+ rpcstr_pull_unistr2_fstring(netname, &info1->info_1_str.uni_netname);
+ rpcstr_pull_unistr2_fstring(remark, &info1->info_1_str.uni_remark);
+
+ if (opt_long_list_entries) {
+ d_printf("%-12s %-8.8s %-50s\n",
+ netname, share_type[info1->info_1.type], remark);
+ } else {
+ d_printf("%s\n", netname);
+ }
+
+}
+
+
+static WERROR get_share_info(struct cli_state *cli, TALLOC_CTX *mem_ctx,
+ uint32 level, int argc, const char **argv,
+ SRV_SHARE_INFO_CTR *ctr)
+{
+ WERROR result;
+ SRV_SHARE_INFO info;
+
+ /* no specific share requested, enumerate all */
+ if (argc == 0) {
+
+ ENUM_HND hnd;
+ uint32 preferred_len = 0xffffffff;
+
+ init_enum_hnd(&hnd, 0);
+
+ return cli_srvsvc_net_share_enum(cli, mem_ctx, level, ctr,
+ preferred_len, &hnd);
+ }
+
+ /* request just one share */
+ result = cli_srvsvc_net_share_get_info(cli, mem_ctx, argv[0], level, &info);
+
+ if (!W_ERROR_IS_OK(result))
+ goto done;
+
+ /* construct ctr */
+ ZERO_STRUCTP(ctr);
+
+ ctr->info_level = ctr->switch_value = level;
+ ctr->ptr_share_info = ctr->ptr_entries = 1;
+ ctr->num_entries = ctr->num_entries2 = 1;
+
+ switch (level) {
+ case 1:
+ {
+ char *s;
+ SRV_SHARE_INFO_1 *info1;
+
+ ctr->share.info1 = TALLOC_ARRAY(mem_ctx, SRV_SHARE_INFO_1, 1);
+ info1 = ctr->share.info1;
+
+ memset(ctr->share.info1, 0, sizeof(SRV_SHARE_INFO_1));
+
+ /* Copy pointer crap */
+
+ memcpy(&info1->info_1, &info.share.info1.info_1, sizeof(SH_INFO_1));
+
+ /* Duplicate strings */
+
+ s = unistr2_tdup(mem_ctx, &info.share.info1.info_1_str.uni_netname);
+ if (s)
+ init_unistr2(&info1->info_1_str.uni_netname, s, UNI_STR_TERMINATE);
+
+ s = unistr2_tdup(mem_ctx, &info.share.info1.info_1_str.uni_remark);
+ if (s)
+ init_unistr2(&info1->info_1_str.uni_remark, s, UNI_STR_TERMINATE);
+ }
+ case 2:
+ {
+ char *s;
+ SRV_SHARE_INFO_2 *info2;
+
+ ctr->share.info2 = TALLOC_ARRAY(mem_ctx, SRV_SHARE_INFO_2, 1);
+ info2 = ctr->share.info2;
+
+ memset(ctr->share.info2, 0, sizeof(SRV_SHARE_INFO_2));
+
+ /* Copy pointer crap */
+
+ memcpy(&info2->info_2, &info.share.info2.info_2, sizeof(SH_INFO_2));
+
+ /* Duplicate strings */
+
+ s = unistr2_tdup(mem_ctx, &info.share.info2.info_2_str.uni_netname);
+ if (s)
+ init_unistr2(&info2->info_2_str.uni_netname, s, UNI_STR_TERMINATE);
+
+ s = unistr2_tdup(mem_ctx, &info.share.info2.info_2_str.uni_remark);
+ if (s)
+ init_unistr2(&info2->info_2_str.uni_remark, s, UNI_STR_TERMINATE);
+
+ s = unistr2_tdup(mem_ctx, &info.share.info2.info_2_str.uni_path);
+ if (s)
+ init_unistr2(&info2->info_2_str.uni_path, s, UNI_STR_TERMINATE);
+
+ s = unistr2_tdup(mem_ctx, &info.share.info2.info_2_str.uni_passwd);
+ if (s)
+ init_unistr2(&info2->info_2_str.uni_passwd, s, UNI_STR_TERMINATE);
+ }
+ case 502:
+ {
+ char *s;
+ SRV_SHARE_INFO_502 *info502;
+
+ ctr->share.info502 = TALLOC_ARRAY(mem_ctx, SRV_SHARE_INFO_502, 1);
+ info502 = ctr->share.info502;
+
+ memset(ctr->share.info502, 0, sizeof(SRV_SHARE_INFO_502));
+
+ /* Copy pointer crap */
+
+ memcpy(&info502->info_502, &info.share.info502.info_502, sizeof(SH_INFO_502));
+
+ /* Duplicate strings */
+
+ s = unistr2_tdup(mem_ctx, &info.share.info502.info_502_str.uni_netname);
+ if (s)
+ init_unistr2(&info502->info_502_str.uni_netname, s, UNI_STR_TERMINATE);
+
+ s = unistr2_tdup(mem_ctx, &info.share.info502.info_502_str.uni_remark);
+ if (s)
+ init_unistr2(&info502->info_502_str.uni_remark, s, UNI_STR_TERMINATE);
+
+ s = unistr2_tdup(mem_ctx, &info.share.info502.info_502_str.uni_path);
+ if (s)
+ init_unistr2(&info502->info_502_str.uni_path, s, UNI_STR_TERMINATE);
+
+ s = unistr2_tdup(mem_ctx, &info.share.info502.info_502_str.uni_passwd);
+ if (s)
+ init_unistr2(&info502->info_502_str.uni_passwd, s, UNI_STR_TERMINATE);
+
+ info502->info_502_str.sd = dup_sec_desc(mem_ctx, info.share.info502.info_502_str.sd);
+
+ }
+
+ } /* switch */
+
+done:
+ return result;
+}
+
+/**
+ * List shares on a remote RPC server
+ *
+ * All parameters are provided by the run_rpc_command function, except for
+ * argc, argv which are passes through.
