2 Unix SMB/CIFS implementation.
4 Copyright (C) Tim Potter 2000-2001,
5 Copyright (C) Andrew Tridgell 1992-1997,2000,
6 Copyright (C) Rafal Szczesniak 2002
7 Copyright (C) Jeremy Allison 2005.
8 Copyright (C) Michael Adam 2007.
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 /** @defgroup lsa LSA - Local Security Architecture
35 * RPC client routines for the LSA RPC pipe. LSA means "local
36 * security authority", which is half of a password database.
39 /** Open a LSA policy handle
41 * @param cli Handle on an initialised SMB connection */
43 NTSTATUS rpccli_lsa_open_policy(struct rpc_pipe_client *cli,
45 bool sec_qos, uint32 des_access,
48 struct lsa_ObjectAttribute attr;
49 struct lsa_QosInfo qos;
50 uint16_t system_name = '\\';
53 init_lsa_sec_qos(&qos, 0xc, 2, 1, 0);
54 init_lsa_obj_attr(&attr,
62 init_lsa_obj_attr(&attr,
71 return rpccli_lsa_OpenPolicy(cli, mem_ctx,
78 /** Open a LSA policy handle
80 * @param cli Handle on an initialised SMB connection
83 NTSTATUS rpccli_lsa_open_policy2(struct rpc_pipe_client *cli,
84 TALLOC_CTX *mem_ctx, bool sec_qos,
85 uint32 des_access, POLICY_HND *pol)
87 struct lsa_ObjectAttribute attr;
88 struct lsa_QosInfo qos;
89 char *srv_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", cli->cli->desthost);
92 init_lsa_sec_qos(&qos, 0xc, 2, 1, 0);
93 init_lsa_obj_attr(&attr,
101 init_lsa_obj_attr(&attr,
110 return rpccli_lsa_OpenPolicy2(cli, mem_ctx,
117 /* Lookup a list of sids
119 * internal version withOUT memory allocation of the target arrays.
120 * this assumes suffciently sized arrays to store domains, names and types. */
122 static NTSTATUS rpccli_lsa_lookup_sids_noalloc(struct rpc_pipe_client *cli,
129 enum lsa_SidType *types)
131 prs_struct qbuf, rbuf;
135 NTSTATUS result = NT_STATUS_OK;
136 TALLOC_CTX *tmp_ctx = NULL;
139 tmp_ctx = talloc_new(mem_ctx);
141 DEBUG(0, ("rpccli_lsa_lookup_sids_noalloc: out of memory!\n"));
142 result = NT_STATUS_UNSUCCESSFUL;
149 init_q_lookup_sids(tmp_ctx, &q, pol, num_sids, sids, 1);
155 CLI_DO_RPC( cli, tmp_ctx, PI_LSARPC, LSA_LOOKUPSIDS,
158 lsa_io_q_lookup_sids,
159 lsa_io_r_lookup_sids,
160 NT_STATUS_UNSUCCESSFUL );
162 DEBUG(10, ("LSA_LOOKUPSIDS returned '%s', mapped count = %d'\n",
163 nt_errstr(r.status), r.mapped_count));
165 if (!NT_STATUS_IS_OK(r.status) &&
166 !NT_STATUS_EQUAL(r.status, NT_STATUS_NONE_MAPPED) &&
167 !NT_STATUS_EQUAL(r.status, STATUS_SOME_UNMAPPED))
169 /* An actual error occured */
174 /* Return output parameters */
176 if (NT_STATUS_EQUAL(r.status, NT_STATUS_NONE_MAPPED) ||
177 (r.mapped_count == 0))
179 for (i = 0; i < num_sids; i++) {
182 (types)[i] = SID_NAME_UNKNOWN;
184 result = NT_STATUS_NONE_MAPPED;
188 for (i = 0; i < num_sids; i++) {
189 fstring name, dom_name;
190 uint32 dom_idx = r.names.name[i].domain_idx;
192 /* Translate optimised name through domain index array */
194 if (dom_idx != 0xffffffff) {
196 rpcstr_pull_unistr2_fstring(
197 dom_name, &ref.ref_dom[dom_idx].uni_dom_name);
198 rpcstr_pull_unistr2_fstring(
199 name, &r.names.uni_name[i]);
