2 Unix SMB/CIFS implementation.
4 Copyright (C) Tim Potter 2000-2001,
5 Copyright (C) Andrew Tridgell 1992-1997,2000,
6 Copyright (C) Rafal Szczesniak 2002
7 Copyright (C) Jeremy Allison 2005.
8 Copyright (C) Michael Adam 2007.
9 Copyright (C) Guenther Deschner 2008.
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include "rpc_client/rpc_client.h"
27 #include "../librpc/gen_ndr/ndr_lsa_c.h"
28 #include "rpc_client/cli_lsarpc.h"
29 #include "rpc_client/init_lsa.h"
30 #include "../libcli/security/security.h"
33 /** @defgroup lsa LSA - Local Security Architecture
42 * RPC client routines for the LSA RPC pipe. LSA means "local
43 * security authority", which is half of a password database.
46 NTSTATUS dcerpc_lsa_open_policy(struct dcerpc_binding_handle *h,
50 struct policy_handle *pol,
53 struct lsa_ObjectAttribute attr = { .len = 0x18, };
54 struct lsa_QosInfo qos;
55 uint16_t system_name = '\\';
59 qos.impersonation_level = 2;
61 qos.effective_only = 0;
66 return dcerpc_lsa_OpenPolicy(h,
75 /** Open a LSA policy handle
77 * @param cli Handle on an initialised SMB connection */
79 NTSTATUS rpccli_lsa_open_policy(struct rpc_pipe_client *cli,
81 bool sec_qos, uint32_t des_access,
82 struct policy_handle *pol)
85 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
87 status = dcerpc_lsa_open_policy(cli->binding_handle,
93 if (!NT_STATUS_IS_OK(status)) {
100 NTSTATUS dcerpc_lsa_open_policy2(struct dcerpc_binding_handle *h,
102 const char *srv_name_slash,
105 struct policy_handle *pol,
108 struct lsa_ObjectAttribute attr = { .len = 0x18, };
109 struct lsa_QosInfo qos;
113 qos.impersonation_level = 2;
114 qos.context_mode = 1;
115 qos.effective_only = 0;
120 return dcerpc_lsa_OpenPolicy2(h,
129 /** Open a LSA policy handle
131 * @param cli Handle on an initialised SMB connection
134 NTSTATUS rpccli_lsa_open_policy2(struct rpc_pipe_client *cli,
135 TALLOC_CTX *mem_ctx, bool sec_qos,
136 uint32_t des_access, struct policy_handle *pol)
139 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
141 status = dcerpc_lsa_open_policy2(cli->binding_handle,
148 if (!NT_STATUS_IS_OK(status)) {
155 /* Lookup a list of sids
157 * internal version withOUT memory allocation of the target arrays.
158 * this assumes sufficiently sized arrays to store domains, names and types. */
160 static NTSTATUS dcerpc_lsa_lookup_sids_noalloc(struct dcerpc_binding_handle *h,
162 TALLOC_CTX *domains_ctx,
163 TALLOC_CTX *names_ctx,
164 struct policy_handle *pol,
166 const struct dom_sid *sids,
167 enum lsa_LookupNamesLevel level,
170 enum lsa_SidType *types,
171 bool use_lookupsids3,
175 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
176 struct lsa_SidArray sid_array;
177 struct lsa_RefDomainList *ref_domains = NULL;
178 struct lsa_TransNameArray lsa_names = { .count = 0, };
182 sid_array.num_sids = num_sids;
183 sid_array.sids = talloc_array(mem_ctx, struct lsa_SidPtr, num_sids);
184 if (sid_array.sids == NULL) {
185 return NT_STATUS_NO_MEMORY;
188 for (i = 0; i<num_sids; i++) {
189 sid_array.sids[i].sid = dom_sid_dup(mem_ctx, &sids[i]);
190 if (!sid_array.sids[i].sid) {
191 return NT_STATUS_NO_MEMORY;
195 if (use_lookupsids3) {
196 struct lsa_TransNameArray2 lsa_names2;
