2 Unix SMB/CIFS implementation.
4 Copyright (C) Tim Potter 2000-2001,
5 Copyright (C) Andrew Tridgell 1992-1997,2000,
6 Copyright (C) Rafal Szczesniak 2002
7 Copyright (C) Jeremy Allison 2005.
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 /** @defgroup lsa LSA - Local Security Architecture
34 * RPC client routines for the LSA RPC pipe. LSA means "local
35 * security authority", which is half of a password database.
38 /** Open a LSA policy handle
40 * @param cli Handle on an initialised SMB connection */
42 NTSTATUS rpccli_lsa_open_policy(struct rpc_pipe_client *cli,
44 BOOL sec_qos, uint32 des_access,
47 prs_struct qbuf, rbuf;
56 /* Initialise input parameters */
59 init_lsa_sec_qos(&qos, 2, 1, 0);
60 init_q_open_pol(&q, '\\', 0, des_access, &qos);
62 init_q_open_pol(&q, '\\', 0, des_access, NULL);
65 /* Marshall data and send request */
67 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_OPENPOLICY,
72 NT_STATUS_UNSUCCESSFUL );
74 /* Return output parameters */
78 if (NT_STATUS_IS_OK(result)) {
85 /** Open a LSA policy handle
87 * @param cli Handle on an initialised SMB connection
90 NTSTATUS rpccli_lsa_open_policy2(struct rpc_pipe_client *cli,
91 TALLOC_CTX *mem_ctx, BOOL sec_qos,
92 uint32 des_access, POLICY_HND *pol)
94 prs_struct qbuf, rbuf;
99 char *srv_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", cli->cli->desthost);
105 init_lsa_sec_qos(&qos, 2, 1, 0);
106 init_q_open_pol2(&q, srv_name_slash, 0, des_access, &qos);
108 init_q_open_pol2(&q, srv_name_slash, 0, des_access, NULL);
111 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_OPENPOLICY2,
116 NT_STATUS_UNSUCCESSFUL );
118 /* Return output parameters */
122 if (NT_STATUS_IS_OK(result)) {
129 /* Lookup a list of sids
131 * internal version withOUT memory allocation of the target arrays.
132 * this assumes suffciently sized arrays to store domains, names and types. */
134 static NTSTATUS rpccli_lsa_lookup_sids_noalloc(struct rpc_pipe_client *cli,
141 enum lsa_SidType *types)
143 prs_struct qbuf, rbuf;
147 NTSTATUS result = NT_STATUS_OK;
148 TALLOC_CTX *tmp_ctx = NULL;
151 tmp_ctx = talloc_new(mem_ctx);
153 DEBUG(0, ("rpccli_lsa_lookup_sids_noalloc: out of memory!\n"));
154 result = NT_STATUS_UNSUCCESSFUL;
161 init_q_lookup_sids(tmp_ctx, &q, pol, num_sids, sids, 1);
167 CLI_DO_RPC( cli, tmp_ctx, PI_LSARPC, LSA_LOOKUPSIDS,
170 lsa_io_q_lookup_sids,
171 lsa_io_r_lookup_sids,
172 NT_STATUS_UNSUCCESSFUL );
174 DEBUG(10, ("LSA_LOOKUPSIDS returned '%s', mapped count = %d'\n",
175 nt_errstr(r.status), r.mapped_count));
177 if (!NT_STATUS_IS_OK(r.status) &&
178 !NT_STATUS_EQUAL(r.status, NT_STATUS_NONE_MAPPED) &&
179 !NT_STATUS_EQUAL(r.status, STATUS_SOME_UNMAPPED))
181 /* An actual error occured */
186 /* Return output parameters */
188 if (NT_STATUS_EQUAL(r.status, NT_STATUS_NONE_MAPPED) ||
189 (r.mapped_count == 0))
191 for (i = 0; i < num_sids; i++) {
194 (types)[i] = SID_NAME_UNKNOWN;
196 result = NT_STATUS_NONE_MAPPED;
200 for (i = 0; i < num_sids; i++) {
201 fstring name, dom_name;
202 uint32 dom_idx = r.names.name[i].domain_idx;
204 /* Translate optimised name through domain index array */
206 if (dom_idx != 0xffffffff) {
208 rpcstr_pull_unistr2_fstring(
209 dom_name, &ref.ref_dom[dom_idx].uni_dom_name);
210 rpcstr_pull_unistr2_fstring(
211 name, &r.names.uni_name[i]);
213 (names)[i] = talloc_strdup(mem_ctx, name);
214 (domains)[i] = talloc_strdup(mem_ctx, dom_name);
215 (types)[i] = (enum lsa_SidType)r.names.name[i].sid_name_use;
217 if (((names)[i] == NULL) || ((domains)[i] == NULL)) {
218 DEBUG(0, ("cli_lsa_lookup_sids_noalloc(): out of memory\n"));
219 result = NT_STATUS_UNSUCCESSFUL;
226 (types)[i] = SID_NAME_UNKNOWN;
231 TALLOC_FREE(tmp_ctx);
235 /* Lookup a list of sids
237 * do it the right way: there is a limit (of 20480 for w2k3) entries
238 * returned by this call. when the sids list contains more entries,