+ *
+ * @param domain_sid The domain sid acquired from the remote server
+ * @param cli A cli_state connected to the server.
+ * @param mem_ctx Talloc context, destoyed on completion of the function.
+ * @param argc Standard main() style argc
+ * @param argv Standard main() style argv. Initial components are already
+ * stripped
+ *
+ * @return Normal NTSTATUS return.
+ **/
+
+static NTSTATUS
+rpc_share_list_internals(const DOM_SID *domain_sid, const char *domain_name,
+ struct cli_state *cli,
+ TALLOC_CTX *mem_ctx, int argc, const char **argv)
+{
+ SRV_SHARE_INFO_CTR ctr;
+ WERROR result;
+ uint32 i, level = 1;
+
+ result = get_share_info(cli, mem_ctx, level, argc, argv, &ctr);
+ if (!W_ERROR_IS_OK(result))
+ goto done;
+
+ /* Display results */
+
+ if (opt_long_list_entries) {
+ d_printf(
+ "\nEnumerating shared resources (exports) on remote server:\n\n"\
+ "\nShare name Type Description\n"\
+ "---------- ---- -----------\n");
+ }
+ for (i = 0; i < ctr.num_entries; i++)
+ display_share_info_1(&ctr.share.info1[i]);
+ done:
+ return W_ERROR_IS_OK(result) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
+}
+
+/***
+ * 'net rpc share list' entrypoint.
+ * @param argc Standard main() style argc
+ * @param argv Standard main() style argv. Initial components are already
+ * stripped
+ **/
+static int rpc_share_list(int argc, const char **argv)
+{
+ return run_rpc_command(NULL, PI_SRVSVC, 0, rpc_share_list_internals, argc, argv);
+}
+
+static BOOL check_share_availability(struct cli_state *cli, const char *netname)
+{
+ if (!cli_send_tconX(cli, netname, "A:", "", 0)) {
+ d_printf("skipping [%s]: not a file share.\n", netname);
+ return False;
+ }
+
+ if (!cli_tdis(cli))
+ return False;
+
+ return True;
+}
+
+static BOOL check_share_sanity(struct cli_state *cli, fstring netname, uint32 type)
+{
+ /* only support disk shares */
+ if (! ( type == STYPE_DISKTREE || type == (STYPE_DISKTREE | STYPE_HIDDEN)) ) {
+ printf("share [%s] is not a diskshare (type: %x)\n", netname, type);
+ return False;
+ }
+
+ /* skip builtin shares */
+ /* FIXME: should print$ be added too ? */
+ if (strequal(netname,"IPC$") || strequal(netname,"ADMIN$") ||
+ strequal(netname,"global"))
+ return False;
+
+ if (opt_exclude && in_list(netname, opt_exclude, False)) {
+ printf("excluding [%s]\n", netname);
+ return False;
+ }
+
+ return check_share_availability(cli, netname);
+}
+
+/**
+ * Migrate shares from a remote RPC server to the local RPC srever
+ *
+ * All parameters are provided by the run_rpc_command function, except for
+ * argc, argv which are passes through.
+ *
+ * @param domain_sid The domain sid acquired from the remote server
+ * @param cli A cli_state connected to the server.
+ * @param mem_ctx Talloc context, destoyed on completion of the function.
+ * @param argc Standard main() style argc
+ * @param argv Standard main() style argv. Initial components are already
+ * stripped
+ *
+ * @return Normal NTSTATUS return.
+ **/
+static NTSTATUS
+rpc_share_migrate_shares_internals(const DOM_SID *domain_sid, const char *domain_name,
+ struct cli_state *cli, TALLOC_CTX *mem_ctx,
+ int argc, const char **argv)
+{
+ WERROR result;
+ NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
+ SRV_SHARE_INFO_CTR ctr_src;
+ uint32 type = STYPE_DISKTREE; /* only allow disk shares to be added */
+ char *password = NULL; /* don't allow a share password */
+ uint32 i;
+ BOOL got_dst_srvsvc_pipe = False;
+ struct cli_state *cli_dst = NULL;
+ uint32 level = 502; /* includes secdesc */
+
+ result = get_share_info(cli, mem_ctx, level, argc, argv, &ctr_src);
+ if (!W_ERROR_IS_OK(result))
+ goto done;
+
+ /* connect destination PI_SRVSVC */
+ nt_status = connect_dst_pipe(&cli_dst, PI_SRVSVC, &got_dst_srvsvc_pipe);
+ if (!NT_STATUS_IS_OK(nt_status))
+ return nt_status;
+
+
+ for (i = 0; i < ctr_src.num_entries; i++) {
+
+ fstring netname = "", remark = "", path = "";
+ /* reset error-code */
+ nt_status = NT_STATUS_UNSUCCESSFUL;
+
+ rpcstr_pull_unistr2_fstring(
+ netname, &ctr_src.share.info502[i].info_502_str.uni_netname);
+ rpcstr_pull_unistr2_fstring(
+ remark, &ctr_src.share.info502[i].info_502_str.uni_remark);
+ rpcstr_pull_unistr2_fstring(
+ path, &ctr_src.share.info502[i].info_502_str.uni_path);
+