199 ZERO_STRUCT(lsa_names2);
201 status = dcerpc_lsa_LookupSids3(h,
208 LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES,
209 LSA_CLIENT_REVISION_2,
211 if (!NT_STATUS_IS_OK(status)) {
215 if (!NT_STATUS_LOOKUP_ERR(result)) {
216 lsa_names.count = lsa_names2.count;
217 lsa_names.names = talloc_array(mem_ctx,
218 struct lsa_TranslatedName,
220 if (lsa_names.names == NULL) {
221 return NT_STATUS_NO_MEMORY;
223 for (n=0; n < lsa_names.count; n++) {
224 lsa_names.names[n].sid_type = lsa_names2.names[n].sid_type;
225 lsa_names.names[n].name = lsa_names2.names[n].name;
226 lsa_names.names[n].sid_index = lsa_names2.names[n].sid_index;
231 status = dcerpc_lsa_LookupSids(h,
242 DEBUG(10, ("LSA_LOOKUPSIDS returned status: '%s', result: '%s', "
243 "mapped count = %d'\n",
244 nt_errstr(status), nt_errstr(result), count));
246 if (!NT_STATUS_IS_OK(status)) {
250 if (NT_STATUS_LOOKUP_ERR(result)) {
255 /* Return output parameters */
256 if (NT_STATUS_EQUAL(result, NT_STATUS_NONE_MAPPED) ||
259 for (i = 0; i < num_sids; i++) {
262 (types)[i] = SID_NAME_UNKNOWN;
264 *presult = NT_STATUS_NONE_MAPPED;
268 for (i = 0; i < num_sids; i++) {
269 const char *name, *dom_name;
272 if (i >= lsa_names.count) {
273 *presult = NT_STATUS_INVALID_NETWORK_RESPONSE;
277 dom_idx = lsa_names.names[i].sid_index;
279 /* Translate optimised name through domain index array */
281 if (dom_idx != 0xffffffff) {
282 if (ref_domains == NULL) {
283 *presult = NT_STATUS_INVALID_NETWORK_RESPONSE;
286 if (dom_idx >= ref_domains->count) {
287 *presult = NT_STATUS_INVALID_NETWORK_RESPONSE;
291 dom_name = ref_domains->domains[dom_idx].name.string;
292 name = lsa_names.names[i].name.string;
295 (names)[i] = talloc_strdup(names_ctx, name);
296 if ((names)[i] == NULL) {
297 DEBUG(0, ("cli_lsa_lookup_sids_noalloc(): out of memory\n"));
298 *presult = NT_STATUS_UNSUCCESSFUL;
304 domains[i] = talloc_strdup(domains_ctx,
305 dom_name ? dom_name : "");
306 (types)[i] = lsa_names.names[i].sid_type;
307 if ((domains)[i] == NULL) {
308 DEBUG(0, ("cli_lsa_lookup_sids_noalloc(): out of memory\n"));
309 *presult = NT_STATUS_UNSUCCESSFUL;
316 (types)[i] = SID_NAME_UNKNOWN;
320 *presult = NT_STATUS_OK;
324 /* Lookup a list of sids
326 * do it the right way: there is a limit (of 20480 for w2k3) entries
327 * returned by this call. when the sids list contains more entries,
328 * empty lists are returned. This version of lsa_lookup_sids passes
329 * the list of sids in hunks of LOOKUP_SIDS_HUNK_SIZE to the lsa call. */
331 /* This constant defines the limit of how many sids to look up
332 * in one call (maximum). the limit from the server side is
333 * at 20480 for win2k3, but we keep it at a save 1000 for now. */
334 #define LOOKUP_SIDS_HUNK_SIZE 1000
336 NTSTATUS dcerpc_lsa_lookup_sids_generic(struct dcerpc_binding_handle *h,
338 struct policy_handle *pol,
340 const struct dom_sid *sids,
341 enum lsa_LookupNamesLevel level,
344 enum lsa_SidType **ptypes,
345 bool use_lookupsids3,
348 NTSTATUS status = NT_STATUS_OK;
349 NTSTATUS result = NT_STATUS_OK;
351 int sids_processed = 0;
352 const struct dom_sid *hunk_sids = sids;
355 enum lsa_SidType *hunk_types;
356 char **domains = NULL;
358 enum lsa_SidType *types = NULL;