239 * empty lists are returned. This version of lsa_lookup_sids passes
240 * the list of sids in hunks of LOOKUP_SIDS_HUNK_SIZE to the lsa call. */
242 /* This constant defines the limit of how many sids to look up
243 * in one call (maximum). the limit from the server side is
244 * at 20480 for win2k3, but we keep it at a save 1000 for now. */
245 #define LOOKUP_SIDS_HUNK_SIZE 1000
247 NTSTATUS rpccli_lsa_lookup_sids_all(struct rpc_pipe_client *cli,
254 enum lsa_SidType **types)
256 NTSTATUS result = NT_STATUS_OK;
258 int sids_processed = 0;
259 const DOM_SID *hunk_sids = sids;
260 char **hunk_domains = NULL;
261 char **hunk_names = NULL;
262 enum lsa_SidType *hunk_types = NULL;
265 if (!((*domains) = TALLOC_ARRAY(mem_ctx, char *, num_sids))) {
266 DEBUG(0, ("rpccli_lsa_lookup_sids_all(): out of memory\n"));
267 result = NT_STATUS_NO_MEMORY;
271 if (!((*names) = TALLOC_ARRAY(mem_ctx, char *, num_sids))) {
272 DEBUG(0, ("rpccli_lsa_lookup_sids_all(): out of memory\n"));
273 result = NT_STATUS_NO_MEMORY;
277 if (!((*types) = TALLOC_ARRAY(mem_ctx, enum lsa_SidType, num_sids))) {
278 DEBUG(0, ("rpccli_lsa_lookup_sids_all(): out of memory\n"));
279 result = NT_STATUS_NO_MEMORY;
288 sids_left = num_sids;
289 hunk_domains = *domains;
293 while (sids_left > 0) {
295 NTSTATUS hunk_result = NT_STATUS_OK;
297 hunk_num_sids = ((sids_left > LOOKUP_SIDS_HUNK_SIZE)
298 ? LOOKUP_SIDS_HUNK_SIZE
301 DEBUG(10, ("rpccli_lsa_lookup_sids_all: processing items "
304 sids_processed + hunk_num_sids - 1,
307 hunk_result = rpccli_lsa_lookup_sids_noalloc(cli,
316 if (!NT_STATUS_IS_OK(hunk_result) &&
317 !NT_STATUS_EQUAL(hunk_result, STATUS_SOME_UNMAPPED) &&
318 !NT_STATUS_EQUAL(hunk_result, NT_STATUS_NONE_MAPPED))
320 /* An actual error occured */
321 result = hunk_result;
325 /* adapt overall result */
326 if (( NT_STATUS_IS_OK(result) &&
327 !NT_STATUS_IS_OK(hunk_result))
329 ( NT_STATUS_EQUAL(result, NT_STATUS_NONE_MAPPED) &&
330 !NT_STATUS_EQUAL(hunk_result, NT_STATUS_NONE_MAPPED)))
332 result = STATUS_SOME_UNMAPPED;
335 sids_left -= hunk_num_sids;
336 sids_processed += hunk_num_sids; /* only used in DEBUG */
337 hunk_sids += hunk_num_sids;
338 hunk_domains += hunk_num_sids;
339 hunk_names += hunk_num_sids;
340 hunk_types += hunk_num_sids;
346 TALLOC_FREE(*domains);
352 /** Lookup a list of sids */
354 NTSTATUS rpccli_lsa_lookup_sids(struct rpc_pipe_client *cli,
356 POLICY_HND *pol, int num_sids,
360 enum lsa_SidType **types)
362 prs_struct qbuf, rbuf;
366 NTSTATUS result = NT_STATUS_OK;
372 init_q_lookup_sids(mem_ctx, &q, pol, num_sids, sids, 1);
378 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_LOOKUPSIDS,
381 lsa_io_q_lookup_sids,
382 lsa_io_r_lookup_sids,
383 NT_STATUS_UNSUCCESSFUL );
385 if (!NT_STATUS_IS_OK(r.status) &&
386 !NT_STATUS_EQUAL(r.status, STATUS_SOME_UNMAPPED)) {
388 /* An actual error occured */
394 /* Return output parameters */
396 if (r.mapped_count == 0) {
397 result = NT_STATUS_NONE_MAPPED;
402 if (!((*domains) = TALLOC_ARRAY(mem_ctx, char *, num_sids))) {
403 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
404 result = NT_STATUS_NO_MEMORY;
408 if (!((*names) = TALLOC_ARRAY(mem_ctx, char *, num_sids))) {
409 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
410 result = NT_STATUS_NO_MEMORY;
414 if (!((*types) = TALLOC_ARRAY(mem_ctx, enum lsa_SidType, num_sids))) {
415 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
416 result = NT_STATUS_NO_MEMORY;
425 for (i = 0; i < num_sids; i++) {
426 fstring name, dom_name;
427 uint32 dom_idx = r.names.name[i].domain_idx;
429 /* Translate optimised name through domain index array */
431 if (dom_idx != 0xffffffff) {
433 rpcstr_pull_unistr2_fstring(
434 dom_name, &ref.ref_dom[dom_idx].uni_dom_name);
435 rpcstr_pull_unistr2_fstring(
436 name, &r.names.uni_name[i]);
438 (*names)[i] = talloc_strdup(mem_ctx, name);