+ if (!check_share_sanity(cli, netname, ctr_src.share.info502[i].info_502.type))
+ continue;
+
+ /* finally add the share on the dst server */
+
+ printf("migrating: [%s], path: %s, comment: %s, without share-ACLs\n",
+ netname, path, remark);
+
+ result = cli_srvsvc_net_share_add(cli_dst, mem_ctx, netname, type, remark,
+ ctr_src.share.info502[i].info_502.perms,
+ ctr_src.share.info502[i].info_502.max_uses,
+ ctr_src.share.info502[i].info_502.num_uses,
+ path, password, level,
+ NULL);
+
+ if (W_ERROR_V(result) == W_ERROR_V(WERR_ALREADY_EXISTS)) {
+ printf(" [%s] does already exist\n", netname);
+ continue;
+ }
+
+ if (!W_ERROR_IS_OK(result)) {
+ printf("cannot add share: %s\n", dos_errstr(result));
+ goto done;
+ }
+
+ }
+
+ nt_status = NT_STATUS_OK;
+
+done:
+ if (got_dst_srvsvc_pipe) {
+ cli_nt_session_close(cli_dst);
+ cli_shutdown(cli_dst);
+ }
+
+ return nt_status;
+
+}
+
+/**
+ * Migrate shares from a rpc-server to another
+ *
+ * @param argc Standard main() style argc
+ * @param argv Standard main() style argv. Initial components are already
+ * stripped
+ *
+ * @return A shell status integer (0 for success)
+ **/
+static int rpc_share_migrate_shares(int argc, const char **argv)
+{
+
+ if (!opt_host) {
+ printf("no server to migrate\n");
+ return -1;
+ }
+
+ return run_rpc_command(NULL, PI_SRVSVC, 0,
+ rpc_share_migrate_shares_internals,
+ argc, argv);
+}
+
+/**
+ * Copy a file/dir
+ *
+ * @param f file_info
+ * @param mask current search mask
+ * @param state arg-pointer
+ *
+ **/
+static void copy_fn(const char *mnt, file_info *f, const char *mask, void *state)
+{
+ static NTSTATUS nt_status;
+ static struct copy_clistate *local_state;
+ static fstring filename, new_mask;
+ fstring dir;
+ char *old_dir;
+
+ local_state = (struct copy_clistate *)state;
+ nt_status = NT_STATUS_UNSUCCESSFUL;
+
+ if (strequal(f->name, ".") || strequal(f->name, ".."))
+ return;
+
+ DEBUG(3,("got mask: %s, name: %s\n", mask, f->name));
+
+ /* DIRECTORY */
+ if (f->mode & aDIR) {
+
+ DEBUG(3,("got dir: %s\n", f->name));
+
+ fstrcpy(dir, local_state->cwd);
+ fstrcat(dir, "\\");
+ fstrcat(dir, f->name);
+
+ switch (net_mode_share)
+ {
+ case NET_MODE_SHARE_MIGRATE:
+ /* create that directory */
+ nt_status = net_copy_file(local_state->mem_ctx,
+ local_state->cli_share_src,
+ local_state->cli_share_dst,
+ dir, dir,
+ opt_acls? True : False,
+ opt_attrs? True : False,
+ opt_timestamps? True : False,
+ False);
+ break;
+ default:
+ d_printf("Unsupported mode %d\n", net_mode_share);
+ return;
+ }
+
+ if (!NT_STATUS_IS_OK(nt_status))
+ printf("could not handle dir %s: %s\n",
+ dir, nt_errstr(nt_status));
+
+ /* search below that directory */
+ fstrcpy(new_mask, dir);
+ fstrcat(new_mask, "\\*");
+
+ old_dir = local_state->cwd;
+ local_state->cwd = dir;
+ if (!sync_files(local_state, new_mask))
+ printf("could not handle files\n");
+ local_state->cwd = old_dir;
+
+ return;
+ }
+
+
+ /* FILE */
+ fstrcpy(filename, local_state->cwd);
+ fstrcat(filename, "\\");
+ fstrcat(filename, f->name);
+
+ DEBUG(3,("got file: %s\n", filename));
+
+ switch (net_mode_share)
+ {
+ case NET_MODE_SHARE_MIGRATE:
+ nt_status = net_copy_file(local_state->mem_ctx,
+ local_state->cli_share_src,
+ local_state->cli_share_dst,
+ filename, filename,
+ opt_acls? True : False,
+ opt_attrs? True : False,
+ opt_timestamps? True: False,
+ True);
+ break;
+ default:
+ d_printf("Unsupported file mode %d\n", net_mode_share);
+ return;
+ }
+
+ if (!NT_STATUS_IS_OK(nt_status))
+ printf("could not handle file %s: %s\n",
+ filename, nt_errstr(nt_status));
+
+}
+
+/**
+ * sync files, can be called recursivly to list files
+ * and then call copy_fn for each file
+ *
+ * @param cp_clistate pointer to the copy_clistate we work with
+ * @param mask the current search mask
+ *
+ * @return Boolean result
+ **/
+BOOL sync_files(struct copy_clistate *cp_clistate, pstring mask)
+{
+
+ DEBUG(3,("calling cli_list with mask: %s\n", mask));
+
+ if (cli_list(cp_clistate->cli_share_src, mask, cp_clistate->attribute, copy_fn, cp_clistate) == -1) {
+ d_printf("listing %s failed with error: %s\n",
+ mask, cli_errstr(cp_clistate->cli_share_src));
+ return False;
+ }
+
+ return True;
+}
+
+
+/**
+ * Set the top level directory permissions before we do any further copies.
+ * Should set up ACL inheritance.
