samr_hnd, NULL, FALSE, FALSE);
4157 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4158 hf_samr_count, NULL);
4160 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4161 samr_dissect_LOOKUP_RIDS, NDR_POINTER_REF,
4162 "LOOKUP_RIDS:", -1);
4168 samr_dissect_UNICODE_STRING_ARRAY_name(tvbuff_t *tvb, int offset,
4169 packet_info *pinfo, proto_tree *tree,
4172 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
4173 hf_samr_acct_name, 0);
4178 samr_dissect_UNICODE_STRING_ARRAY_names(tvbuff_t *tvb, int offset,
4179 packet_info *pinfo, proto_tree *tree,
4182 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4183 samr_dissect_UNICODE_STRING_ARRAY_name);
4188 samr_dissect_UNICODE_STRING_ARRAY(tvbuff_t *tvb, int offset,
4189 packet_info *pinfo, proto_tree *parent_tree,
4192 proto_item *item=NULL;
4193 proto_tree *tree=NULL;
4194 int old_offset=offset;
4197 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
4199 tree = proto_item_add_subtree(item, ett_samr_names);
4202 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4203 hf_samr_count, NULL);
4205 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4206 samr_dissect_UNICODE_STRING_ARRAY_names, NDR_POINTER_UNIQUE,
4209 proto_item_set_len(item, offset-old_offset);
4217 samr_dissect_lookup_rids_reply(tvbuff_t *tvb, int offset,
4218 packet_info *pinfo, proto_tree *tree,
4221 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4222 samr_dissect_UNICODE_STRING_ARRAY, NDR_POINTER_REF,
4223 "RIDs:", hf_samr_rid);
4225 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4226 samr_dissect_INDEX_ARRAY, NDR_POINTER_REF,
4227 "Types:", hf_samr_type);
4229 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4236 samr_dissect_close_hnd_rqst(tvbuff_t *tvb, int offset, packet_info *pinfo,
4237 proto_tree *tree, char *drep)
4239 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
4240 hf_samr_hnd, NULL, FALSE, TRUE);
4246 samr_dissect_close_hnd_reply(tvbuff_t *tvb, int offset, packet_info *pinfo,
4247 proto_tree *tree, char *drep)
4249 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
4250 hf_samr_hnd, NULL, FALSE, FALSE);
4252 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4259 samr_dissect_shutdown_sam_server_rqst(tvbuff_t *tvb, int offset,
4260 packet_info *pinfo, proto_tree *tree,
4263 offset = dissect_ndr_ctx_hnd (tvb, offset, pinfo, tree, drep,
4270 samr_dissect_shutdown_sam_server_reply(tvbuff_t *tvb, int offset,
4271 packet_info *pinfo, proto_tree *tree,
4274 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4281 samr_dissect_delete_dom_group_rqst(tvbuff_t *tvb, int offset,
4282 packet_info *pinfo, proto_tree *tree,
4285 offset = dissect_ndr_ctx_hnd (tvb, offset, pinfo, tree, drep,
4292 samr_dissect_delete_dom_group_reply(tvbuff_t *tvb, int offset,
4293 packet_info *pinfo, proto_tree *tree,
4296 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4303 samr_dissect_remove_member_from_group_rqst(tvbuff_t *tvb, int offset,
4305 proto_tree *tree, char *drep)
4307 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
4308 hf_samr_hnd, NULL, FALSE, FALSE);
4310 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
4311 hf_samr_group, NULL);
4313 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
4320 samr_dissect_remove_member_from_group_reply(tvbuff_t *tvb, int offset,
4322 proto_tree *tree, char *drep)
4324 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4331 samr_dissect_delete_dom_alias_rqst(tvbuff_t *tvb, int offset,
4332 packet_info *pinfo, proto_tree *tree,
4335 offset = dissect_ndr_ctx_hnd (tvb, offset, pinfo, tree, drep,
4342 samr_dissect_delete_dom_alias_reply(tvbuff_t *tvb, int offset,
4343 packet_info *pinfo, proto_tree *tree,
4346 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4353 samr_dissect_add_alias_member_rqst(tvbuff_t *tvb, int offset,
4354 packet_info *pinfo, proto_tree *tree,
4357 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
4358 hf_samr_hnd, NULL, FALSE, FALSE);
4360 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4361 dissect_ndr_nt_SID, NDR_POINTER_REF,
4368 samr_dissect_add_alias_member_reply(tvbuff_t *tvb, int offset,
4369 packet_info *pinfo, proto_tree *tree,
4372 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4379 samr_dissect_remove_alias_member_rqst(tvbuff_t *tvb, int offset,
4380 packet_info *pinfo, proto_tree *tree,
4383 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
4384 hf_samr_hnd, NULL, FALSE, FALSE);
4386 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4387 dissect_ndr_nt_SID, NDR_POINTER_REF,
4393 samr_dissect_remove_alias_member_reply(tvbuff_t *tvb, int offset,
4394 packet_info *pinfo, proto_tree *tree,
4397 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4404 samr_dissect_delete_dom_user_rqst(tvbuff_t *tvb, int offset,
4405 packet_info *pinfo, proto_tree *tree,
4408 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
4409 hf_samr_hnd, NULL, FALSE, FALSE);
4415 samr_dissect_delete_dom_user_reply(tvbuff_t *tvb, int offset,
4416 packet_info *pinfo, proto_tree *tree,
4419 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4426 samr_dissect_test_private_fns_domain_rqst(tvbuff_t *tvb, int offset,
4427 packet_info *pinfo, proto_tree *tree,
4430 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
4431 hf_samr_hnd, NULL, FALSE, FALSE);
4437 samr_dissect_test_private_fns_domain_reply(tvbuff_t *tvb, int offset,
4439 proto_tree *tree, char *drep)
4441 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4448 samr_dissect_test_private_fns_user_rqst(tvbuff_t *tvb, int offset,
4449 packet_info *pinfo, proto_tree *tree,
4452 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
4453 hf_samr_hnd, NULL, FALSE, FALSE);
4459 samr_dissect_test_private_fns_user_reply(tvbuff_t *tvb, int offset,
4461 proto_tree *tree, char *drep)
4463 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4470 samr_dissect_remove_member_from_foreign_domain_rqst(tvbuff_t *tvb, int offset,