439 (*domains)[i] = talloc_strdup(mem_ctx, dom_name);
440 (*types)[i] = (enum lsa_SidType)r.names.name[i].sid_name_use;
442 if (((*names)[i] == NULL) || ((*domains)[i] == NULL)) {
443 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
444 result = NT_STATUS_UNSUCCESSFUL;
450 (*domains)[i] = NULL;
451 (*types)[i] = SID_NAME_UNKNOWN;
460 /** Lookup a list of names */
462 NTSTATUS rpccli_lsa_lookup_names(struct rpc_pipe_client *cli,
464 POLICY_HND *pol, int num_names,
466 const char ***dom_names,
469 enum lsa_SidType **types)
471 prs_struct qbuf, rbuf;
472 LSA_Q_LOOKUP_NAMES q;
473 LSA_R_LOOKUP_NAMES r;
484 init_q_lookup_names(mem_ctx, &q, pol, num_names, names, level);
486 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_LOOKUPNAMES,
489 lsa_io_q_lookup_names,
490 lsa_io_r_lookup_names,
491 NT_STATUS_UNSUCCESSFUL);
495 if (!NT_STATUS_IS_OK(result) && NT_STATUS_V(result) !=
496 NT_STATUS_V(STATUS_SOME_UNMAPPED)) {
498 /* An actual error occured */
503 /* Return output parameters */
505 if (r.mapped_count == 0) {
506 result = NT_STATUS_NONE_MAPPED;
511 if (!((*sids = TALLOC_ARRAY(mem_ctx, DOM_SID, num_names)))) {
512 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
513 result = NT_STATUS_NO_MEMORY;
517 if (!((*types = TALLOC_ARRAY(mem_ctx, enum lsa_SidType, num_names)))) {
518 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
519 result = NT_STATUS_NO_MEMORY;
523 if (dom_names != NULL) {
524 *dom_names = TALLOC_ARRAY(mem_ctx, const char *, num_names);
525 if (*dom_names == NULL) {
526 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
527 result = NT_STATUS_NO_MEMORY;
534 if (dom_names != NULL) {
539 for (i = 0; i < num_names; i++) {
540 DOM_RID *t_rids = r.dom_rid;
541 uint32 dom_idx = t_rids[i].rid_idx;
542 uint32 dom_rid = t_rids[i].rid;
543 DOM_SID *sid = &(*sids)[i];
545 /* Translate optimised sid through domain index array */
547 if (dom_idx == 0xffffffff) {
548 /* Nothing to do, this is unknown */
550 (*types)[i] = SID_NAME_UNKNOWN;
554 sid_copy(sid, &ref.ref_dom[dom_idx].ref_dom.sid);
556 if (dom_rid != 0xffffffff) {
557 sid_append_rid(sid, dom_rid);
560 (*types)[i] = (enum lsa_SidType)t_rids[i].type;
562 if (dom_names == NULL) {
566 (*dom_names)[i] = rpcstr_pull_unistr2_talloc(
567 *dom_names, &ref.ref_dom[dom_idx].uni_dom_name);
575 NTSTATUS rpccli_lsa_query_info_policy_new(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
576 POLICY_HND *pol, uint16 info_class,
579 prs_struct qbuf, rbuf;
587 init_q_query(&q, pol, info_class);
589 CLI_DO_RPC(cli, mem_ctx, PI_LSARPC, LSA_QUERYINFOPOLICY,
594 NT_STATUS_UNSUCCESSFUL);
598 if (!NT_STATUS_IS_OK(result)) {
609 NTSTATUS rpccli_lsa_query_info_policy2_new(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
610 POLICY_HND *pol, uint16 info_class,
613 prs_struct qbuf, rbuf;
621 init_q_query2(&q, pol, info_class);
623 CLI_DO_RPC(cli, mem_ctx, PI_LSARPC, LSA_QUERYINFO2,
626 lsa_io_q_query_info2,
627 lsa_io_r_query_info2,
628 NT_STATUS_UNSUCCESSFUL);
632 if (!NT_STATUS_IS_OK(result)) {
645 /** Query info policy
647 * @param domain_sid - returned remote server's domain sid */
649 NTSTATUS rpccli_lsa_query_info_policy(struct rpc_pipe_client *cli,
651 POLICY_HND *pol, uint16 info_class,
652 char **domain_name, DOM_SID **domain_sid)
654 prs_struct qbuf, rbuf;
662 init_q_query(&q, pol, info_class);
664 CLI_DO_RPC(cli, mem_ctx, PI_LSARPC, LSA_QUERYINFOPOLICY,
669 NT_STATUS_UNSUCCESSFUL);
673 if (!NT_STATUS_IS_OK(result)) {
677 /* Return output parameters */
679 switch (info_class) {
682 if (domain_name && (r.ctr.info.id3.buffer_dom_name != 0)) {
683 *domain_name = unistr2_tdup(mem_ctx,
687 return NT_STATUS_NO_MEMORY;
691 if (domain_sid && (r.ctr.info.id3.buffer_dom_sid != 0)) {
692 *domain_sid = TALLOC_P(mem_ctx, DOM_SID);
694 return NT_STATUS_NO_MEMORY;
696 sid_copy(*domain_sid, &r.ctr.info.id3.dom_sid.sid);