+ **/
+
+BOOL copy_top_level_perms(struct copy_clistate *cp_clistate,
+ const char *sharename)
+{
+ NTSTATUS nt_status;
+
+ switch (net_mode_share) {
+ case NET_MODE_SHARE_MIGRATE:
+ DEBUG(3,("calling net_copy_fileattr for '.' directory in share %s\n", sharename));
+ nt_status = net_copy_fileattr(cp_clistate->mem_ctx,
+ cp_clistate->cli_share_src,
+ cp_clistate->cli_share_dst,
+ "\\", "\\",
+ opt_acls? True : False,
+ opt_attrs? True : False,
+ opt_timestamps? True: False,
+ False);
+ break;
+ default:
+ d_printf("Unsupported mode %d\n", net_mode_share);
+ break;
+ }
+
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ printf("Could handle directory attributes for top level directory of share %s. Error %s\n",
+ sharename, nt_errstr(nt_status));
+ return False;
+ }
+
+ return True;
+}
+
+
+/**
+ * Sync all files inside a remote share to another share (over smb)
+ *
+ * All parameters are provided by the run_rpc_command function, except for
+ * argc, argv which are passes through.
+ *
+ * @param domain_sid The domain sid acquired from the remote server
+ * @param cli A cli_state connected to the server.
+ * @param mem_ctx Talloc context, destoyed on completion of the function.
+ * @param argc Standard main() style argc
+ * @param argv Standard main() style argv. Initial components are already
+ * stripped
+ *
+ * @return Normal NTSTATUS return.
+ **/
+static NTSTATUS
+rpc_share_migrate_files_internals(const DOM_SID *domain_sid, const char *domain_name,
+ struct cli_state *cli, TALLOC_CTX *mem_ctx,
+ int argc, const char **argv)
+{
+ WERROR result;
+ NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
+ SRV_SHARE_INFO_CTR ctr_src;
+ uint32 i;
+ uint32 level = 502;
+ struct copy_clistate cp_clistate;
+ BOOL got_src_share = False;
+ BOOL got_dst_share = False;
+ pstring mask = "\\*";
+ char *dst = NULL;
+
+ dst = SMB_STRDUP(opt_destination?opt_destination:"127.0.0.1");
+
+ result = get_share_info(cli, mem_ctx, level, argc, argv, &ctr_src);
+
+ if (!W_ERROR_IS_OK(result))
+ goto done;
+
+ for (i = 0; i < ctr_src.num_entries; i++) {
+
+ fstring netname = "";
+
+ rpcstr_pull_unistr2_fstring(
+ netname, &ctr_src.share.info502[i].info_502_str.uni_netname);
+
+ if (!check_share_sanity(cli, netname, ctr_src.share.info502[i].info_502.type))
+ continue;
+
+ /* one might not want to mirror whole discs :) */
+ if (strequal(netname, "print$") || netname[1] == '$') {
+ d_printf("skipping [%s]: builtin/hidden share\n", netname);
+ continue;
+ }
+
+ switch (net_mode_share)
+ {
+ case NET_MODE_SHARE_MIGRATE:
+ printf("syncing");
+ break;
+ default:
+ d_printf("Unsupported mode %d\n", net_mode_share);
+ break;
+ }
+ printf(" [%s] files and directories %s ACLs, %s DOS Attributes %s\n",
+ netname,
+ opt_acls ? "including" : "without",
+ opt_attrs ? "including" : "without",
+ opt_timestamps ? "(preserving timestamps)" : "");
+
+ cp_clistate.mem_ctx = mem_ctx;
+ cp_clistate.cli_share_src = NULL;
+ cp_clistate.cli_share_dst = NULL;
+ cp_clistate.cwd = NULL;
+ cp_clistate.attribute = aSYSTEM | aHIDDEN | aDIR;
+
+ /* open share source */
+ nt_status = connect_to_service(&cp_clistate.cli_share_src,
+ &cli->dest_ip, cli->desthost,
+ netname, "A:");
+ if (!NT_STATUS_IS_OK(nt_status))
+ goto done;
+
+ got_src_share = True;
+
+ if (net_mode_share == NET_MODE_SHARE_MIGRATE) {
+ /* open share destination */
+ nt_status = connect_to_service(&cp_clistate.cli_share_dst,
+ NULL, dst, netname, "A:");
+ if (!NT_STATUS_IS_OK(nt_status))
+ goto done;
+
+ got_dst_share = True;
+ }
+
+ if (!copy_top_level_perms(&cp_clistate, netname)) {
+ d_printf("Could not handle the top level directory permissions for the share: %s\n", netname);
+ nt_status = NT_STATUS_UNSUCCESSFUL;
+ goto done;
+ }
+
+ if (!sync_files(&cp_clistate, mask)) {
+ d_printf("could not handle files for share: %s\n", netname);
+ nt_status = NT_STATUS_UNSUCCESSFUL;
+ goto done;
+ }
+ }
+
+ nt_status = NT_STATUS_OK;
+
+done:
+
+ if (got_src_share)
+ cli_shutdown(cp_clistate.cli_share_src);
+
+ if (got_dst_share)
+ cli_shutdown(cp_clistate.cli_share_dst);
+
+ return nt_status;
+
+}
+
+static int rpc_share_migrate_files(int argc, const char **argv)
+{
+
+ if (!opt_host) {
+ printf("no server to migrate\n");
+ return -1;
+ }
+
+ return run_rpc_command(NULL, PI_SRVSVC, 0,
+ rpc_share_migrate_files_internals,
+ argc, argv);
+}
+
+/**
+ * Migrate share-ACLs from a remote RPC server to the local RPC srever
+ *
+ * All parameters are provided by the run_rpc_command function, except for
+ * argc, argv which are passes through.
+ *
+ * @param domain_sid The domain sid acquired from the remote server
+ * @param cli A cli_state connected to the server.
+ * @param mem_ctx Talloc context, destoyed on completion of the function.
+ * @param argc Standard main() style argc
+ * @param argv Standard main() style argv. Initial components are already
+ * stripped
+ *
+ * @return Normal NTSTATUS return.