4475 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
4476 hf_samr_hnd, NULL, FALSE, FALSE);
4478 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4479 dissect_ndr_nt_SID, NDR_POINTER_REF,
4485 samr_dissect_remove_member_from_foreign_domain_reply(tvbuff_t *tvb, int offset,
4490 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4497 samr_dissect_remove_multiple_members_from_alias_rqst(tvbuff_t *tvb,
4503 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
4504 hf_samr_hnd, NULL, FALSE, FALSE);
4506 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4507 dissect_ndr_nt_PSID_ARRAY, NDR_POINTER_REF,
4514 samr_dissect_remove_multiple_members_from_alias_reply(tvbuff_t *tvb,
4520 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4527 samr_dissect_open_group_rqst(tvbuff_t *tvb, int offset, packet_info *pinfo,
4528 proto_tree *tree, char *drep)
4530 dcerpc_info *di = (dcerpc_info *)pinfo->private_data;
4531 dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
4534 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
4535 hf_samr_hnd, NULL, FALSE, FALSE);
4537 offset = dissect_nt_access_mask(
4538 tvb, offset, pinfo, tree, drep, hf_samr_access,
4539 specific_rights_group);
4541 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
4544 if (check_col(pinfo->cinfo, COL_INFO))
4545 col_append_fstr(pinfo->cinfo, COL_INFO, ", rid 0x%x", rid);
4547 dcv->private_data = GINT_TO_POINTER(rid);
4553 samr_dissect_open_group_reply(tvbuff_t *tvb, int offset,
4554 packet_info *pinfo, proto_tree *tree,
4557 dcerpc_info *di = (dcerpc_info *)pinfo->private_data;
4558 dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
4559 guint32 rid = GPOINTER_TO_INT(dcv->private_data);
4560 e_ctx_hnd policy_hnd;
4563 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
4564 hf_samr_hnd, &policy_hnd, TRUE, FALSE);
4567 pol_name = g_strdup_printf("OpenGroup, rid 0x%x", rid);
4569 pol_name = g_strdup("OpenGroup handle");
4571 dcerpc_smb_store_pol_name(&policy_hnd, pol_name);
4575 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4582 samr_dissect_open_alias_rqst(tvbuff_t *tvb, int offset, packet_info *pinfo,
4583 proto_tree *tree, char *drep)
4585 dcerpc_info *di = (dcerpc_info *)pinfo->private_data;
4586 dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
4589 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
4590 hf_samr_hnd, NULL, FALSE, FALSE);
4592 offset = dissect_nt_access_mask(
4593 tvb, offset, pinfo, tree, drep, hf_samr_access,
4594 specific_rights_alias);
4596 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
4599 if (check_col(pinfo->cinfo, COL_INFO))
4600 col_append_fstr(pinfo->cinfo, COL_INFO, ", rid 0x%x", rid);
4602 dcv->private_data = GINT_TO_POINTER(rid);
4608 samr_dissect_open_alias_reply(tvbuff_t *tvb, int offset,
4609 packet_info *pinfo, proto_tree *tree,
4612 dcerpc_info *di = (dcerpc_info *)pinfo->private_data;
4613 dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
4614 e_ctx_hnd policy_hnd;
4618 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
4619 hf_samr_hnd, &policy_hnd, TRUE, FALSE);
4621 rid = GPOINTER_TO_INT(dcv->private_data);
4624 pol_name = g_strdup_printf("OpenAlias, rid 0x%x", rid);
4626 pol_name = g_strdup_printf("OpenAlias handle");
4628 dcerpc_smb_store_pol_name(&policy_hnd, pol_name);
4632 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4639 samr_dissect_add_multiple_members_to_alias_rqst(tvbuff_t *tvb, int offset,
4641 proto_tree *tree, char *drep)
4643 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
4644 hf_samr_hnd, NULL, FALSE, FALSE);
4646 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4647 dissect_ndr_nt_PSID_ARRAY, NDR_POINTER_REF,
4654 samr_dissect_add_multiple_members_to_alias_reply(tvbuff_t *tvb, int offset,
4656 proto_tree *tree, char *drep)
4658 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4665 samr_dissect_create_group_in_domain_rqst(tvbuff_t *tvb, int offset,
4666 packet_info *pinfo, proto_tree *tree,
4669 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
4670 hf_samr_hnd, NULL, FALSE, FALSE);
4672 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4673 samr_dissect_pointer_UNICODE_STRING, NDR_POINTER_REF,
4674 "Account Name", hf_samr_acct_name);
4676 offset = dissect_nt_access_mask(
4677 tvb, offset, pinfo, tree, drep, hf_samr_access,
4678 specific_rights_group);
4684 samr_dissect_create_group_in_domain_reply(tvbuff_t *tvb, int offset,
4685 packet_info *pinfo, proto_tree *tree,
4688 e_ctx_hnd policy_hnd;
4692 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
4693 hf_samr_hnd, &policy_hnd, TRUE, FALSE);
4695 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
4698 pol_name = g_strdup_printf("CreateGroup, rid 0x%x", rid);
4700 dcerpc_smb_store_pol_name(&policy_hnd, pol_name);
4704 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4711 samr_dissect_query_information_domain_rqst(tvbuff_t *tvb, int offset,
4713 proto_tree *tree, char *drep)
4717 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
4718 hf_samr_hnd, NULL, FALSE, FALSE);
4720 offset = dissect_ndr_uint16 (tvb, offset, pinfo, tree, drep,
4721 hf_samr_level, &level);
4723 if (check_col(pinfo->cinfo, COL_INFO))
4724 col_append_fstr(pinfo->cinfo, COL_INFO, ", level %d", level);
4730 samr_dissect_query_information_domain_reply(tvbuff_t *tvb, int offset,
4731 packet_info *pinfo, proto_tree *tree,
4735 * Yes, in at least one capture with replies from a W2K server,
4736 * this was, indeed, a UNIQUE pointer, not a REF pointer.
4738 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4739 samr_dissect_DOMAIN_INFO, NDR_POINTER_UNIQUE,
4740 "DOMAIN_INFO pointer", hf_samr_domain);
4742 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4749 samr_dissect_query_information_user_rqst(tvbuff_t *tvb, int offset,
4751 proto_tree *tree, char *drep)
4755 offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
4756 hf_samr_hnd, NULL, FALSE, FALSE);
4758 offset = dissect_ndr_uint16 (tvb, offset, pinfo, tree, drep,