703 if (domain_name && (r.ctr.info.id5.buffer_dom_name != 0)) {
704 *domain_name = unistr2_tdup(mem_ctx,
708 return NT_STATUS_NO_MEMORY;
712 if (domain_sid && (r.ctr.info.id5.buffer_dom_sid != 0)) {
713 *domain_sid = TALLOC_P(mem_ctx, DOM_SID);
715 return NT_STATUS_NO_MEMORY;
717 sid_copy(*domain_sid, &r.ctr.info.id5.dom_sid.sid);
722 DEBUG(3, ("unknown info class %d\n", info_class));
731 /** Query info policy2
733 * @param domain_name - returned remote server's domain name
734 * @param dns_name - returned remote server's dns domain name
735 * @param forest_name - returned remote server's forest name
736 * @param domain_guid - returned remote server's domain guid
737 * @param domain_sid - returned remote server's domain sid */
739 NTSTATUS rpccli_lsa_query_info_policy2(struct rpc_pipe_client *cli,
741 POLICY_HND *pol, uint16 info_class,
742 char **domain_name, char **dns_name,
744 struct GUID **domain_guid,
745 DOM_SID **domain_sid)
747 prs_struct qbuf, rbuf;
750 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
752 if (info_class != 12)
758 init_q_query2(&q, pol, info_class);
760 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_QUERYINFO2,
763 lsa_io_q_query_info2,
764 lsa_io_r_query_info2,
765 NT_STATUS_UNSUCCESSFUL);
769 if (!NT_STATUS_IS_OK(result)) {
773 /* Return output parameters */
775 ZERO_STRUCTP(domain_guid);
777 if (domain_name && r.ctr.info.id12.hdr_nb_dom_name.buffer) {
778 *domain_name = unistr2_tdup(mem_ctx,
782 return NT_STATUS_NO_MEMORY;
785 if (dns_name && r.ctr.info.id12.hdr_dns_dom_name.buffer) {
786 *dns_name = unistr2_tdup(mem_ctx,
790 return NT_STATUS_NO_MEMORY;
793 if (forest_name && r.ctr.info.id12.hdr_forest_name.buffer) {
794 *forest_name = unistr2_tdup(mem_ctx,
798 return NT_STATUS_NO_MEMORY;
803 *domain_guid = TALLOC_P(mem_ctx, struct GUID);
805 return NT_STATUS_NO_MEMORY;
808 &r.ctr.info.id12.dom_guid,
809 sizeof(struct GUID));
812 if (domain_sid && r.ctr.info.id12.ptr_dom_sid != 0) {
813 *domain_sid = TALLOC_P(mem_ctx, DOM_SID);
815 return NT_STATUS_NO_MEMORY;
817 sid_copy(*domain_sid,
818 &r.ctr.info.id12.dom_sid.sid);
826 NTSTATUS rpccli_lsa_set_info_policy(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
827 POLICY_HND *pol, uint16 info_class,
830 prs_struct qbuf, rbuf;
838 init_q_set(&q, pol, info_class, ctr);
840 CLI_DO_RPC(cli, mem_ctx, PI_LSARPC, LSA_SETINFOPOLICY,
845 NT_STATUS_UNSUCCESSFUL);
849 if (!NT_STATUS_IS_OK(result)) {
853 /* Return output parameters */
862 * Enumerate list of trusted domains
864 * @param cli client state (cli_state) structure of the connection
865 * @param mem_ctx memory context
866 * @param pol opened lsa policy handle
867 * @param enum_ctx enumeration context ie. index of first returned domain entry
868 * @param pref_num_domains preferred max number of entries returned in one response
869 * @param num_domains total number of trusted domains returned by response
870 * @param domain_names returned trusted domain names
871 * @param domain_sids returned trusted domain sids
873 * @return nt status code of response
876 NTSTATUS rpccli_lsa_enum_trust_dom(struct rpc_pipe_client *cli,
878 POLICY_HND *pol, uint32 *enum_ctx,
880 char ***domain_names, DOM_SID **domain_sids)
882 prs_struct qbuf, rbuf;
883 LSA_Q_ENUM_TRUST_DOM in;
884 LSA_R_ENUM_TRUST_DOM out;
891 /* 64k is enough for about 2000 trusted domains */
893 init_q_enum_trust_dom(&in, pol, *enum_ctx, 0x10000);
895 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_ENUMTRUSTDOM,
898 lsa_io_q_enum_trust_dom,
899 lsa_io_r_enum_trust_dom,
900 NT_STATUS_UNSUCCESSFUL );
903 /* check for an actual error */
905 if ( !NT_STATUS_IS_OK(out.status)
906 && !NT_STATUS_EQUAL(out.status, NT_STATUS_NO_MORE_ENTRIES)
907 && !NT_STATUS_EQUAL(out.status, STATUS_MORE_ENTRIES) )
912 /* Return output parameters */
914 *num_domains = out.count;
915 *enum_ctx = out.enum_context;