+ **/
+static NTSTATUS
+rpc_share_migrate_security_internals(const DOM_SID *domain_sid, const char *domain_name,
+ struct cli_state *cli, TALLOC_CTX *mem_ctx,
+ int argc, const char **argv)
+{
+ WERROR result;
+ NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
+ SRV_SHARE_INFO_CTR ctr_src;
+ SRV_SHARE_INFO info;
+ uint32 i;
+ BOOL got_dst_srvsvc_pipe = False;
+ struct cli_state *cli_dst = NULL;
+ uint32 level = 502; /* includes secdesc */
+
+ result = get_share_info(cli, mem_ctx, level, argc, argv, &ctr_src);
+
+ if (!W_ERROR_IS_OK(result))
+ goto done;
+
+ /* connect destination PI_SRVSVC */
+ nt_status = connect_dst_pipe(&cli_dst, PI_SRVSVC, &got_dst_srvsvc_pipe);
+ if (!NT_STATUS_IS_OK(nt_status))
+ return nt_status;
+
+
+ for (i = 0; i < ctr_src.num_entries; i++) {
+
+ fstring netname = "", remark = "", path = "";
+ /* reset error-code */
+ nt_status = NT_STATUS_UNSUCCESSFUL;
+
+ rpcstr_pull_unistr2_fstring(
+ netname, &ctr_src.share.info502[i].info_502_str.uni_netname);
+ rpcstr_pull_unistr2_fstring(
+ remark, &ctr_src.share.info502[i].info_502_str.uni_remark);
+ rpcstr_pull_unistr2_fstring(
+ path, &ctr_src.share.info502[i].info_502_str.uni_path);
+
+ if (!check_share_sanity(cli, netname, ctr_src.share.info502[i].info_502.type))
+ continue;
+
+ printf("migrating: [%s], path: %s, comment: %s, including share-ACLs\n",
+ netname, path, remark);
+
+ if (opt_verbose)
+ display_sec_desc(ctr_src.share.info502[i].info_502_str.sd);
+
+ /* init info */
+ ZERO_STRUCT(info);
+
+ info.switch_value = level;
+ info.ptr_share_ctr = 1;
+
+ /* FIXME: shouldn't we be able to just set the security descriptor ? */
+ info.share.info502 = ctr_src.share.info502[i];
+
+ /* finally modify the share on the dst server */
+ result = cli_srvsvc_net_share_set_info(cli_dst, mem_ctx, netname, level, &info);
+
+ if (!W_ERROR_IS_OK(result)) {
+ printf("cannot set share-acl: %s\n", dos_errstr(result));
+ goto done;
+ }
+
+ }
+
+ nt_status = NT_STATUS_OK;
+
+done:
+ if (got_dst_srvsvc_pipe) {
+ cli_nt_session_close(cli_dst);
+ cli_shutdown(cli_dst);
+ }
+
+ return nt_status;
+
+}
+
+/**
+ * Migrate share-acls from a rpc-server to another
+ *
+ * @param argc Standard main() style argc
+ * @param argv Standard main() style argv. Initial components are already
+ * stripped
+ *
+ * @return A shell status integer (0 for success)
+ **/
+static int rpc_share_migrate_security(int argc, const char **argv)
+{
+
+ if (!opt_host) {
+ printf("no server to migrate\n");
+ return -1;
+ }
+
+ return run_rpc_command(NULL, PI_SRVSVC, 0,
+ rpc_share_migrate_security_internals,
+ argc, argv);
+}
+
+/**
+ * Migrate shares (including share-definitions, share-acls and files with acls/attrs)
+ * from one server to another
+ *
+ * @param argc Standard main() style argc
+ * @param argv Standard main() style argv. Initial components are already
+ * stripped
+ *
+ * @return A shell status integer (0 for success)
+ *
+ **/
+static int rpc_share_migrate_all(int argc, const char **argv)
+{
+ int ret;
+
+ if (!opt_host) {
+ printf("no server to migrate\n");
+ return -1;
+ }
+
+ /* order is important. we don't want to be locked out by the share-acl
+ * before copying files - gd */
+
+ ret = run_rpc_command(NULL, PI_SRVSVC, 0, rpc_share_migrate_shares_internals, argc, argv);
+ if (ret)
+ return ret;
+
+ ret = run_rpc_command(NULL, PI_SRVSVC, 0, rpc_share_migrate_files_internals, argc, argv);
+ if (ret)
+ return ret;
+
+ return run_rpc_command(NULL, PI_SRVSVC, 0, rpc_share_migrate_security_internals, argc, argv);
+}
+
+
+/**
+ * 'net rpc share migrate' entrypoint.
+ * @param argc Standard main() style argc
+ * @param argv Standard main() style argv. Initial components are already
+ * stripped
+ **/
+static int rpc_share_migrate(int argc, const char **argv)
+{
+
+ struct functable func[] = {
+ {"all", rpc_share_migrate_all},
+ {"files", rpc_share_migrate_files},
+ {"help", rpc_share_usage},
+ {"security", rpc_share_migrate_security},
+ {"shares", rpc_share_migrate_shares},
+ {NULL, NULL}
+ };
+
+ net_mode_share = NET_MODE_SHARE_MIGRATE;
+
+ return net_run_function(argc, argv, func, rpc_share_usage);
+}
+
+struct full_alias {
+ DOM_SID sid;
+ uint32 num_members;
+ DOM_SID *members;
+};
+
+static int num_server_aliases;
+static struct full_alias *server_aliases;
+
+/*
+ * Add an alias to the static list.