201 (names)[i] = talloc_strdup(mem_ctx, name);
202 (domains)[i] = talloc_strdup(mem_ctx, dom_name);
203 (types)[i] = r.names.name[i].sid_name_use;
205 if (((names)[i] == NULL) || ((domains)[i] == NULL)) {
206 DEBUG(0, ("cli_lsa_lookup_sids_noalloc(): out of memory\n"));
207 result = NT_STATUS_UNSUCCESSFUL;
214 (types)[i] = SID_NAME_UNKNOWN;
219 TALLOC_FREE(tmp_ctx);
223 /* Lookup a list of sids
225 * do it the right way: there is a limit (of 20480 for w2k3) entries
226 * returned by this call. when the sids list contains more entries,
227 * empty lists are returned. This version of lsa_lookup_sids passes
228 * the list of sids in hunks of LOOKUP_SIDS_HUNK_SIZE to the lsa call. */
230 /* This constant defines the limit of how many sids to look up
231 * in one call (maximum). the limit from the server side is
232 * at 20480 for win2k3, but we keep it at a save 1000 for now. */
233 #define LOOKUP_SIDS_HUNK_SIZE 1000
235 NTSTATUS rpccli_lsa_lookup_sids(struct rpc_pipe_client *cli,
242 enum lsa_SidType **types)
244 NTSTATUS result = NT_STATUS_OK;
246 int sids_processed = 0;
247 const DOM_SID *hunk_sids = sids;
248 char **hunk_domains = NULL;
249 char **hunk_names = NULL;
250 enum lsa_SidType *hunk_types = NULL;
253 if (!((*domains) = TALLOC_ARRAY(mem_ctx, char *, num_sids))) {
254 DEBUG(0, ("rpccli_lsa_lookup_sids(): out of memory\n"));
255 result = NT_STATUS_NO_MEMORY;
259 if (!((*names) = TALLOC_ARRAY(mem_ctx, char *, num_sids))) {
260 DEBUG(0, ("rpccli_lsa_lookup_sids(): out of memory\n"));
261 result = NT_STATUS_NO_MEMORY;
265 if (!((*types) = TALLOC_ARRAY(mem_ctx, enum lsa_SidType, num_sids))) {
266 DEBUG(0, ("rpccli_lsa_lookup_sids(): out of memory\n"));
267 result = NT_STATUS_NO_MEMORY;
276 sids_left = num_sids;
277 hunk_domains = *domains;
281 while (sids_left > 0) {
283 NTSTATUS hunk_result = NT_STATUS_OK;
285 hunk_num_sids = ((sids_left > LOOKUP_SIDS_HUNK_SIZE)
286 ? LOOKUP_SIDS_HUNK_SIZE
289 DEBUG(10, ("rpccli_lsa_lookup_sids: processing items "
292 sids_processed + hunk_num_sids - 1,
295 hunk_result = rpccli_lsa_lookup_sids_noalloc(cli,
304 if (!NT_STATUS_IS_OK(hunk_result) &&
305 !NT_STATUS_EQUAL(hunk_result, STATUS_SOME_UNMAPPED) &&
306 !NT_STATUS_EQUAL(hunk_result, NT_STATUS_NONE_MAPPED))
308 /* An actual error occured */
309 result = hunk_result;
313 /* adapt overall result */
314 if (( NT_STATUS_IS_OK(result) &&
315 !NT_STATUS_IS_OK(hunk_result))
317 ( NT_STATUS_EQUAL(result, NT_STATUS_NONE_MAPPED) &&
318 !NT_STATUS_EQUAL(hunk_result, NT_STATUS_NONE_MAPPED)))
320 result = STATUS_SOME_UNMAPPED;
323 sids_left -= hunk_num_sids;
324 sids_processed += hunk_num_sids; /* only used in DEBUG */
325 hunk_sids += hunk_num_sids;
326 hunk_domains += hunk_num_sids;
327 hunk_names += hunk_num_sids;
328 hunk_types += hunk_num_sids;
334 TALLOC_FREE(*domains);
340 /** Lookup a list of names */
342 NTSTATUS rpccli_lsa_lookup_names(struct rpc_pipe_client *cli,
344 POLICY_HND *pol, int num_names,
346 const char ***dom_names,
349 enum lsa_SidType **types)
351 prs_struct qbuf, rbuf;
352 LSA_Q_LOOKUP_NAMES q;