919 /* Allocate memory for trusted domain names and sids */
921 if ( !(*domain_names = TALLOC_ARRAY(mem_ctx, char *, out.count)) ) {
922 DEBUG(0, ("cli_lsa_enum_trust_dom(): out of memory\n"));
923 return NT_STATUS_NO_MEMORY;
926 if ( !(*domain_sids = TALLOC_ARRAY(mem_ctx, DOM_SID, out.count)) ) {
927 DEBUG(0, ("cli_lsa_enum_trust_dom(): out of memory\n"));
928 return NT_STATUS_NO_MEMORY;
931 /* Copy across names and sids */
933 for (i = 0; i < out.count; i++) {
935 rpcstr_pull( tmp, out.domlist->domains[i].name.string->buffer,
936 sizeof(tmp), out.domlist->domains[i].name.length, 0);
937 (*domain_names)[i] = talloc_strdup(mem_ctx, tmp);
939 sid_copy(&(*domain_sids)[i], &out.domlist->domains[i].sid->sid );
946 /** Enumerate privileges*/
948 NTSTATUS rpccli_lsa_enum_privilege(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
949 POLICY_HND *pol, uint32 *enum_context, uint32 pref_max_length,
950 uint32 *count, char ***privs_name, uint32 **privs_high, uint32 **privs_low)
952 prs_struct qbuf, rbuf;
961 init_q_enum_privs(&q, pol, *enum_context, pref_max_length);
963 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_ENUM_PRIVS,
968 NT_STATUS_UNSUCCESSFUL);
972 if (!NT_STATUS_IS_OK(result)) {
976 /* Return output parameters */
978 *enum_context = r.enum_context;
982 if (!((*privs_name = TALLOC_ARRAY(mem_ctx, char *, r.count)))) {
983 DEBUG(0, ("(cli_lsa_enum_privilege): out of memory\n"));
984 result = NT_STATUS_UNSUCCESSFUL;
988 if (!((*privs_high = TALLOC_ARRAY(mem_ctx, uint32, r.count)))) {
989 DEBUG(0, ("(cli_lsa_enum_privilege): out of memory\n"));
990 result = NT_STATUS_UNSUCCESSFUL;
994 if (!((*privs_low = TALLOC_ARRAY(mem_ctx, uint32, r.count)))) {
995 DEBUG(0, ("(cli_lsa_enum_privilege): out of memory\n"));
996 result = NT_STATUS_UNSUCCESSFUL;
1005 for (i = 0; i < r.count; i++) {
1008 rpcstr_pull_unistr2_fstring( name, &r.privs[i].name);
1010 (*privs_name)[i] = talloc_strdup(mem_ctx, name);
1012 (*privs_high)[i] = r.privs[i].luid_high;
1013 (*privs_low)[i] = r.privs[i].luid_low;
1021 /** Get privilege name */
1023 NTSTATUS rpccli_lsa_get_dispname(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1024 POLICY_HND *pol, const char *name,
1025 uint16 lang_id, uint16 lang_id_sys,
1026 fstring description, uint16 *lang_id_desc)
1028 prs_struct qbuf, rbuf;
1029 LSA_Q_PRIV_GET_DISPNAME q;
1030 LSA_R_PRIV_GET_DISPNAME r;
1036 init_lsa_priv_get_dispname(&q, pol, name, lang_id, lang_id_sys);
1038 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_PRIV_GET_DISPNAME,
1041 lsa_io_q_priv_get_dispname,
1042 lsa_io_r_priv_get_dispname,
1043 NT_STATUS_UNSUCCESSFUL);
1047 if (!NT_STATUS_IS_OK(result)) {
1051 /* Return output parameters */
1053 rpcstr_pull_unistr2_fstring(description , &r.desc);
1054 *lang_id_desc = r.lang_id;
1061 /** Enumerate list of SIDs */
1063 NTSTATUS rpccli_lsa_enum_sids(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1064 POLICY_HND *pol, uint32 *enum_ctx, uint32 pref_max_length,
1065 uint32 *num_sids, DOM_SID **sids)
1067 prs_struct qbuf, rbuf;
1068 LSA_Q_ENUM_ACCOUNTS q;
1069 LSA_R_ENUM_ACCOUNTS r;
1076 init_lsa_q_enum_accounts(&q, pol, *enum_ctx, pref_max_length);
1078 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_ENUM_ACCOUNTS,
1081 lsa_io_q_enum_accounts,
1082 lsa_io_r_enum_accounts,
1083 NT_STATUS_UNSUCCESSFUL);
1087 if (!NT_STATUS_IS_OK(result)) {
1091 if (r.sids.num_entries==0)
1094 /* Return output parameters */
1096 *sids = TALLOC_ARRAY(mem_ctx, DOM_SID, r.sids.num_entries);
1098 DEBUG(0, ("(cli_lsa_enum_sids): out of memory\n"));
1099 result = NT_STATUS_UNSUCCESSFUL;
1103 /* Copy across names and sids */
1105 for (i = 0; i < r.sids.num_entries; i++) {
1106 sid_copy(&(*sids)[i], &r.sids.sid[i].sid);
1109 *num_sids= r.sids.num_entries;
1110 *enum_ctx = r.enum_context;
1117 /** Create a LSA user handle
1119 * @param cli Handle on an initialised SMB connection