+ */
+static void push_alias(TALLOC_CTX *mem_ctx, struct full_alias *alias)
+{
+ if (server_aliases == NULL)
+ server_aliases = SMB_MALLOC_ARRAY(struct full_alias, 100);
+
+ server_aliases[num_server_aliases] = *alias;
+ num_server_aliases += 1;
+}
+
+/*
+ * For a specific domain on the server, fetch all the aliases
+ * and their members. Add all of them to the server_aliases.
+ */
+static NTSTATUS
+rpc_fetch_domain_aliases(struct cli_state *cli, TALLOC_CTX *mem_ctx,
+ POLICY_HND *connect_pol,
+ const DOM_SID *domain_sid)
+{
+ uint32 start_idx, max_entries, num_entries, i;
+ struct acct_info *groups;
+ NTSTATUS result;
+ POLICY_HND domain_pol;
+
+ /* Get domain policy handle */
+
+ result = cli_samr_open_domain(cli, mem_ctx, connect_pol,
+ MAXIMUM_ALLOWED_ACCESS,
+ domain_sid, &domain_pol);
+ if (!NT_STATUS_IS_OK(result))
+ return result;
+
+ start_idx = 0;
+ max_entries = 250;
+
+ do {
+ result = cli_samr_enum_als_groups(cli, mem_ctx, &domain_pol,
+ &start_idx, max_entries,
+ &groups, &num_entries);
+
+ for (i = 0; i < num_entries; i++) {
+
+ POLICY_HND alias_pol;
+ struct full_alias alias;
+ DOM_SID *members;
+ int j;
+
+ result = cli_samr_open_alias(cli, mem_ctx, &domain_pol,
+ MAXIMUM_ALLOWED_ACCESS,
+ groups[i].rid,
+ &alias_pol);
+ if (!NT_STATUS_IS_OK(result))
+ goto done;
+
+ result = cli_samr_query_aliasmem(cli, mem_ctx,
+ &alias_pol,
+ &alias.num_members,
+ &members);
+ if (!NT_STATUS_IS_OK(result))
+ goto done;
+
+ result = cli_samr_close(cli, mem_ctx, &alias_pol);
+ if (!NT_STATUS_IS_OK(result))
+ goto done;
+
+ alias.members = NULL;
+
+ if (alias.num_members > 0) {
+ alias.members = SMB_MALLOC_ARRAY(DOM_SID, alias.num_members);
+
+ for (j = 0; j < alias.num_members; j++)
+ sid_copy(&alias.members[j],
+ &members[j]);
+ }
+
+ sid_copy(&alias.sid, domain_sid);
+ sid_append_rid(&alias.sid, groups[i].rid);
+
+ push_alias(mem_ctx, &alias);
+ }
+ } while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES));
+
+ result = NT_STATUS_OK;
+
+ done:
+ cli_samr_close(cli, mem_ctx, &domain_pol);
+
+ return result;
+}
+
+/*
+ * Dump server_aliases as names for debugging purposes.
+ */
+static NTSTATUS
+rpc_aliaslist_dump(const DOM_SID *domain_sid, const char *domain_name,
+ struct cli_state *cli, TALLOC_CTX *mem_ctx,
+ int argc, const char **argv)
+{
+ int i;
+ NTSTATUS result;
+ POLICY_HND lsa_pol;
+
+ result = cli_lsa_open_policy(cli, mem_ctx, True,
+ SEC_RIGHTS_MAXIMUM_ALLOWED,
+ &lsa_pol);
+ if (!NT_STATUS_IS_OK(result))
+ return result;
+
+ for (i=0; i<num_server_aliases; i++) {
+ char **names;
+ char **domains;
+ uint32 *types;
+ int j;
+
+ struct full_alias *alias = &server_aliases[i];
+
+ result = cli_lsa_lookup_sids(cli, mem_ctx, &lsa_pol, 1,
+ &alias->sid,
+ &domains, &names, &types);
+ if (!NT_STATUS_IS_OK(result))
+ continue;
+
+ DEBUG(1, ("%s\\%s %d: ", domains[0], names[0], types[0]));
+
+ if (alias->num_members == 0) {
+ DEBUG(1, ("\n"));
+ continue;
+ }
+
+ result = cli_lsa_lookup_sids(cli, mem_ctx, &lsa_pol,
+ alias->num_members,
+ alias->members,
+ &domains, &names, &types);
+
+ if (!NT_STATUS_IS_OK(result) &&
+ !NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED))
+ continue;
+
+ for (j=0; j<alias->num_members; j++)
+ DEBUG(1, ("%s\\%s (%d); ",
+ domains[j] ? domains[j] : "*unknown*",
+ names[j] ? names[j] : "*unknown*",types[j]));
+ DEBUG(1, ("\n"));
+ }
+
+ cli_lsa_close(cli, mem_ctx, &lsa_pol);
+
+ return NT_STATUS_OK;
+}
+
+/*
+ * Fetch a list of all server aliases and their members into
+ * server_aliases.