353 LSA_R_LOOKUP_NAMES r;
364 init_q_lookup_names(mem_ctx, &q, pol, num_names, names, level);
366 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_LOOKUPNAMES,
369 lsa_io_q_lookup_names,
370 lsa_io_r_lookup_names,
371 NT_STATUS_UNSUCCESSFUL);
375 if (!NT_STATUS_IS_OK(result) && NT_STATUS_V(result) !=
376 NT_STATUS_V(STATUS_SOME_UNMAPPED)) {
378 /* An actual error occured */
383 /* Return output parameters */
385 if (r.mapped_count == 0) {
386 result = NT_STATUS_NONE_MAPPED;
391 if (!((*sids = TALLOC_ARRAY(mem_ctx, DOM_SID, num_names)))) {
392 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
393 result = NT_STATUS_NO_MEMORY;
397 if (!((*types = TALLOC_ARRAY(mem_ctx, enum lsa_SidType, num_names)))) {
398 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
399 result = NT_STATUS_NO_MEMORY;
403 if (dom_names != NULL) {
404 *dom_names = TALLOC_ARRAY(mem_ctx, const char *, num_names);
405 if (*dom_names == NULL) {
406 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
407 result = NT_STATUS_NO_MEMORY;
414 if (dom_names != NULL) {
419 for (i = 0; i < num_names; i++) {
420 DOM_RID *t_rids = r.dom_rid;
421 uint32 dom_idx = t_rids[i].rid_idx;
422 uint32 dom_rid = t_rids[i].rid;
423 DOM_SID *sid = &(*sids)[i];
425 /* Translate optimised sid through domain index array */
427 if (dom_idx == 0xffffffff) {
428 /* Nothing to do, this is unknown */
430 (*types)[i] = SID_NAME_UNKNOWN;
434 sid_copy(sid, &ref.ref_dom[dom_idx].ref_dom.sid);
436 if (dom_rid != 0xffffffff) {
437 sid_append_rid(sid, dom_rid);
440 (*types)[i] = t_rids[i].type;
442 if (dom_names == NULL) {
446 (*dom_names)[i] = rpcstr_pull_unistr2_talloc(
447 *dom_names, &ref.ref_dom[dom_idx].uni_dom_name);
455 /** Enumerate list of SIDs */
457 NTSTATUS rpccli_lsa_enum_sids(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
458 POLICY_HND *pol, uint32 *enum_ctx, uint32 pref_max_length,
459 uint32 *num_sids, DOM_SID **sids)
461 prs_struct qbuf, rbuf;
462 LSA_Q_ENUM_ACCOUNTS q;
463 LSA_R_ENUM_ACCOUNTS r;
470 init_lsa_q_enum_accounts(&q, pol, *enum_ctx, pref_max_length);
472 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_ENUM_ACCOUNTS,
475 lsa_io_q_enum_accounts,
476 lsa_io_r_enum_accounts,
477 NT_STATUS_UNSUCCESSFUL);
481 if (!NT_STATUS_IS_OK(result)) {
485 if (r.sids.num_entries==0)
488 /* Return output parameters */
490 *sids = TALLOC_ARRAY(mem_ctx, DOM_SID, r.sids.num_entries);
492 DEBUG(0, ("(cli_lsa_enum_sids): out of memory\n"));
493 result = NT_STATUS_UNSUCCESSFUL;
497 /* Copy across names and sids */
499 for (i = 0; i < r.sids.num_entries; i++) {
500 sid_copy(&(*sids)[i], &r.sids.sid[i].sid);
503 *num_sids= r.sids.num_entries;
504 *enum_ctx = r.enum_context;
511 /** Enumerate user privileges
513 * @param cli Handle on an initialised SMB connection */
515 NTSTATUS rpccli_lsa_enum_privsaccount(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
516 POLICY_HND *pol, uint32 *count, LUID_ATTR **set)
518 prs_struct qbuf, rbuf;
519 LSA_Q_ENUMPRIVSACCOUNT q;
520 LSA_R_ENUMPRIVSACCOUNT r;
527 /* Initialise input parameters */