1121 * FIXME: The code is actually identical to open account
1122 * TODO: Check and code what the function should exactly do
1126 NTSTATUS rpccli_lsa_create_account(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1127 POLICY_HND *dom_pol, DOM_SID *sid, uint32 desired_access,
1128 POLICY_HND *user_pol)
1130 prs_struct qbuf, rbuf;
1131 LSA_Q_CREATEACCOUNT q;
1132 LSA_R_CREATEACCOUNT r;
1138 /* Initialise input parameters */
1140 init_lsa_q_create_account(&q, dom_pol, sid, desired_access);
1142 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_CREATEACCOUNT,
1145 lsa_io_q_create_account,
1146 lsa_io_r_create_account,
1147 NT_STATUS_UNSUCCESSFUL);
1149 /* Return output parameters */
1153 if (NT_STATUS_IS_OK(result)) {
1160 /** Open a LSA user handle
1162 * @param cli Handle on an initialised SMB connection */
1164 NTSTATUS rpccli_lsa_open_account(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1165 POLICY_HND *dom_pol, DOM_SID *sid, uint32 des_access,
1166 POLICY_HND *user_pol)
1168 prs_struct qbuf, rbuf;
1169 LSA_Q_OPENACCOUNT q;
1170 LSA_R_OPENACCOUNT r;
1176 /* Initialise input parameters */
1178 init_lsa_q_open_account(&q, dom_pol, sid, des_access);
1180 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_OPENACCOUNT,
1183 lsa_io_q_open_account,
1184 lsa_io_r_open_account,
1185 NT_STATUS_UNSUCCESSFUL);
1187 /* Return output parameters */
1191 if (NT_STATUS_IS_OK(result)) {
1198 /** Enumerate user privileges
1200 * @param cli Handle on an initialised SMB connection */
1202 NTSTATUS rpccli_lsa_enum_privsaccount(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1203 POLICY_HND *pol, uint32 *count, LUID_ATTR **set)
1205 prs_struct qbuf, rbuf;
1206 LSA_Q_ENUMPRIVSACCOUNT q;
1207 LSA_R_ENUMPRIVSACCOUNT r;
1214 /* Initialise input parameters */
1216 init_lsa_q_enum_privsaccount(&q, pol);
1218 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_ENUMPRIVSACCOUNT,
1221 lsa_io_q_enum_privsaccount,
1222 lsa_io_r_enum_privsaccount,
1223 NT_STATUS_UNSUCCESSFUL);
1225 /* Return output parameters */
1229 if (!NT_STATUS_IS_OK(result)) {
1236 if (!((*set = TALLOC_ARRAY(mem_ctx, LUID_ATTR, r.count)))) {
1237 DEBUG(0, ("(cli_lsa_enum_privsaccount): out of memory\n"));
1238 result = NT_STATUS_UNSUCCESSFUL;
1242 for (i=0; i<r.count; i++) {
1243 (*set)[i].luid.low = r.set.set[i].luid.low;
1244 (*set)[i].luid.high = r.set.set[i].luid.high;
1245 (*set)[i].attr = r.set.set[i].attr;
1254 /** Get a privilege value given its name */
1256 NTSTATUS rpccli_lsa_lookup_priv_value(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1257 POLICY_HND *pol, const char *name, LUID *luid)
1259 prs_struct qbuf, rbuf;
1260 LSA_Q_LOOKUP_PRIV_VALUE q;
1261 LSA_R_LOOKUP_PRIV_VALUE r;
1267 /* Marshall data and send request */
1269 init_lsa_q_lookup_priv_value(&q, pol, name);
1271 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_LOOKUPPRIVVALUE,
1274 lsa_io_q_lookup_priv_value,
1275 lsa_io_r_lookup_priv_value,
1276 NT_STATUS_UNSUCCESSFUL);
1280 if (!NT_STATUS_IS_OK(result)) {
1284 /* Return output parameters */
1286 (*luid).low=r.luid.low;
1287 (*luid).high=r.luid.high;
1294 /** Query LSA security object */
1296 NTSTATUS rpccli_lsa_query_secobj(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1297 POLICY_HND *pol, uint32 sec_info,
1298 SEC_DESC_BUF **psdb)
1300 prs_struct qbuf, rbuf;
1301 LSA_Q_QUERY_SEC_OBJ q;
1302 LSA_R_QUERY_SEC_OBJ r;
1308 /* Marshall data and send request */
1310 init_q_query_sec_obj(&q, pol, sec_info);
1312 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_QUERYSECOBJ,
1315 lsa_io_q_query_sec_obj,
1316 lsa_io_r_query_sec_obj,
1317 NT_STATUS_UNSUCCESSFUL);
1321 if (!NT_STATUS_IS_OK(result)) {
1325 /* Return output parameters */
1336 /* Enumerate account rights This is similar to enum_privileges but
1337 takes a SID directly, avoiding the open_account call.