4759 hf_samr_level, &level);
4761 if (check_col(pinfo->cinfo, COL_INFO))
4762 col_append_fstr(pinfo->cinfo, COL_INFO, ", level %d", level);
4768 samr_dissect_query_information_user_reply(tvbuff_t *tvb, int offset,
4770 proto_tree *tree, char *drep)
4772 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4773 samr_dissect_USER_INFO_ptr, NDR_POINTER_REF,
4776 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4782 static dcerpc_sub_dissector dcerpc_samr_dissectors[] = {
4783 { SAMR_CONNECT, "SamrConnect",
4784 samr_dissect_connect_anon_rqst,
4785 samr_dissect_connect_anon_reply },
4786 { SAMR_CLOSE_HND, "Close",
4787 samr_dissect_close_hnd_rqst,
4788 samr_dissect_close_hnd_reply },
4789 { SAMR_SET_SEC_OBJECT, "SetSecObject",
4790 samr_dissect_set_sec_object_rqst,
4791 samr_dissect_set_sec_object_reply },
4792 { SAMR_QUERY_SEC_OBJECT, "QuerySecObject",
4793 samr_dissect_query_sec_object_rqst,
4794 samr_dissect_query_sec_object_reply },
4795 { SAMR_SHUTDOWN_SAM_SERVER, "ShutdownSamServer",
4796 samr_dissect_shutdown_sam_server_rqst,
4797 samr_dissect_shutdown_sam_server_reply },
4798 { SAMR_LOOKUP_DOMAIN, "LookupDomain",
4799 samr_dissect_lookup_domain_rqst,
4800 samr_dissect_lookup_domain_reply },
4801 { SAMR_ENUM_DOMAINS, "EnumDomains",
4802 samr_dissect_enum_domains_rqst,
4803 samr_dissect_enum_domains_reply },
4804 { SAMR_OPEN_DOMAIN, "OpenDomain",
4805 samr_dissect_open_domain_rqst,
4806 samr_dissect_open_domain_reply },
4807 { SAMR_QUERY_DOMAIN_INFO, "QueryDomainInfo",
4808 samr_dissect_query_information_alias_rqst,
4809 samr_dissect_query_information_domain_reply },
4810 { SAMR_SET_DOMAIN_INFO, "SetDomainInfo",
4811 samr_dissect_set_information_domain_rqst,
4812 samr_dissect_set_information_domain_reply },
4813 { SAMR_CREATE_DOM_GROUP, "CreateGroup",
4814 samr_dissect_create_alias_in_domain_rqst,
4815 samr_dissect_create_alias_in_domain_reply },
4816 { SAMR_ENUM_DOM_GROUPS, "EnumDomainGroups",
4817 samr_dissect_enum_dom_groups_rqst,
4818 samr_dissect_enum_dom_groups_reply },
4819 { SAMR_CREATE_USER_IN_DOMAIN, "CreateUser",
4820 samr_dissect_create_group_in_domain_rqst,
4821 samr_dissect_create_group_in_domain_reply },
4822 { SAMR_ENUM_DOM_USERS, "EnumDomainUsers",
4823 samr_dissect_enum_dom_groups_rqst,
4824 samr_dissect_enum_dom_groups_reply },
4825 { SAMR_CREATE_DOM_ALIAS, "CreateAlias",
4826 samr_dissect_create_alias_in_domain_rqst,
4827 samr_dissect_create_alias_in_domain_reply },
4828 { SAMR_ENUM_DOM_ALIASES, "EnumAlises",
4829 samr_dissect_enum_dom_aliases_rqst,
4830 samr_dissect_enum_dom_aliases_reply },
4831 { SAMR_GET_ALIAS_MEMBERSHIP, "GetAliasMem",
4832 samr_dissect_get_alias_membership_rqst,
4833 samr_dissect_get_alias_membership_reply },
4834 { SAMR_LOOKUP_NAMES, "LookupNames",
4835 samr_dissect_lookup_names_rqst,
4836 samr_dissect_lookup_names_reply },
4837 { SAMR_LOOKUP_RIDS, "LookupRIDs",
4838 samr_dissect_lookup_rids_rqst,
4839 samr_dissect_lookup_rids_reply },
4840 { SAMR_OPEN_GROUP, "OpenGroup",
4841 samr_dissect_open_group_rqst,
4842 samr_dissect_open_group_reply },
4843 { SAMR_QUERY_GROUPINFO, "QueryGroupInfo",
4844 samr_dissect_query_information_group_rqst,
4845 samr_dissect_query_information_group_reply },
4846 { SAMR_SET_GROUPINFO, "SetGroupInfo",
4847 samr_dissect_set_information_group_rqst,
4848 samr_dissect_set_information_group_reply },
4849 { SAMR_ADD_GROUPMEM, "AddGroupMem",
4850 samr_dissect_add_member_to_group_rqst,
4851 samr_dissect_add_member_to_group_reply },
4852 { SAMR_DELETE_DOM_GROUP, "DeleteDomainGroup",
4853 samr_dissect_delete_dom_group_rqst,
4854 samr_dissect_delete_dom_group_reply },
4855 { SAMR_DEL_GROUPMEM, "RemoveGroupMem",
4856 samr_dissect_remove_member_from_group_rqst,
4857 samr_dissect_remove_member_from_group_reply },
4858 { SAMR_QUERY_GROUPMEM, "QueryGroupMem",
4859 samr_dissect_query_groupmem_rqst,
4860 samr_dissect_query_groupmem_reply },
4861 { SAMR_SET_MEMBER_ATTRIBUTES_OF_GROUP, "SetMemberAttrGroup",
4862 samr_dissect_set_member_attributes_of_group_rqst,
4863 samr_dissect_set_member_attributes_of_group_reply },
4864 { SAMR_OPEN_ALIAS, "OpenAlias",
4865 samr_dissect_open_alias_rqst,
4866 samr_dissect_open_alias_reply },
4867 { SAMR_QUERY_ALIASINFO, "QueryAliasInfo",
4868 samr_dissect_query_information_alias_rqst,
4869 samr_dissect_query_information_alias_reply },
4870 { SAMR_SET_ALIASINFO, "SetAliasInfo",
4871 samr_dissect_set_information_alias_rqst,
4872 samr_dissect_set_information_alias_reply },
4873 { SAMR_DELETE_DOM_ALIAS, "DeleteAlias",
4874 samr_dissect_delete_dom_alias_rqst,
4875 samr_dissect_delete_dom_alias_reply },
4876 { SAMR_ADD_ALIASMEM, "AddAliasMem",
4877 samr_dissect_add_alias_member_rqst,
4878 samr_dissect_add_alias_member_reply },
4879 { SAMR_DEL_ALIASMEM, "RemoveAliasMem",
4880 samr_dissect_remove_alias_member_rqst,
4881 samr_dissect_remove_alias_member_reply },
4882 { SAMR_GET_MEMBERS_IN_ALIAS, "GetAliasMem",
4883 samr_dissect_get_members_in_alias_rqst,
4884 samr_dissect_get_members_in_alias_reply },
4885 { SAMR_OPEN_USER, "OpenUser",
4886 samr_dissect_open_user_rqst,
4887 samr_dissect_open_user_reply },
4888 { SAMR_DELETE_DOM_USER, "DeleteUser",
4889 samr_dissect_delete_dom_user_rqst,
4890 samr_dissect_delete_dom_user_reply },
4891 { SAMR_QUERY_USERINFO, "QueryUserInfo",
4892 samr_dissect_query_information_user_rqst,
4893 samr_dissect_query_information_user_reply },
4894 { SAMR_SET_USERINFO2, "SetUserInfo2",
4895 samr_dissect_set_information_user2_rqst,
4896 samr_dissect_set_information_user2_reply },
4897 { SAMR_CHANGE_PASSWORD_USER, "ChangePassword",
4898 samr_dissect_change_password_user_rqst,
4899 samr_dissect_change_password_user_reply },
4900 { SAMR_GET_GROUPS_FOR_USER, "GetGroups",
4901 samr_dissect_get_groups_for_user_rqst,
4902 samr_dissect_get_groups_for_user_reply },
4903 { SAMR_QUERY_DISPINFO, "QueryDispinfo",
4904 samr_dissect_query_dispinfo_rqst,
4905 samr_dissect_query_dispinfo_reply },
4906 { SAMR_GET_DISPLAY_ENUMERATION_INDEX, "GetDispEnumNDX",