359 bool have_mapped = false;
360 bool have_unmapped = false;
363 domains = talloc_zero_array(mem_ctx, char *, num_sids);
364 if (domains == NULL) {
365 DEBUG(0, ("rpccli_lsa_lookup_sids(): out of memory\n"));
366 status = NT_STATUS_NO_MEMORY;
370 names = talloc_zero_array(mem_ctx, char *, num_sids);
372 DEBUG(0, ("rpccli_lsa_lookup_sids(): out of memory\n"));
373 status = NT_STATUS_NO_MEMORY;
377 types = talloc_zero_array(mem_ctx, enum lsa_SidType, num_sids);
379 DEBUG(0, ("rpccli_lsa_lookup_sids(): out of memory\n"));
380 status = NT_STATUS_NO_MEMORY;
385 sids_left = num_sids;
386 hunk_domains = domains;
390 while (sids_left > 0) {
392 NTSTATUS hunk_result = NT_STATUS_UNSUCCESSFUL;
394 hunk_num_sids = ((sids_left > LOOKUP_SIDS_HUNK_SIZE)
395 ? LOOKUP_SIDS_HUNK_SIZE
398 DEBUG(10, ("rpccli_lsa_lookup_sids: processing items "
401 sids_processed + hunk_num_sids - 1,
404 status = dcerpc_lsa_lookup_sids_noalloc(h,
406 (TALLOC_CTX *)domains,
417 if (!NT_STATUS_IS_OK(status)) {
421 if (!NT_STATUS_IS_OK(hunk_result) &&
422 !NT_STATUS_EQUAL(hunk_result, STATUS_SOME_UNMAPPED) &&
423 !NT_STATUS_EQUAL(hunk_result, NT_STATUS_NONE_MAPPED))
425 /* An actual error occurred */
426 *presult = hunk_result;
430 if (NT_STATUS_IS_OK(hunk_result)) {
433 if (NT_STATUS_EQUAL(hunk_result, NT_STATUS_NONE_MAPPED)) {
434 have_unmapped = true;
436 if (NT_STATUS_EQUAL(hunk_result, STATUS_SOME_UNMAPPED)) {
438 for (i=0; i<hunk_num_sids; i++) {
439 if (hunk_types[i] == SID_NAME_UNKNOWN) {
440 have_unmapped = true;
447 sids_left -= hunk_num_sids;
448 sids_processed += hunk_num_sids;
449 hunk_sids += hunk_num_sids;
450 hunk_domains += hunk_num_sids;
451 hunk_names += hunk_num_sids;
452 hunk_types += hunk_num_sids;
460 result = NT_STATUS_NONE_MAPPED;
463 result = STATUS_SOME_UNMAPPED;
470 TALLOC_FREE(domains);
477 NTSTATUS dcerpc_lsa_lookup_sids(struct dcerpc_binding_handle *h,
479 struct policy_handle *pol,
481 const struct dom_sid *sids,
484 enum lsa_SidType **ptypes,
487 enum lsa_LookupNamesLevel level = LSA_LOOKUP_NAMES_ALL;
488 return dcerpc_lsa_lookup_sids_generic(h,
501 NTSTATUS rpccli_lsa_lookup_sids(struct rpc_pipe_client *cli,
503 struct policy_handle *pol,
505 const struct dom_sid *sids,
508 enum lsa_SidType **ptypes)
511 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
512 enum lsa_LookupNamesLevel level = LSA_LOOKUP_NAMES_ALL;
514 status = dcerpc_lsa_lookup_sids_generic(cli->binding_handle,
525 if (!NT_STATUS_IS_OK(status)) {
532 NTSTATUS dcerpc_lsa_lookup_sids3(struct dcerpc_binding_handle *h,
534 struct policy_handle *pol,
536 const struct dom_sid *sids,
539 enum lsa_SidType **ptypes,
542 enum lsa_LookupNamesLevel level = LSA_LOOKUP_NAMES_ALL;
543 return dcerpc_lsa_lookup_sids_generic(h,
556 /** Lookup a list of names */
558 NTSTATUS dcerpc_lsa_lookup_names_generic(struct dcerpc_binding_handle *h,
560 struct policy_handle *pol,
563 const char ***dom_names,
564 enum lsa_LookupNamesLevel level,
565 struct dom_sid **sids,
566 enum lsa_SidType **types,
567 bool use_lookupnames4,
571 struct lsa_String *lsa_names = NULL;
572 struct lsa_RefDomainList *domains = NULL;
573 struct lsa_TransSidArray sid_array = { .count = 0, };
574 struct lsa_TransSidArray3 sid_array3 = { .count = 0, };