+ */
+static NTSTATUS
+rpc_aliaslist_internals(const DOM_SID *domain_sid, const char *domain_name,
+ struct cli_state *cli, TALLOC_CTX *mem_ctx,
+ int argc, const char **argv)
+{
+ NTSTATUS result;
+ POLICY_HND connect_pol;
+
+ result = cli_samr_connect(cli, mem_ctx, MAXIMUM_ALLOWED_ACCESS,
+ &connect_pol);
+
+ if (!NT_STATUS_IS_OK(result))
+ goto done;
+
+ result = rpc_fetch_domain_aliases(cli, mem_ctx, &connect_pol,
+ &global_sid_Builtin);
+
+ if (!NT_STATUS_IS_OK(result))
+ goto done;
+
+ result = rpc_fetch_domain_aliases(cli, mem_ctx, &connect_pol,
+ domain_sid);
+
+ cli_samr_close(cli, mem_ctx, &connect_pol);
+ done:
+ return result;
+}
+
+static void init_user_token(NT_USER_TOKEN *token, DOM_SID *user_sid)
+{
+ token->num_sids = 4;
+
+ token->user_sids = SMB_MALLOC_ARRAY(DOM_SID, 4);
+
+ token->user_sids[0] = *user_sid;
+ sid_copy(&token->user_sids[1], &global_sid_World);
+ sid_copy(&token->user_sids[2], &global_sid_Network);
+ sid_copy(&token->user_sids[3], &global_sid_Authenticated_Users);
+}
+
+static void free_user_token(NT_USER_TOKEN *token)
+{
+ SAFE_FREE(token->user_sids);
+}
+
+static BOOL is_sid_in_token(NT_USER_TOKEN *token, DOM_SID *sid)
+{
+ int i;
+
+ for (i=0; i<token->num_sids; i++) {
+ if (sid_compare(sid, &token->user_sids[i]) == 0)
+ return True;
+ }
+ return False;
+}
+
+static void add_sid_to_token(NT_USER_TOKEN *token, DOM_SID *sid)
+{
+ if (is_sid_in_token(token, sid))
+ return;
+
+ token->user_sids = SMB_REALLOC_ARRAY(token->user_sids, DOM_SID, token->num_sids+1);
+
+ sid_copy(&token->user_sids[token->num_sids], sid);
+
+ token->num_sids += 1;
+}
+
+struct user_token {
+ fstring name;
+ NT_USER_TOKEN token;
+};
+
+static void dump_user_token(struct user_token *token)
+{
+ int i;
+
+ d_printf("%s\n", token->name);
+
+ for (i=0; i<token->token.num_sids; i++) {
+ d_printf(" %s\n", sid_string_static(&token->token.user_sids[i]));
+ }
+}
+
+static BOOL is_alias_member(DOM_SID *sid, struct full_alias *alias)
+{
+ int i;
+
+ for (i=0; i<alias->num_members; i++) {
+ if (sid_compare(sid, &alias->members[i]) == 0)
+ return True;
+ }
+
+ return False;
+}
+
+static void collect_sid_memberships(NT_USER_TOKEN *token, DOM_SID sid)
+{
+ int i;
+
+ for (i=0; i<num_server_aliases; i++) {
+ if (is_alias_member(&sid, &server_aliases[i]))
+ add_sid_to_token(token, &server_aliases[i].sid);
+ }
+}
+
+/*
+ * We got a user token with all the SIDs we can know about without asking the
+ * server directly. These are the user and domain group sids. All of these can
+ * be members of aliases. So scan the list of aliases for each of the SIDs and
+ * add them to the token.
+ */
+
+static void collect_alias_memberships(NT_USER_TOKEN *token)
+{
+ int num_global_sids = token->num_sids;
+ int i;
+
+ for (i=0; i<num_global_sids; i++) {
+ collect_sid_memberships(token, token->user_sids[i]);
+ }
+}
+
+static BOOL get_user_sids(const char *domain, const char *user,
+ NT_USER_TOKEN *token)
+{
+ struct winbindd_request request;
+ struct winbindd_response response;
+ fstring full_name;
+ NSS_STATUS result;
+
+ DOM_SID user_sid;
+
+ int i;
+
+ fstr_sprintf(full_name, "%s%c%s",
+ domain, *lp_winbind_separator(), user);
+
+ /* First let's find out the user sid */
+
+ ZERO_STRUCT(request);
+ ZERO_STRUCT(response);
+
+ fstrcpy(request.data.name.dom_name, domain);
+ fstrcpy(request.data.name.name, user);
+
+ result = winbindd_request_response(WINBINDD_LOOKUPNAME, &request, &response);
+
+ if (result != NSS_STATUS_SUCCESS) {
+ DEBUG(1, ("winbind could not find %s\n", full_name));
+ return False;
+ }
+
+ if (response.data.sid.type != SID_NAME_USER) {
+ DEBUG(1, ("%s is not a user\n", full_name));
+ return False;
+ }
+
+ string_to_sid(&user_sid, response.data.sid.sid);
+
+ init_user_token(token, &user_sid);
+
+ /* And now the groups winbind knows about */
+
+ ZERO_STRUCT(response);
+
+ fstrcpy(request.data.username, full_name);
+
+ result = winbindd_request_response(WINBINDD_GETGROUPS, &request, &response);
+
+ if (result != NSS_STATUS_SUCCESS) {
+ DEBUG(1, ("winbind could not get groups of %s\n", full_name));
+ return False;
+ }
+
+ for (i = 0; i < response.data.num_entries; i++) {
+ gid_t gid = ((gid_t *)response.extra_data)[i];
+ DOM_SID sid;
+
+ struct winbindd_request sidrequest;
+ struct winbindd_response sidresponse;
+
+ ZERO_STRUCT(sidrequest);
+ ZERO_STRUCT(sidresponse);
+
+ sidrequest.data.gid = gid;
+
+ result = winbindd_request_response(WINBINDD_GID_TO_SID,
+ &sidrequest, &sidresponse);
+