4907 samr_dissect_get_display_enumeration_index_rqst,
4908 samr_dissect_get_display_enumeration_index_reply },
4909 { SAMR_TEST_PRIVATE_FUNCTIONS_DOMAIN, "TestPrivateFnsDomain",
4910 samr_dissect_test_private_fns_domain_rqst,
4911 samr_dissect_test_private_fns_domain_reply },
4912 { SAMR_TEST_PRIVATE_FUNCTIONS_USER, "TestPrivateFnsUser",
4913 samr_dissect_test_private_fns_user_rqst,
4914 samr_dissect_test_private_fns_user_reply },
4915 { SAMR_GET_USRDOM_PWINFO, "GetUserDomPwInfo",
4916 samr_dissect_get_usrdom_pwinfo_rqst,
4917 samr_dissect_get_usrdom_pwinfo_reply },
4918 { SAMR_REMOVE_MEMBER_FROM_FOREIGN_DOMAIN, "RemoveMemberForeignDomain",
4919 samr_dissect_remove_member_from_foreign_domain_rqst,
4920 samr_dissect_remove_member_from_foreign_domain_reply },
4921 { SAMR_QUERY_INFORMATION_DOMAIN2, "QueryDomInfo2",
4922 samr_dissect_query_information_domain_rqst,
4923 samr_dissect_query_information_domain_reply },
4924 { SAMR_UNKNOWN_2f, "Unknown 0x2f",
4925 samr_dissect_unknown_2f_rqst,
4926 samr_dissect_unknown_2f_reply },
4927 { SAMR_QUERY_DISPINFO2, "QueryDispinfo2",
4928 samr_dissect_query_dispinfo_rqst,
4929 samr_dissect_query_dispinfo_reply },
4930 { SAMR_GET_DISPLAY_ENUMERATION_INDEX2, "GetDispEnumNDX2",
4931 samr_dissect_get_display_enumeration_index2_rqst,
4932 samr_dissect_get_display_enumeration_index2_reply },
4933 { SAMR_CREATE_USER2_IN_DOMAIN, "CreateUser2",
4934 samr_dissect_create_user2_in_domain_rqst,
4935 samr_dissect_create_user2_in_domain_reply },
4936 { SAMR_QUERY_DISPINFO3, "QueryDispinfo3",
4937 samr_dissect_query_dispinfo_rqst,
4938 samr_dissect_query_dispinfo_reply },
4939 { SAMR_ADD_MULTIPLE_MEMBERS_TO_ALIAS, "AddAliasMemMultiple",
4940 samr_dissect_add_multiple_members_to_alias_rqst,
4941 samr_dissect_add_multiple_members_to_alias_reply },
4942 { SAMR_REMOVE_MULTIPLE_MEMBERS_FROM_ALIAS, "RemoveAliasMemMultiple",
4943 samr_dissect_remove_multiple_members_from_alias_rqst,
4944 samr_dissect_remove_multiple_members_from_alias_reply },
4945 { SAMR_OEM_CHANGE_PASSWORD_USER2, "OEMChangePassword2",
4946 samr_dissect_oem_change_password_user2_rqst,
4947 samr_dissect_oem_change_password_user2_reply },
4948 { SAMR_UNICODE_CHANGE_PASSWORD_USER2, "UnicodeChangePassword2",
4949 samr_dissect_unicode_change_password_user2_rqst,
4950 samr_dissect_unicode_change_password_user2_reply },
4951 { SAMR_GET_DOM_PWINFO, "GetDomainPasswordInfo",
4952 samr_dissect_get_domain_password_information_rqst,
4953 samr_dissect_get_domain_password_information_reply },
4954 { SAMR_CONNECT2, "Connect2",
4955 samr_dissect_connect2_rqst,
4956 samr_dissect_connect2_reply },
4957 { SAMR_SET_USERINFO, "SetUserInfo",
4958 samr_dissect_set_information_user2_rqst,
4959 samr_dissect_set_information_user2_reply },
4960 { SAMR_UNKNOWN_3B, "Unknown 0x3b",
4961 samr_dissect_unknown_3b_rqst,
4962 samr_dissect_unknown_3b_reply },
4963 { SAMR_UNKNOWN_3C, "Unknown 0x3c",
4964 samr_dissect_unknown_3c_rqst,
4965 samr_dissect_unknown_3c_reply },
4966 { SAMR_CONNECT4, "Connect4",
4967 samr_dissect_connect4_rqst,
4968 samr_dissect_connect2_reply },
4969 {0, NULL, NULL, NULL }
4972 static const value_string samr_opnum_vals[] = {
4973 { SAMR_CONNECT, "SamrConnect" },
4974 { SAMR_CLOSE_HND, "Close" },
4975 { SAMR_SET_SEC_OBJECT, "SetSecObject" },
4976 { SAMR_QUERY_SEC_OBJECT, "QuerySecObject" },
4977 { SAMR_SHUTDOWN_SAM_SERVER, "ShutdownSamServer" },
4978 { SAMR_LOOKUP_DOMAIN, "LookupDomain" },
4979 { SAMR_ENUM_DOMAINS, "EnumDomains" },
4980 { SAMR_OPEN_DOMAIN, "OpenDomain" },
4981 { SAMR_QUERY_DOMAIN_INFO, "QueryDomainInfo" },
4982 { SAMR_SET_DOMAIN_INFO, "SetDomainInfo" },
4983 { SAMR_CREATE_DOM_GROUP, "CreateGroup" },
4984 { SAMR_ENUM_DOM_GROUPS, "EnumDomainGroups" },
4985 { SAMR_CREATE_USER_IN_DOMAIN, "CreateUser" },
4986 { SAMR_ENUM_DOM_USERS, "EnumDomainUsers" },
4987 { SAMR_CREATE_DOM_ALIAS, "CreateAlias" },
4988 { SAMR_ENUM_DOM_ALIASES, "EnumAlises" },
4989 { SAMR_GET_ALIAS_MEMBERSHIP, "GetAliasMem" },
4990 { SAMR_LOOKUP_NAMES, "LookupNames" },
4991 { SAMR_LOOKUP_RIDS, "LookupRIDs" },
4992 { SAMR_OPEN_GROUP, "OpenGroup" },
4993 { SAMR_QUERY_GROUPINFO, "QueryGroupInfo" },
4994 { SAMR_SET_GROUPINFO, "SetGroupInfo" },
4995 { SAMR_ADD_GROUPMEM, "AddGroupMem" },
4996 { SAMR_DELETE_DOM_GROUP, "DeleteDomainGroup" },
4997 { SAMR_DEL_GROUPMEM, "RemoveGroupMem" },
4998 { SAMR_QUERY_GROUPMEM, "QueryGroupMem" },
4999 { SAMR_SET_MEMBER_ATTRIBUTES_OF_GROUP, "SetMemberAttrGroup" },
5000 { SAMR_OPEN_ALIAS, "OpenAlias" },
5001 { SAMR_QUERY_ALIASINFO, "QueryAliasInfo" },
5002 { SAMR_SET_ALIASINFO, "SetAliasInfo" },
5003 { SAMR_DELETE_DOM_ALIAS, "DeleteAlias" },
5004 { SAMR_ADD_ALIASMEM, "AddAliasMem" },
5005 { SAMR_DEL_ALIASMEM, "RemoveAliasMem" },
5006 { SAMR_GET_MEMBERS_IN_ALIAS, "GetAliasMem" },
5007 { SAMR_OPEN_USER, "OpenUser" },
5008 { SAMR_DELETE_DOM_USER, "DeleteUser" },
5009 { SAMR_QUERY_USERINFO, "QueryUserInfo" },
5010 { SAMR_SET_USERINFO2, "SetUserInfo2" },
5011 { SAMR_CHANGE_PASSWORD_USER, "ChangePassword" },
5012 { SAMR_GET_GROUPS_FOR_USER, "GetGroups" },
5013 { SAMR_QUERY_DISPINFO, "QueryDispinfo" },
5014 { SAMR_GET_DISPLAY_ENUMERATION_INDEX, "GetDispEnumNDX" },
5015 { SAMR_TEST_PRIVATE_FUNCTIONS_DOMAIN, "TestPrivateFnsDomain" },
5016 { SAMR_TEST_PRIVATE_FUNCTIONS_USER, "TestPrivateFnsUser" },
5017 { SAMR_GET_USRDOM_PWINFO, "GetUserDomPwInfo" },
5018 { SAMR_REMOVE_MEMBER_FROM_FOREIGN_DOMAIN, "RemoveMemberForeignDomain" },
5019 { SAMR_QUERY_INFORMATION_DOMAIN2, "QueryDomInfo2" },
5020 { SAMR_UNKNOWN_2f, "Unknown 0x2f" },
5021 { SAMR_QUERY_DISPINFO2, "QueryDispinfo2" },
5022 { SAMR_GET_DISPLAY_ENUMERATION_INDEX2, "GetDispEnumNDX2" },
5023 { SAMR_CREATE_USER2_IN_DOMAIN, "CreateUser2" },
5024 { SAMR_QUERY_DISPINFO3, "QueryDispinfo3" },
5025 { SAMR_ADD_MULTIPLE_MEMBERS_TO_ALIAS, "AddAliasMemMultiple" },
5026 { SAMR_REMOVE_MULTIPLE_MEMBERS_FROM_ALIAS, "RemoveAliasMemMultiple" },
5027 { SAMR_OEM_CHANGE_PASSWORD_USER2, "OEMChangePassword2" },