578 lsa_names = talloc_array(mem_ctx, struct lsa_String, num_names);
579 if (lsa_names == NULL) {
580 return NT_STATUS_NO_MEMORY;
583 for (i = 0; i < num_names; i++) {
584 init_lsa_String(&lsa_names[i], names[i]);
587 if (use_lookupnames4) {
588 status = dcerpc_lsa_LookupNames4(h,
596 LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES,
597 LSA_CLIENT_REVISION_2,
600 status = dcerpc_lsa_LookupNames(h,
611 if (!NT_STATUS_IS_OK(status)) {
615 if (!NT_STATUS_IS_OK(*presult) &&
616 !NT_STATUS_EQUAL(*presult, STATUS_SOME_UNMAPPED)) {
617 /* An actual error occurred */
621 /* Return output parameters */
623 *presult = NT_STATUS_NONE_MAPPED;
628 *sids = talloc_zero_array(mem_ctx, struct dom_sid, num_names);
630 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
631 *presult = NT_STATUS_NO_MEMORY;
635 *types = talloc_zero_array(mem_ctx, enum lsa_SidType, num_names);
636 if (*types == NULL) {
637 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
638 *presult = NT_STATUS_NO_MEMORY;
642 if (dom_names != NULL) {
643 *dom_names = talloc_zero_array(mem_ctx, const char *, num_names);
644 if (*dom_names == NULL) {
645 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
646 *presult = NT_STATUS_NO_MEMORY;
653 if (dom_names != NULL) {
658 for (i = 0; i < num_names; i++) {
660 struct dom_sid *sid = &(*sids)[i];
662 if (use_lookupnames4) {
663 if (i >= sid_array3.count) {
664 *presult = NT_STATUS_INVALID_NETWORK_RESPONSE;
668 dom_idx = sid_array3.sids[i].sid_index;
669 (*types)[i] = sid_array3.sids[i].sid_type;
671 if (i >= sid_array.count) {
672 *presult = NT_STATUS_INVALID_NETWORK_RESPONSE;
676 dom_idx = sid_array.sids[i].sid_index;
677 (*types)[i] = sid_array.sids[i].sid_type;
680 /* Translate optimised sid through domain index array */
682 if (dom_idx == 0xffffffff) {
683 /* Nothing to do, this is unknown */
685 (*types)[i] = SID_NAME_UNKNOWN;
688 if (domains == NULL) {
689 *presult = NT_STATUS_INVALID_NETWORK_RESPONSE;
692 if (dom_idx >= domains->count) {
693 *presult = NT_STATUS_INVALID_NETWORK_RESPONSE;
697 if (use_lookupnames4) {
698 sid_copy(sid, sid_array3.sids[i].sid);
700 sid_copy(sid, domains->domains[dom_idx].sid);
702 if (sid_array.sids[i].rid != 0xffffffff) {
703 sid_append_rid(sid, sid_array.sids[i].rid);
707 if (dom_names == NULL) {
711 (*dom_names)[i] = domains->domains[dom_idx].name.string;
718 NTSTATUS dcerpc_lsa_lookup_names(struct dcerpc_binding_handle *h,
720 struct policy_handle *pol,
723 const char ***dom_names,
724 enum lsa_LookupNamesLevel level,
725 struct dom_sid **sids,
726 enum lsa_SidType **types,
729 return dcerpc_lsa_lookup_names_generic(h,
742 NTSTATUS rpccli_lsa_lookup_names(struct rpc_pipe_client *cli,
744 struct policy_handle *pol,
747 const char ***dom_names,
749 struct dom_sid **sids,
750 enum lsa_SidType **types)
753 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
755 status = dcerpc_lsa_lookup_names(cli->binding_handle,
765 if (!NT_STATUS_IS_OK(status)) {
772 NTSTATUS dcerpc_lsa_lookup_names4(struct dcerpc_binding_handle *h,
774 struct policy_handle *pol,
777 const char ***dom_names,
778 enum lsa_LookupNamesLevel level,
779 struct dom_sid **sids,
780 enum lsa_SidType **types,
783 return dcerpc_lsa_lookup_names_generic(h,