1340 NTSTATUS rpccli_lsa_enum_account_rights(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1341 POLICY_HND *pol, DOM_SID *sid,
1342 uint32 *count, char ***priv_names)
1344 prs_struct qbuf, rbuf;
1345 LSA_Q_ENUM_ACCT_RIGHTS q;
1346 LSA_R_ENUM_ACCT_RIGHTS r;
1349 fstring *privileges;
1355 /* Marshall data and send request */
1356 init_q_enum_acct_rights(&q, pol, 2, sid);
1358 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_ENUMACCTRIGHTS,
1361 lsa_io_q_enum_acct_rights,
1362 lsa_io_r_enum_acct_rights,
1363 NT_STATUS_UNSUCCESSFUL);
1367 if (!NT_STATUS_IS_OK(result)) {
1377 privileges = TALLOC_ARRAY( mem_ctx, fstring, *count );
1378 names = TALLOC_ARRAY( mem_ctx, char *, *count );
1380 if ((privileges == NULL) || (names == NULL)) {
1381 TALLOC_FREE(privileges);
1383 return NT_STATUS_NO_MEMORY;
1386 for ( i=0; i<*count; i++ ) {
1387 UNISTR4 *uni_string = &r.rights->strings[i];
1389 if ( !uni_string->string )
1392 rpcstr_pull( privileges[i], uni_string->string->buffer, sizeof(privileges[i]), -1, STR_TERMINATE );
1394 /* now copy to the return array */
1395 names[i] = talloc_strdup( mem_ctx, privileges[i] );
1398 *priv_names = names;
1407 /* add account rights to an account. */
1409 NTSTATUS rpccli_lsa_add_account_rights(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1410 POLICY_HND *pol, DOM_SID sid,
1411 uint32 count, const char **privs_name)
1413 prs_struct qbuf, rbuf;
1414 LSA_Q_ADD_ACCT_RIGHTS q;
1415 LSA_R_ADD_ACCT_RIGHTS r;
1421 /* Marshall data and send request */
1422 init_q_add_acct_rights(&q, pol, &sid, count, privs_name);
1424 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_ADDACCTRIGHTS,
1427 lsa_io_q_add_acct_rights,
1428 lsa_io_r_add_acct_rights,
1429 NT_STATUS_UNSUCCESSFUL);
1433 if (!NT_STATUS_IS_OK(result)) {
1442 /* remove account rights for an account. */
1444 NTSTATUS rpccli_lsa_remove_account_rights(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1445 POLICY_HND *pol, DOM_SID sid, BOOL removeall,
1446 uint32 count, const char **privs_name)
1448 prs_struct qbuf, rbuf;
1449 LSA_Q_REMOVE_ACCT_RIGHTS q;
1450 LSA_R_REMOVE_ACCT_RIGHTS r;
1456 /* Marshall data and send request */
1457 init_q_remove_acct_rights(&q, pol, &sid, removeall?1:0, count, privs_name);
1459 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_REMOVEACCTRIGHTS,
1462 lsa_io_q_remove_acct_rights,
1463 lsa_io_r_remove_acct_rights,
1464 NT_STATUS_UNSUCCESSFUL);
1468 if (!NT_STATUS_IS_OK(result)) {
1479 /** An example of how to use the routines in this file. Fetch a DOMAIN
1480 sid. Does complete cli setup / teardown anonymously. */
1482 BOOL fetch_domain_sid( char *domain, char *remote_machine, DOM_SID *psid)
1484 extern pstring global_myname;
1485 struct cli_state *cli;
1491 if((cli = cli_initialise()) == NULL) {
1492 DEBUG(0,("fetch_domain_sid: unable to initialize client connection.\n"));
1496 if(!resolve_name( remote_machine, &cli->dest_ip, 0x20)) {
1497 DEBUG(0,("fetch_domain_sid: Can't resolve address for %s\n", remote_machine));
1501 if (!cli_connect(cli, remote_machine, &cli->dest_ip)) {
1502 DEBUG(0,("fetch_domain_sid: unable to connect to SMB server on \
1503 machine %s. Error was : %s.\n", remote_machine, cli_errstr(cli) ));
1507 if (!attempt_netbios_session_request(cli, global_myname, remote_machine, &cli->dest_ip)) {
1508 DEBUG(0,("fetch_domain_sid: machine %s rejected the NetBIOS session request.\n",
1513 cli->protocol = PROTOCOL_NT1;
1515 if (!cli_negprot(cli)) {
1516 DEBUG(0,("fetch_domain_sid: machine %s rejected the negotiate protocol. \
1517 Error was : %s.\n", remote_machine, cli_errstr(cli) ));
1521 if (cli->protocol != PROTOCOL_NT1) {
1522 DEBUG(0,("fetch_domain_sid: machine %s didn't negotiate NT protocol.\n",
1528 * Do an anonymous session setup.
1531 if (!cli_session_setup(cli, "", "", 0, "", 0, "")) {
1532 DEBUG(0,("fetch_domain_sid: machine %s rejected the session setup. \
1533 Error was : %s.\n", remote_machine, cli_errstr(cli) ));
1537 if (!(cli->sec_mode & NEGOTIATE_SECURITY_USER_LEVEL)) {
1538 DEBUG(0,("fetch_domain_sid: machine %s isn't in user level security mode\n",
1543 if (!cli_send_tconX(cli, "IPC$", "IPC", "", 1)) {
1544 DEBUG(0,("fetch_domain_sid: machine %s rejected the tconX on the IPC$ share. \
1545 Error was : %s.\n", remote_machine, cli_errstr(cli) ));
1549 /* Fetch domain sid */
1551 if (!cli_nt_session_open(cli, PI_LSARPC)) {
1552 DEBUG(0, ("fetch_domain_sid: Error connecting to SAM pipe\n"));
1556 result = cli_lsa_open_policy(cli, cli->mem_ctx, True, SEC_RIGHTS_QUERY_VALUE, &lsa_pol);
1557 if (!NT_STATUS_IS_OK(result)) {