5028 { SAMR_UNICODE_CHANGE_PASSWORD_USER2, "UnicodeChangePassword2" },
5029 { SAMR_GET_DOM_PWINFO, "GetDomainPasswordInfo" },
5030 { SAMR_CONNECT2, "Connect2" },
5031 { SAMR_SET_USERINFO, "SetUserInfo" },
5032 { SAMR_UNKNOWN_3B, "Unknown 0x3b" },
5033 { SAMR_UNKNOWN_3C, "Unknown 0x3c" },
5034 { SAMR_CONNECT3, "Connect3" },
5035 { SAMR_CONNECT4, "Connect4" },
5040 proto_register_dcerpc_samr(void)
5042 static hf_register_info hf[] = {
5045 { "Operation", "samr.opnum", FT_UINT16, BASE_DEC,
5046 VALS(samr_opnum_vals), 0x0, "Operation", HFILL }},
5049 { "Context Handle", "samr.hnd", FT_BYTES, BASE_NONE, NULL, 0x0, "", HFILL }},
5051 { "Group", "samr.group", FT_UINT32, BASE_DEC, NULL, 0x0, "Group", HFILL }},
5053 { "Rid", "samr.rid", FT_UINT32, BASE_DEC, NULL, 0x0, "RID", HFILL }},
5055 { "Type", "samr.type", FT_UINT32, BASE_HEX, NULL, 0x0, "Type", HFILL }},
5057 { "Alias", "samr.alias", FT_UINT32, BASE_HEX, NULL, 0x0, "Alias", HFILL }},
5058 { &hf_samr_rid_attrib,
5059 { "Rid Attrib", "samr.rid.attrib", FT_UINT32, BASE_HEX, NULL, 0x0, "", HFILL }},
5061 { "Attributes", "samr.attr", FT_UINT32, BASE_HEX, NULL, 0x0, "", HFILL }},
5063 { "Return code", "samr.rc", FT_UINT32, BASE_HEX, VALS (NT_errors), 0x0, "", HFILL }},
5066 { "Level", "samr.level", FT_UINT16, BASE_DEC,
5067 NULL, 0x0, "Level requested/returned for Information", HFILL }},
5068 { &hf_samr_start_idx,
5069 { "Start Idx", "samr.start_idx", FT_UINT32, BASE_DEC,
5070 NULL, 0x0, "Start Index for returned Information", HFILL }},
5073 { "Entries", "samr.entries", FT_UINT32, BASE_DEC,
5074 NULL, 0x0, "Number of entries to return", HFILL }},
5076 { &hf_samr_max_entries,
5077 { "Max Entries", "samr.max_entries", FT_UINT32, BASE_DEC,
5078 NULL, 0x0, "Maximum number of entries", HFILL }},
5080 { &hf_samr_pref_maxsize,
5081 { "Pref MaxSize", "samr.pref_maxsize", FT_UINT32, BASE_DEC,
5082 NULL, 0x0, "Maximum Size of data to return", HFILL }},
5084 { &hf_samr_total_size,
5085 { "Total Size", "samr.total_size", FT_UINT32, BASE_DEC,
5086 NULL, 0x0, "Total size of data", HFILL }},
5088 { &hf_samr_bad_pwd_count,
5089 { "Bad Pwd Count", "samr.bad_pwd_count", FT_UINT16, BASE_DEC,
5090 NULL, 0x0, "Number of bad pwd entries for this user", HFILL }},
5092 { &hf_samr_logon_count,
5093 { "Logon Count", "samr.logon_count", FT_UINT16, BASE_DEC,
5094 NULL, 0x0, "Number of logons for this user", HFILL }},
5096 { &hf_samr_ret_size,
5097 { "Returned Size", "samr.ret_size", FT_UINT32, BASE_DEC,
5098 NULL, 0x0, "Number of returned objects in this PDU", HFILL }},
5101 { "Index", "samr.index", FT_UINT32, BASE_DEC,
5102 NULL, 0x0, "Index", HFILL }},
5105 { "Count", "samr.count", FT_UINT32, BASE_DEC, NULL, 0x0, "Number of elements in following array", HFILL }},
5107 { &hf_samr_alias_name,
5108 { "Alias Name", "samr.alias_name", FT_STRING, BASE_NONE,
5109 NULL, 0, "Name of Alias", HFILL }},
5111 { &hf_samr_group_name,
5112 { "Group Name", "samr.group_name", FT_STRING, BASE_NONE,
5113 NULL, 0, "Name of Group", HFILL }},
5115 { &hf_samr_acct_name,
5116 { "Account Name", "samr.acct_name", FT_STRING, BASE_NONE,
5117 NULL, 0, "Name of Account", HFILL }},
5120 { "Server", "samr.server", FT_STRING, BASE_NONE,
5121 NULL, 0, "Name of Server", HFILL }},
5124 { "Domain", "samr.domain", FT_STRING, BASE_NONE,
5125 NULL, 0, "Name of Domain", HFILL }},
5127 { &hf_samr_controller,
5128 { "DC", "samr.dc", FT_STRING, BASE_NONE,
5129 NULL, 0, "Name of Domain Controller", HFILL }},
5131 { &hf_samr_full_name,
5132 { "Full Name", "samr.full_name", FT_STRING, BASE_NONE,
5133 NULL, 0, "Full Name of Account", HFILL }},
5136 { "Home", "samr.home", FT_STRING, BASE_NONE,
5137 NULL, 0, "Home directory for this user", HFILL }},
5139 { &hf_samr_home_drive,
5140 { "Home Drive", "samr.home_drive", FT_STRING, BASE_NONE,
5141 NULL, 0, "Home drive for this user", HFILL }},
5144 { "Script", "samr.script", FT_STRING, BASE_NONE,
5145 NULL, 0, "Login script for this user", HFILL }},
5147 { &hf_samr_workstations,
5148 { "Workstations", "samr.workstations", FT_STRING, BASE_NONE,
5149 NULL, 0, "", HFILL }},
5152 { "Profile", "samr.profile", FT_STRING, BASE_NONE,
5153 NULL, 0, "Profile for this user", HFILL }},
5155 { &hf_samr_acct_desc,
5156 { "Account Desc", "samr.acct_desc", FT_STRING, BASE_NONE,
5157 NULL, 0, "Account Description", HFILL }},
5160 { "Comment", "samr.comment", FT_STRING, BASE_NONE,
5161 NULL, 0, "Comment", HFILL }},
5163 { &hf_samr_parameters,
5164 { "Parameters", "samr.parameters", FT_STRING, BASE_NONE,
5165 NULL, 0, "Parameters", HFILL }},
5167 { &hf_samr_unknown_string,
5168 { "Unknown string", "samr.unknown_string", FT_STRING, BASE_NONE,
5169 NULL, 0, "Unknown string. If you know what this is, contact ethereal developers.", HFILL }},
5171 { &hf_samr_unknown_hyper,
5172 { "Unknown hyper", "samr.unknown.hyper", FT_UINT64, BASE_HEX,
5173 NULL, 0x0, "Unknown hyper. If you know what this is, contact ethereal developers.", HFILL }},
5174 { &hf_samr_unknown_long,
5175 { "Unknown long", "samr.unknown.long", FT_UINT32, BASE_HEX,
5176 NULL, 0x0, "Unknown long. If you know what this is, contact ethereal developers.", HFILL }},
5178 { &hf_samr_unknown_short,
5179 { "Unknown short", "samr.unknown.short", FT_UINT16, BASE_HEX,
5180 NULL, 0x0, "Unknown short. If you know what this is, contact ethereal developers.", HFILL }},
5182 { &hf_samr_unknown_char,
5183 { "Unknown char", "samr.unknown.char", FT_UINT8, BASE_HEX,
5184 NULL, 0x0, "Unknown char. If you know what this is, contact ethereal developers.", HFILL }},
5186 { &hf_samr_revision,
5187 { "Revision", "samr.revision", FT_UINT64, BASE_HEX,
5188 NULL, 0x0, "Revision number for this structure", HFILL }},
5190 { &hf_samr_nt_pwd_set,
5191 { "NT Pwd Set", "samr.nt_pwd_set", FT_UINT8, BASE_HEX,
5192 NULL, 0x0, "Flag indicating whether the NT password has been set", HFILL }},
5194 { &hf_samr_lm_pwd_set,
5195 { "LM Pwd Set", "samr.lm_pwd_set", FT_UINT8, BASE_HEX,
5196 NULL, 0x0, "Flag indicating whether the LanManager password has been set", HFILL }},