529 init_lsa_q_enum_privsaccount(&q, pol);
531 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_ENUMPRIVSACCOUNT,
534 lsa_io_q_enum_privsaccount,
535 lsa_io_r_enum_privsaccount,
536 NT_STATUS_UNSUCCESSFUL);
538 /* Return output parameters */
542 if (!NT_STATUS_IS_OK(result)) {
549 if (!((*set = TALLOC_ARRAY(mem_ctx, LUID_ATTR, r.count)))) {
550 DEBUG(0, ("(cli_lsa_enum_privsaccount): out of memory\n"));
551 result = NT_STATUS_UNSUCCESSFUL;
555 for (i=0; i<r.count; i++) {
556 (*set)[i].luid.low = r.set.set[i].luid.low;
557 (*set)[i].luid.high = r.set.set[i].luid.high;
558 (*set)[i].attr = r.set.set[i].attr;
567 /** Get a privilege value given its name */
569 NTSTATUS rpccli_lsa_lookup_priv_value(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
570 POLICY_HND *pol, const char *name, LUID *luid)
572 prs_struct qbuf, rbuf;
573 LSA_Q_LOOKUP_PRIV_VALUE q;
574 LSA_R_LOOKUP_PRIV_VALUE r;
580 /* Marshall data and send request */
582 init_lsa_q_lookup_priv_value(&q, pol, name);
584 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_LOOKUPPRIVVALUE,
587 lsa_io_q_lookup_priv_value,
588 lsa_io_r_lookup_priv_value,
589 NT_STATUS_UNSUCCESSFUL);
593 if (!NT_STATUS_IS_OK(result)) {
597 /* Return output parameters */
599 (*luid).low=r.luid.low;
600 (*luid).high=r.luid.high;
607 /* Enumerate account rights This is similar to enum_privileges but
608 takes a SID directly, avoiding the open_account call.
611 NTSTATUS rpccli_lsa_enum_account_rights(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
612 POLICY_HND *pol, DOM_SID *sid,
613 uint32 *count, char ***priv_names)
615 prs_struct qbuf, rbuf;
616 LSA_Q_ENUM_ACCT_RIGHTS q;
617 LSA_R_ENUM_ACCT_RIGHTS r;
626 /* Marshall data and send request */
627 init_q_enum_acct_rights(&q, pol, 2, sid);
629 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_ENUMACCTRIGHTS,
632 lsa_io_q_enum_acct_rights,
633 lsa_io_r_enum_acct_rights,
634 NT_STATUS_UNSUCCESSFUL);
638 if (!NT_STATUS_IS_OK(result)) {
648 privileges = TALLOC_ARRAY( mem_ctx, fstring, *count );
649 names = TALLOC_ARRAY( mem_ctx, char *, *count );
651 if ((privileges == NULL) || (names == NULL)) {
652 TALLOC_FREE(privileges);
654 return NT_STATUS_NO_MEMORY;
657 for ( i=0; i<*count; i++ ) {
658 UNISTR4 *uni_string = &r.rights->strings[i];
660 if ( !uni_string->string )
663 rpcstr_pull( privileges[i], uni_string->string->buffer, sizeof(privileges[i]), -1, STR_TERMINATE );
665 /* now copy to the return array */
666 names[i] = talloc_strdup( mem_ctx, privileges[i] );
678 /* add account rights to an account. */
680 NTSTATUS rpccli_lsa_add_account_rights(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
681 POLICY_HND *pol, DOM_SID sid,
682 uint32 count, const char **privs_name)
684 prs_struct qbuf, rbuf;
685 LSA_Q_ADD_ACCT_RIGHTS q;
686 LSA_R_ADD_ACCT_RIGHTS r;
692 /* Marshall data and send request */
693 init_q_add_acct_rights(&q, pol, &sid, count, privs_name);
695 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_ADDACCTRIGHTS,
698 lsa_io_q_add_acct_rights,
699 lsa_io_r_add_acct_rights,
700 NT_STATUS_UNSUCCESSFUL);