1558 DEBUG(0, ("fetch_domain_sid: Error opening lsa policy handle. %s\n",
1559 nt_errstr(result) ));
1563 result = cli_lsa_query_info_policy(cli, cli->mem_ctx, &lsa_pol, 5, domain, psid);
1564 if (!NT_STATUS_IS_OK(result)) {
1565 DEBUG(0, ("fetch_domain_sid: Error querying lsa policy handle. %s\n",
1566 nt_errstr(result) ));
1580 NTSTATUS rpccli_lsa_open_trusted_domain(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1581 POLICY_HND *pol, DOM_SID *dom_sid, uint32 access_mask,
1582 POLICY_HND *trustdom_pol)
1584 prs_struct qbuf, rbuf;
1585 LSA_Q_OPEN_TRUSTED_DOMAIN q;
1586 LSA_R_OPEN_TRUSTED_DOMAIN r;
1592 /* Initialise input parameters */
1594 init_lsa_q_open_trusted_domain(&q, pol, dom_sid, access_mask);
1596 /* Marshall data and send request */
1598 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_OPENTRUSTDOM,
1601 lsa_io_q_open_trusted_domain,
1602 lsa_io_r_open_trusted_domain,
1603 NT_STATUS_UNSUCCESSFUL);
1605 /* Return output parameters */
1609 if (NT_STATUS_IS_OK(result)) {
1610 *trustdom_pol = r.handle;
1616 NTSTATUS rpccli_lsa_query_trusted_domain_info(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1619 LSA_TRUSTED_DOMAIN_INFO **info)
1621 prs_struct qbuf, rbuf;
1622 LSA_Q_QUERY_TRUSTED_DOMAIN_INFO q;
1623 LSA_R_QUERY_TRUSTED_DOMAIN_INFO r;
1624 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1629 /* Marshall data and send request */
1631 init_q_query_trusted_domain_info(&q, pol, info_class);
1633 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_QUERYTRUSTDOMINFO,
1636 lsa_io_q_query_trusted_domain_info,
1637 lsa_io_r_query_trusted_domain_info,
1638 NT_STATUS_UNSUCCESSFUL);
1642 if (!NT_STATUS_IS_OK(result)) {
1652 NTSTATUS rpccli_lsa_open_trusted_domain_by_name(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1653 POLICY_HND *pol, const char *name, uint32 access_mask,
1654 POLICY_HND *trustdom_pol)
1656 prs_struct qbuf, rbuf;
1657 LSA_Q_OPEN_TRUSTED_DOMAIN_BY_NAME q;
1658 LSA_R_OPEN_TRUSTED_DOMAIN_BY_NAME r;
1664 /* Initialise input parameters */
1666 init_lsa_q_open_trusted_domain_by_name(&q, pol, name, access_mask);
1668 /* Marshall data and send request */
1670 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_OPENTRUSTDOMBYNAME,
1673 lsa_io_q_open_trusted_domain_by_name,
1674 lsa_io_r_open_trusted_domain_by_name,
1675 NT_STATUS_UNSUCCESSFUL);
1677 /* Return output parameters */
1681 if (NT_STATUS_IS_OK(result)) {
1682 *trustdom_pol = r.handle;
1689 NTSTATUS rpccli_lsa_query_trusted_domain_info_by_sid(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1691 uint16 info_class, DOM_SID *dom_sid,
1692 LSA_TRUSTED_DOMAIN_INFO **info)
1694 prs_struct qbuf, rbuf;
1695 LSA_Q_QUERY_TRUSTED_DOMAIN_INFO_BY_SID q;
1696 LSA_R_QUERY_TRUSTED_DOMAIN_INFO r;
1697 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1702 /* Marshall data and send request */
1704 init_q_query_trusted_domain_info_by_sid(&q, pol, info_class, dom_sid);
1706 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_QUERYTRUSTDOMINFOBYSID,
1709 lsa_io_q_query_trusted_domain_info_by_sid,
1710 lsa_io_r_query_trusted_domain_info,
1711 NT_STATUS_UNSUCCESSFUL);
1715 if (!NT_STATUS_IS_OK(result)) {
1726 NTSTATUS rpccli_lsa_query_trusted_domain_info_by_name(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1728 uint16 info_class, const char *domain_name,
1729 LSA_TRUSTED_DOMAIN_INFO **info)
1731 prs_struct qbuf, rbuf;
1732 LSA_Q_QUERY_TRUSTED_DOMAIN_INFO_BY_NAME q;
1733 LSA_R_QUERY_TRUSTED_DOMAIN_INFO r;
1734 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1739 /* Marshall data and send request */
1741 init_q_query_trusted_domain_info_by_name(&q, pol, info_class, domain_name);
1743 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_QUERYTRUSTDOMINFOBYNAME,
1746 lsa_io_q_query_trusted_domain_info_by_name,
1747 lsa_io_r_query_trusted_domain_info,
1748 NT_STATUS_UNSUCCESSFUL);
1752 if (!NT_STATUS_IS_OK(result)) {
1763 NTSTATUS cli_lsa_query_domain_info_policy(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1765 uint16 info_class, LSA_DOM_INFO_UNION **info)
1767 prs_struct qbuf, rbuf;
1768 LSA_Q_QUERY_DOM_INFO_POLICY q;
1769 LSA_R_QUERY_DOM_INFO_POLICY r;
1770 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1775 /* Marshall data and send request */
1777 init_q_query_dom_info(&q, pol, info_class);
1779 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_QUERYDOMINFOPOL,
1782 lsa_io_q_query_dom_info,
1783 lsa_io_r_query_dom_info,
1784 NT_STATUS_UNSUCCESSFUL);
1788 if (!NT_STATUS_IS_OK(result)) {
git.samba.org / ira / wip.git / blob