5198 { &hf_samr_pwd_expired,
5199 { "Expired flag", "samr.pwd_Expired", FT_UINT8, BASE_HEX,
5200 NULL, 0x0, "Flag indicating if the password for this account has expired or not", HFILL }},
5203 { "Access Mask", "samr.access", FT_UINT32, BASE_HEX,
5204 NULL, 0x0, "Access", HFILL }},
5206 { &hf_samr_access_granted,
5207 { "Access Granted", "samr.access_granted", FT_UINT32, BASE_HEX,
5208 NULL, 0x0, "Access Granted", HFILL }},
5211 { "Mask", "samr.mask", FT_UINT32, BASE_HEX,
5212 NULL, 0x0, "Mask", HFILL }},
5214 { &hf_samr_crypt_password, {
5215 "Password", "samr.crypt_password", FT_BYTES, BASE_HEX,
5216 NULL, 0, "Encrypted Password", HFILL }},
5218 { &hf_samr_crypt_hash, {
5219 "Hash", "samr.crypt_hash", FT_BYTES, BASE_HEX,
5220 NULL, 0, "Encrypted Hash", HFILL }},
5222 { &hf_samr_lm_verifier, {
5223 "Verifier", "samr.lm_password_verifier", FT_BYTES, BASE_HEX,
5224 NULL, 0, "Lan Manager Password Verifier", HFILL }},
5226 { &hf_samr_nt_verifier, {
5227 "Verifier", "samr.nt_password_verifier", FT_BYTES, BASE_HEX,
5228 NULL, 0, "NT Password Verifier", HFILL }},
5230 { &hf_samr_lm_passchange_block, {
5231 "Encrypted Block", "samr.lm_passchange_block", FT_BYTES,
5232 BASE_HEX, NULL, 0, "Lan Manager Password Change Block",
5235 { &hf_samr_nt_passchange_block, {
5236 "Encrypted Block", "samr.nt_passchange_block", FT_BYTES,
5237 BASE_HEX, NULL, 0, "NT Password Change Block", HFILL }},
5239 { &hf_samr_nt_passchange_block_decrypted, {
5240 "Decrypted Block", "samr.nt_passchange_block_decrypted",
5241 FT_BYTES, BASE_HEX, NULL, 0,
5242 "NT Password Change Decrypted Block", HFILL }},
5244 { &hf_samr_nt_passchange_block_newpass, {
5245 "New NT Password", "samr.nt_passchange_block_new_ntpassword",
5246 FT_STRING, BASE_NONE, NULL, 0, "New NT Password", HFILL }},
5248 { &hf_samr_nt_passchange_block_newpass_len, {
5249 "New NT Unicode Password length",
5250 "samr.nt_passchange_block_new_ntpassword_len", FT_UINT32,
5251 BASE_DEC, NULL, 0, "New NT Password Unicode Length", HFILL }},
5253 { &hf_samr_nt_passchange_block_pseudorandom, {
5254 "Pseudorandom data", "samr.nt_passchange_block_pseudorandom",
5255 FT_BYTES, BASE_HEX, NULL, 0, "Pseudorandom data", HFILL }},
5257 { &hf_samr_lm_change, {
5258 "LM Change", "samr.lm_change", FT_UINT8, BASE_HEX,
5259 NULL, 0, "LM Change value", HFILL }},
5261 { &hf_samr_max_pwd_age,
5262 { "Max Pwd Age", "samr.max_pwd_age", FT_RELATIVE_TIME, BASE_NONE,
5263 NULL, 0, "Maximum Password Age before it expires", HFILL }},
5265 { &hf_samr_min_pwd_age,
5266 { "Min Pwd Age", "samr.min_pwd_age", FT_RELATIVE_TIME, BASE_NONE,
5267 NULL, 0, "Minimum Password Age before it can be changed", HFILL }},
5268 { &hf_samr_unknown_time,
5269 { "Unknown time", "samr.unknown_time", FT_ABSOLUTE_TIME, BASE_NONE,
5270 NULL, 0, "Unknown NT TIME, contact ethereal developers if you know what this is", HFILL }},
5271 { &hf_samr_logon_time,
5272 { "Logon Time", "samr.logon_time", FT_ABSOLUTE_TIME, BASE_NONE,
5273 NULL, 0, "Time for last time this user logged on", HFILL }},
5274 { &hf_samr_kickoff_time,
5275 { "Kickoff Time", "samr.kickoff_time", FT_ABSOLUTE_TIME, BASE_NONE,
5276 NULL, 0, "Time when this user will be kicked off", HFILL }},
5277 { &hf_samr_logoff_time,
5278 { "Logoff Time", "samr.logoff_time", FT_ABSOLUTE_TIME, BASE_NONE,
5279 NULL, 0, "Time for last time this user logged off", HFILL }},
5280 { &hf_samr_pwd_last_set_time,
5281 { "PWD Last Set", "samr.pwd_last_set_time", FT_ABSOLUTE_TIME, BASE_NONE,
5282 NULL, 0, "Last time this users password was changed", HFILL }},
5283 { &hf_samr_pwd_can_change_time,
5284 { "PWD Can Change", "samr.pwd_can_change_time", FT_ABSOLUTE_TIME, BASE_NONE,
5285 NULL, 0, "When this users password may be changed", HFILL }},
5286 { &hf_samr_pwd_must_change_time,
5287 { "PWD Must Change", "samr.pwd_must_change_time", FT_ABSOLUTE_TIME, BASE_NONE,
5288 NULL, 0, "When this users password must be changed", HFILL }},
5289 { &hf_samr_acct_expiry_time,
5290 { "Acct Expiry", "samr.acct_expiry_time", FT_ABSOLUTE_TIME, BASE_NONE,
5291 NULL, 0, "When this user account expires", HFILL }},
5293 { &hf_samr_min_pwd_len, {
5294 "Min Pwd Len", "samr.min_pwd_len", FT_UINT16, BASE_DEC,
5295 NULL, 0, "Minimum Password Length", HFILL }},
5296 { &hf_samr_pwd_history_len, {
5297 "Pwd History Len", "samr.pwd_history_len", FT_UINT16, BASE_DEC,
5298 NULL, 0, "Password History Length", HFILL }},
5299 { &hf_samr_num_users, {
5300 "Num Users", "samr.num_users", FT_UINT32, BASE_DEC,
5301 NULL, 0, "Number of users in this domain", HFILL }},
5302 { &hf_samr_num_groups, {
5303 "Num Groups", "samr.num_groups", FT_UINT32, BASE_DEC,
5304 NULL, 0, "Number of groups in this domain", HFILL }},
5305 { &hf_samr_num_aliases, {
5306 "Num Aliases", "samr.num_aliases", FT_UINT32, BASE_DEC,
5307 NULL, 0, "Number of aliases in this domain", HFILL }},
5308 { &hf_samr_info_type, {
5309 "Info Type", "samr.info_type", FT_UINT32, BASE_DEC,
5310 NULL, 0, "Information Type", HFILL }},
5311 { &hf_samr_resume_hnd, {
5312 "Resume Hnd", "samr.resume_hnd", FT_UINT32, BASE_DEC,
5313 NULL, 0, "Resume handle", HFILL }},
5314 { &hf_samr_country, {
5315 "Country", "samr.country", FT_UINT16, BASE_DEC,
5316 VALS(ms_country_codes), 0, "Country setting for this user", HFILL }},
5317 { &hf_samr_codepage, {
5318 "Codepage", "samr.codepage", FT_UINT16, BASE_DEC,
5319 NULL, 0, "Codepage setting for this user", HFILL }},
5320 { &hf_samr_divisions, {
5321 "Divisions", "samr.divisions", FT_UINT16, BASE_DEC,
5322 NULL, 0, "Number of divisions for LOGON_HOURS", HFILL }},
5324 /* these are used by packet-dcerpc-nt.c */
5325 { &hf_nt_string_length,
5326 { "Length", "nt.string.length", FT_UINT16, BASE_DEC,
5327 NULL, 0x0, "Length of string in bytes", HFILL }},
5329 { &hf_nt_string_size,
5330 { "Size", "nt.string.size", FT_UINT16, BASE_DEC,
5331 NULL, 0x0, "Size of string in bytes", HFILL }},
5334 { "Length", "nt.str.len", FT_UINT32, BASE_DEC,