704 if (!NT_STATUS_IS_OK(result)) {
713 /* remove account rights for an account. */
715 NTSTATUS rpccli_lsa_remove_account_rights(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
716 POLICY_HND *pol, DOM_SID sid, bool removeall,
717 uint32 count, const char **privs_name)
719 prs_struct qbuf, rbuf;
720 LSA_Q_REMOVE_ACCT_RIGHTS q;
721 LSA_R_REMOVE_ACCT_RIGHTS r;
727 /* Marshall data and send request */
728 init_q_remove_acct_rights(&q, pol, &sid, removeall?1:0, count, privs_name);
730 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_REMOVEACCTRIGHTS,
733 lsa_io_q_remove_acct_rights,
734 lsa_io_r_remove_acct_rights,
735 NT_STATUS_UNSUCCESSFUL);
739 if (!NT_STATUS_IS_OK(result)) {
750 /** An example of how to use the routines in this file. Fetch a DOMAIN
751 sid. Does complete cli setup / teardown anonymously. */
753 bool fetch_domain_sid( char *domain, char *remote_machine, DOM_SID *psid)
755 struct cli_state cli;
761 if(cli_initialise(&cli) == False) {
762 DEBUG(0,("fetch_domain_sid: unable to initialize client connection.\n"));
766 if(!resolve_name( remote_machine, &cli.dest_ip, 0x20)) {
767 DEBUG(0,("fetch_domain_sid: Can't resolve address for %s\n", remote_machine));
771 if (!cli_connect(&cli, remote_machine, &cli.dest_ip)) {
772 DEBUG(0,("fetch_domain_sid: unable to connect to SMB server on \
773 machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
777 if (!attempt_netbios_session_request(&cli, global_myname(), remote_machine, &cli.dest_ip)) {
778 DEBUG(0,("fetch_domain_sid: machine %s rejected the NetBIOS session request.\n",
783 cli.protocol = PROTOCOL_NT1;
785 if (!cli_negprot(&cli)) {
786 DEBUG(0,("fetch_domain_sid: machine %s rejected the negotiate protocol. \
787 Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
791 if (cli.protocol != PROTOCOL_NT1) {
792 DEBUG(0,("fetch_domain_sid: machine %s didn't negotiate NT protocol.\n",
798 * Do an anonymous session setup.
801 if (!cli_session_setup(&cli, "", "", 0, "", 0, "")) {
802 DEBUG(0,("fetch_domain_sid: machine %s rejected the session setup. \
803 Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
807 if (!(cli.sec_mode & NEGOTIATE_SECURITY_USER_LEVEL)) {
808 DEBUG(0,("fetch_domain_sid: machine %s isn't in user level security mode\n",
813 if (!cli_send_tconX(&cli, "IPC$", "IPC", "", 1)) {
814 DEBUG(0,("fetch_domain_sid: machine %s rejected the tconX on the IPC$ share. \
815 Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
819 /* Fetch domain sid */
821 if (!cli_nt_session_open(&cli, PI_LSARPC)) {
822 DEBUG(0, ("fetch_domain_sid: Error connecting to SAM pipe\n"));
826 result = cli_lsa_open_policy(&cli, cli.mem_ctx, True, SEC_RIGHTS_QUERY_VALUE, &lsa_pol);
827 if (!NT_STATUS_IS_OK(result)) {
828 DEBUG(0, ("fetch_domain_sid: Error opening lsa policy handle. %s\n",
829 nt_errstr(result) ));
833 result = cli_lsa_query_info_policy(&cli, cli.mem_ctx, &lsa_pol, 5, domain, psid);
834 if (!NT_STATUS_IS_OK(result)) {
835 DEBUG(0, ("fetch_domain_sid: Error querying lsa policy handle. %s\n",
836 nt_errstr(result) ));