5335 NULL, 0x0, "Length of string in short integers", HFILL }},
5338 { "Offset", "nt.str.offset", FT_UINT32, BASE_DEC,
5339 NULL, 0x0, "Offset into string in short integers", HFILL }},
5341 { &hf_nt_str_max_len,
5342 { "Max Length", "nt.str.max_len", FT_UINT32, BASE_DEC,
5343 NULL, 0x0, "Max Length of string in short integers", HFILL }},
5346 { "Acct Ctrl", "nt.acct_ctrl", FT_UINT32, BASE_HEX,
5347 NULL, 0x0, "Acct CTRL", HFILL }},
5349 { &hf_nt_acb_disabled, {
5350 "", "nt.acb.disabled", FT_BOOLEAN, 32,
5351 TFS(&tfs_nt_acb_disabled), 0x0001, "If this account is enabled or disabled", HFILL }},
5353 { &hf_nt_acb_homedirreq, {
5354 "", "nt.acb.homedirreq", FT_BOOLEAN, 32,
5355 TFS(&tfs_nt_acb_homedirreq), 0x0002, "Is hom,edirs required for this account?", HFILL }},
5357 { &hf_nt_acb_pwnotreq, {
5358 "", "nt.acb.pwnotreq", FT_BOOLEAN, 32,
5359 TFS(&tfs_nt_acb_pwnotreq), 0x0004, "If a password is required for this account?", HFILL }},
5361 { &hf_nt_acb_tempdup, {
5362 "", "nt.acb.tempdup", FT_BOOLEAN, 32,
5363 TFS(&tfs_nt_acb_tempdup), 0x0008, "If this is a temporary duplicate account", HFILL }},
5365 { &hf_nt_acb_normal, {
5366 "", "nt.acb.normal", FT_BOOLEAN, 32,
5367 TFS(&tfs_nt_acb_normal), 0x0010, "If this is a normal user account", HFILL }},
5370 "", "nt.acb.mns", FT_BOOLEAN, 32,
5371 TFS(&tfs_nt_acb_mns), 0x0020, "MNS logon user account", HFILL }},
5373 { &hf_nt_acb_domtrust, {
5374 "", "nt.acb.domtrust", FT_BOOLEAN, 32,
5375 TFS(&tfs_nt_acb_domtrust), 0x0040, "Interdomain trust account", HFILL }},
5377 { &hf_nt_acb_wstrust, {
5378 "", "nt.acb.wstrust", FT_BOOLEAN, 32,
5379 TFS(&tfs_nt_acb_wstrust), 0x0080, "Workstation trust account", HFILL }},
5381 { &hf_nt_acb_svrtrust, {
5382 "", "nt.acb.svrtrust", FT_BOOLEAN, 32,
5383 TFS(&tfs_nt_acb_svrtrust), 0x0100, "Server trust account", HFILL }},
5385 { &hf_nt_acb_pwnoexp, {
5386 "", "nt.acb.pwnoexp", FT_BOOLEAN, 32,
5387 TFS(&tfs_nt_acb_pwnoexp), 0x0200, "If this account expires or not", HFILL }},
5389 { &hf_nt_acb_autolock, {
5390 "", "nt.acb.autolock", FT_BOOLEAN, 32,
5391 TFS(&tfs_nt_acb_autolock), 0x0400, "If this account has been autolocked", HFILL }},
5393 /* Object specific access rights */
5395 { &hf_access_domain_lookup_info1,
5396 { "Lookup info1", "samr_access_mask.domain_lookup_info1",
5397 FT_BOOLEAN, 32, TFS(&flags_set_truth),
5398 DOMAIN_ACCESS_LOOKUP_INFO_1, "Lookup info1", HFILL }},
5400 { &hf_access_domain_set_info1,
5401 { "Set info1", "samr_access_mask.domain_set_info1",
5402 FT_BOOLEAN, 32, TFS(&flags_set_truth),
5403 DOMAIN_ACCESS_SET_INFO_1, "Set info1", HFILL }},
5405 { &hf_access_domain_lookup_info2,
5406 { "Lookup info2", "samr_access_mask.domain_lookup_info2",
5407 FT_BOOLEAN, 32, TFS(&flags_set_truth),
5408 DOMAIN_ACCESS_LOOKUP_INFO_2, "Lookup info2", HFILL }},
5410 { &hf_access_domain_set_info2,
5411 { "Set info2", "samr_access_mask.domain_set_info2",
5412 FT_BOOLEAN, 32, TFS(&flags_set_truth),
5413 DOMAIN_ACCESS_SET_INFO_2, "Set info2", HFILL }},
5415 { &hf_access_domain_create_user,
5416 { "Create user", "samr_access_mask.domain_create_user",
5417 FT_BOOLEAN, 32, TFS(&flags_set_truth),
5418 DOMAIN_ACCESS_CREATE_USER, "Create user", HFILL }},
5420 { &hf_access_domain_create_group,
5421 { "Create group", "samr_access_mask.domain_create_group",
5422 FT_BOOLEAN, 32, TFS(&flags_set_truth),
5423 DOMAIN_ACCESS_CREATE_GROUP, "Create group", HFILL }},
5425 { &hf_access_domain_create_alias,
5426 { "Create alias", "samr_access_mask.domain_create_alias",
5427 FT_BOOLEAN, 32, TFS(&flags_set_truth),
5428 DOMAIN_ACCESS_CREATE_ALIAS, "Create alias", HFILL }},
5430 { &hf_access_domain_unknown_80,
5431 { "Unknown 0x80", "samr_access_mask.domain_unknown_80",
5432 FT_BOOLEAN, 32, TFS(&flags_set_truth),
5433 DOMAIN_ACCESS_UNKNOWN_80, "Unknown 0x80", HFILL }},
5435 { &hf_access_domain_enum_accounts,
5436 { "Enum accounts", "samr_access_mask.domain_enum_accounts",
5437 FT_BOOLEAN, 32, TFS(&flags_set_truth),
5438 DOMAIN_ACCESS_ENUM_ACCOUNTS, "Enum accounts", HFILL }},
5440 { &hf_access_domain_open_account,
5441 { "Open account", "samr_access_mask.domain_open_account",
5442 FT_BOOLEAN, 32, TFS(&flags_set_truth),
5443 DOMAIN_ACCESS_OPEN_ACCOUNT, "Open account", HFILL }},
5445 { &hf_access_domain_set_info3,
5446 { "Set info3", "samr_access_mask.domain_set_info3",
5447 FT_BOOLEAN, 32, TFS(&flags_set_truth),
5448 DOMAIN_ACCESS_SET_INFO_3, "Set info3", HFILL }},
5450 { &hf_access_user_get_name_etc,
5451 { "Get name, etc", "samr_access_mask.user_get_name_etc",
5452 FT_BOOLEAN, 32, TFS(&flags_set_truth),
5453 USER_ACCESS_GET_NAME_ETC, "Get name, etc", HFILL }},
5455 { &hf_access_user_get_locale,
5456 { "Get locale", "samr_access_mask.user_get_locale",
5457 FT_BOOLEAN, 32, TFS(&flags_set_truth),
5458 USER_ACCESS_GET_LOCALE, "Get locale", HFILL }},
5460 { &hf_access_user_get_loc_com,
5461 { "Set loc com", "samr_access_mask.user_set_loc_com",
5462 FT_BOOLEAN, 32, TFS(&flags_set_truth),
5463 USER_ACCESS_SET_LOC_COM, "Set loc com", HFILL }},
5465 { &hf_access_user_get_logoninfo,
5466 { "Get logon info", "samr_access_mask.user_get_logoninfo",
5467 FT_BOOLEAN, 32, TFS(&flags_set_truth),
5468 USER_ACCESS_GET_LOGONINFO, "Get logon info", HFILL }},
5470 { &hf_access_user_unknown_10,
5471 { "Unknown 0x10", "samr_access_mask.user_unknown_10",
5472 FT_BOOLEAN, 32, TFS(&flags_set_truth),
5473 USER_ACCESS_UNKNOWN_10, "Unknown 0x10", HFILL }},
5475 { &hf_access_user_set_attributes,
5476 { "Set attributes", "samr_access_mask.user_set_attributes",
5477 FT_BOOLEAN, 32, TFS(&flags_set_truth),
5478 USER_ACCESS_SET_ATTRIBUTES, "Set attributes", HFILL }},
5480 { &hf_access_user_change_password,
5481 { "Change password", "samr_access_mask.user_change_password",
5482 FT_BOOLEAN, 32, TFS(&flags_set_truth),
5483 USER_ACCESS_CHANGE_PASSWORD, "Change password", HFILL }},
5485 { &hf_access_user_set_password,
5486 { "Set password", "samr_access_mask.user_set_password",
5487 FT_BOOLEAN, 32, TFS(&flags_set_truth),
5488 USER_ACCESS_SET_PASSWORD, "Set password", HFILL }},
5490 { &hf_access_user_get_groups,
5491 { "Get groups", "samr_access_mask.user_get_groups",
5492 FT_BOOLEAN, 32, TFS(&flags_set_truth),
5493 USER_ACCESS_GET_GROUPS, "Get groups", HFILL }},
5495 { &hf_access_user_unknown_200,
5496 { "Unknown 0x200", "samr_access_mask.user_unknown_200",
5497 FT_BOOLEAN, 32, TFS(&flags_set_truth),
5498 USER_ACCESS_UNKNOWN_200, "Unknown 0x200", HFILL }},
5500 { &hf_access_user_unknown_400,
5501 { "Unknown 0x400", "samr_access_mask.user_unknown_400",
5502 FT_BOOLEAN, 32, TFS(&flags_set_truth),
5503 USER_ACCESS_UNKNOWN_400, "Unknown 0x400", HFILL }},
5505 { &hf_access_group_lookup_info,
5506 { "Lookup info", "samr_access_mask.group_lookup_info",
5507 FT_BOOLEAN, 32, TFS(&flags_set_truth),
5508 GROUP_ACCESS_LOOKUP_INFO, "Lookup info", HFILL }},
5510 { &hf_access_group_set_info,
5511 { "Get info", "samr_access_mask.group_set_info",
5512 FT_BOOLEAN, 32, TFS(&flags_set_truth),
5513 GROUP_ACCESS_SET_INFO, "Get info", HFILL }},
5515 { &hf_access_group_add_member,
5516 { "Add member", "samr_access_mask.group_add_member",
5517 FT_BOOLEAN, 32, TFS(&flags_set_truth),
5518 GROUP_ACCESS_ADD_MEMBER, "Add member", HFILL }},
5520 { &hf_access_group_remove_member,
5521 { "Remove member", "samr_access_mask.group_remove_member",
5522 FT_BOOLEAN, 32, TFS(&flags_set_truth),
5523 GROUP_ACCESS_REMOVE_MEMBER, "Remove member", HFILL }},
5525 { &hf_access_group_get_members,
5526 { "Get members", "samr_access_mask.group_get_members",
5527 FT_BOOLEAN, 32, TFS(&flags_set_truth),
5528 GROUP_ACCESS_GET_MEMBERS, "Get members", HFILL }},
5530 { &hf_access_alias_add_member,
5531 { "Add member", "samr_access_mask.alias_add_member",
5532 FT_BOOLEAN, 32, TFS(&flags_set_truth),
5533 ALIAS_ACCESS_ADD_MEMBER, "Add member", HFILL }},
5535 { &hf_access_alias_remove_member,
5536 { "Remove member", "samr_access_mask.alias_remove_member",
5537 FT_BOOLEAN, 32, TFS(&flags_set_truth),
5538 ALIAS_ACCESS_REMOVE_MEMBER, "Remove member", HFILL }},
5540 { &hf_access_alias_get_members,
5541 { "Get members", "samr_access_mask.alias_get_members",
5542 FT_BOOLEAN, 32, TFS(&flags_set_truth),
5543 ALIAS_ACCESS_GET_MEMBERS, "Get members", HFILL }},
5545 { &hf_access_alias_lookup_info,
5546 { "Lookup info", "samr_access_mask.alias_lookup_info",
5547 FT_BOOLEAN, 32, TFS(&flags_set_truth),
5548 ALIAS_ACCESS_LOOKUP_INFO, "Lookup info", HFILL }},
5550 { &hf_access_alias_set_info,
5551 { "Set info", "samr_access_mask.alias_set_info",
5552 FT_BOOLEAN, 32, TFS(&flags_set_truth),
5553 ALIAS_ACCESS_SET_INFO, "Set info", HFILL }},
5555 { &hf_access_connect_unknown_01,
5556 { "Unknown 0x01", "samr_access_mask.connect_unknown_01",
5557 FT_BOOLEAN, 32, TFS(&flags_set_truth),
5558 SAMR_ACCESS_UNKNOWN_1, "Unknown 0x01", HFILL }},
5560 { &hf_access_connect_shutdown_server,
5561 { "Shutdown server", "samr_access_mask.connect_shutdown_server",
5562 FT_BOOLEAN, 32, TFS(&flags_set_truth),
5563 SAMR_ACCESS_SHUTDOWN_SERVER, "Shutdown server", HFILL }},
5565 { &hf_access_connect_unknown_04,
5566 { "Unknown 0x04", "samr_access_mask.connect_unknown_04",
5567 FT_BOOLEAN, 32, TFS(&flags_set_truth),
5568 SAMR_ACCESS_UNKNOWN_4, "Unknown 0x04", HFILL }},
5570 { &hf_access_connect_unknown_08,
5571 { "Unknown 0x08", "samr_access_mask.connect_unknown_08",
5572 FT_BOOLEAN, 32, TFS(&flags_set_truth),
5573 SAMR_ACCESS_UNKNOWN_8, "Unknown 0x08", HFILL }},
5575 { &hf_access_connect_enum_domains,
5576 { "Enum domains", "samr_access_mask.connect_enum_domains",
5577 FT_BOOLEAN, 32, TFS(&flags_set_truth),
5578 SAMR_ACCESS_ENUM_DOMAINS, "Enum domains", HFILL }},
5580 { &hf_access_connect_open_domain,
5581 { "Open domain", "samr_access_mask.connect_open_domain",
5582 FT_BOOLEAN, 32, TFS(&flags_set_truth),
5583 SAMR_ACCESS_OPEN_DOMAIN, "Open domain", HFILL }}
5587 static gint *ett[] = {
5589 &ett_samr_user_dispinfo_1,
5590 &ett_samr_user_dispinfo_1_array,
5591 &ett_samr_user_dispinfo_2,
5592 &ett_samr_user_dispinfo_2_array,
5593 &ett_samr_group_dispinfo,
5594 &ett_samr_group_dispinfo_array,
5595 &ett_samr_ascii_dispinfo,
5596 &ett_samr_ascii_dispinfo_array,
5597 &ett_samr_display_info,
5598 &ett_samr_password_info,
5600 &ett_samr_user_group,
5601 &ett_samr_user_group_array,
5602 &ett_samr_alias_info,
5603 &ett_samr_group_info,
5604 &ett_samr_domain_info_1,
5605 &ett_samr_domain_info_2,
5606 &ett_samr_domain_info_8,
5607 &ett_samr_replication_status,
5608 &ett_samr_domain_info_11,
5609 &ett_samr_domain_info_13,
5610 &ett_samr_domain_info,
5611 &ett_samr_sid_pointer,
5612 &ett_samr_sid_array,
5613 &ett_samr_index_array,
5614 &ett_samr_idx_and_name,
5615 &ett_samr_idx_and_name_array,
5616 &ett_samr_logon_hours,
5617 &ett_samr_logon_hours_hours,
5618 &ett_samr_user_info_1,
5619 &ett_samr_user_info_2,
5620 &ett_samr_user_info_3,
5621 &ett_samr_user_info_5,
5622 &ett_samr_user_info_6,
5623 &ett_samr_user_info_18,
5624 &ett_samr_user_info_19,
5625 &ett_samr_buffer_buffer,
5627 &ett_samr_user_info_21,
5628 &ett_samr_user_info_22,
5629 &ett_samr_user_info_23,
5630 &ett_samr_user_info_24,
5631 &ett_samr_user_info,
5632 &ett_samr_member_array_types,
5633 &ett_samr_member_array_rids,
5634 &ett_samr_member_array,
5637 &ett_samr_sid_and_attributes_array,
5638 &ett_samr_sid_and_attributes,
5641 module_t *dcerpc_samr_module;
5643 proto_dcerpc_samr = proto_register_protocol(
5644 "Microsoft Security Account Manager", "SAMR", "samr");
5646 proto_register_field_array (proto_dcerpc_samr, hf, array_length (hf));
5647 proto_register_subtree_array(ett, array_length(ett));
5649 dcerpc_samr_module = prefs_register_protocol(proto_dcerpc_samr, NULL);
5651 prefs_register_string_preference(dcerpc_samr_module, "nt_password",
5653 "NT Password (used to verify password changes)",
5658 proto_reg_handoff_dcerpc_samr(void)
5660 /* Register protocol as dcerpc */
5662 dcerpc_init_uuid(proto_dcerpc_samr, ett_dcerpc_samr, &uuid_dcerpc_samr,
5663 ver_dcerpc_samr, dcerpc_samr_dissectors, hf_samr_opnum);