+ if (result != NSS_STATUS_SUCCESS) {
+ DEBUG(1, ("winbind could not find SID of gid %d\n",
+ gid));
+ return False;
+ }
+
+ DEBUG(3, (" %s\n", sidresponse.data.sid.sid));
+
+ string_to_sid(&sid, sidresponse.data.sid.sid);
+ add_sid_to_token(token, &sid);
+ }
+
+ SAFE_FREE(response.extra_data);
+
+ return True;
+}
+
+/**
+ * Get a list of all user tokens we want to look at
+ **/
+static BOOL get_user_tokens(int *num_tokens, struct user_token **user_tokens)
+{
+ struct winbindd_request request;
+ struct winbindd_response response;
+ const char *extra_data;
+ fstring name;
+ int i;
+ struct user_token *result;
+
+ if (lp_winbind_use_default_domain() &&
+ (opt_target_workgroup == NULL)) {
+ d_printf("winbind use default domain = yes set, please "
+ "specify a workgroup\n");
+ return False;
+ }
+
+ /* Send request to winbind daemon */
+
+ ZERO_STRUCT(request);
+ ZERO_STRUCT(response);
+
+ if (winbindd_request_response(WINBINDD_LIST_USERS, &request, &response) !=
+ NSS_STATUS_SUCCESS)
+ return False;
+
+ /* Look through extra data */
+
+ if (!response.extra_data)
+ return False;
+
+ extra_data = (const char *)response.extra_data;
+ *num_tokens = 0;
+
+ while(next_token(&extra_data, name, ",", sizeof(fstring))) {
+ *num_tokens += 1;
+ }
+
+ result = SMB_MALLOC_ARRAY(struct user_token, *num_tokens);
+
+ if (result == NULL) {
+ DEBUG(1, ("Could not malloc sid array\n"));
+ return False;
+ }
+
+ extra_data = (const char *)response.extra_data;
+ i=0;
+
+ while(next_token(&extra_data, name, ",", sizeof(fstring))) {
+
+ fstring domain, user;
+ char *p;
+
+ fstrcpy(result[i].name, name);
+
+ p = strchr(name, *lp_winbind_separator());
+
+ DEBUG(3, ("%s\n", name));
+
+ if (p == NULL) {
+ fstrcpy(domain, opt_target_workgroup);
+ fstrcpy(user, name);
+ } else {
+ *p++ = '\0';
+ fstrcpy(domain, name);
+ strupper_m(domain);
+ fstrcpy(user, p);
+ }
+
+ get_user_sids(domain, user, &(result[i].token));
+ i+=1;
+ }
+
+ SAFE_FREE(response.extra_data);
+
+ *user_tokens = result;
+
+ return True;
+}
+
+static BOOL get_user_tokens_from_file(FILE *f,
+ int *num_tokens,
+ struct user_token **tokens)
+{
+ struct user_token *token = NULL;
+
+ while (!feof(f)) {
+ fstring line;
+
+ if (fgets(line, sizeof(line)-1, f) == NULL) {
+ return True;
+ }
+
+ if (line[strlen(line)-1] == '\n')
+ line[strlen(line)-1] = '\0';
+
+ if (line[0] == ' ') {
+ /* We have a SID */
+
+ DOM_SID sid;
+ string_to_sid(&sid, &line[1]);
+
+ if (token == NULL) {
+ DEBUG(0, ("File does not begin with username"));
+ return False;
+ }
+
+ add_sid_to_token(&token->token, &sid);
+ continue;
+ }
+
+ /* And a new user... */
+
+ *num_tokens += 1;
+ *tokens = SMB_REALLOC_ARRAY(*tokens, struct user_token, *num_tokens);
+ if (*tokens == NULL) {
+ DEBUG(0, ("Could not realloc tokens\n"));
+ return False;
+ }
+
+ token = &((*tokens)[*num_tokens-1]);
+
+ fstrcpy(token->name, line);
+ token->token.num_sids = 0;
+ token->token.user_sids = NULL;
+ continue;
+ }
+
+ return False;
+}
+
+
+/*
+ * Show the list of all users that have access to a share
+ */
+
+static void show_userlist(struct cli_state *cli,
+ TALLOC_CTX *mem_ctx, const char *netname,
+ int num_tokens, struct user_token *tokens)
+{
+ int fnum;
+ SEC_DESC *share_sd = NULL;
+ SEC_DESC *root_sd = NULL;
+ int i;
+ SRV_SHARE_INFO info;
+ WERROR result;
+ uint16 cnum;
+
+ result = cli_srvsvc_net_share_get_info(cli, mem_ctx, netname,
+ 502, &info);
+
+ if (!W_ERROR_IS_OK(result)) {
+ DEBUG(1, ("Coult not query secdesc for share %s\n",
+ netname));
+ return;
+ }
+
+ share_sd = info.share.info502.info_502_str.sd;
+ if (share_sd == NULL) {
+ DEBUG(1, ("Got no secdesc for share %s\n",
+ netname));
+ }
+
+ cnum = cli->cnum;
+
+ if (!cli_send_tconX(cli, netname, "A:", "", 0)) {
+ return;
+ }
+
+ fnum = cli_nt_create(cli, "\\", READ_CONTROL_ACCESS);
+
+ if (fnum != -1) {
+ root_sd = cli_query_secdesc(cli, fnum, mem_ctx);
+ }
+
+ for (i=0; i<num_tokens; i++) {
+ uint32 acc_granted;
+ NTSTATUS status;
+
+ if (share_sd != NULL) {
+ if (!se_access_check(share_sd, &tokens[i].token,
+ 1, &acc_granted, &status)) {
+ DEBUG(1, ("Could not check share_sd for "
+ "user %s\n",
+ tokens[i].name));
+ continue;
+ }
+
+ if (!NT_STATUS_IS_OK(status))
+ continue;
+ }
+
+ if (root_sd == NULL) {
+ d_printf(" %s\n", tokens[i].name);
+ continue;
+ }
+
+ if (!se_access_check(root_sd, &tokens[i].token,
+ 1, &acc_granted, &status)) {
+ DEBUG(1, ("Could not check root_sd for user %s\n",
+ tokens[i].name));
+ continue;
+ }
+
+ if (!NT_STATUS_IS_OK(status))
+ continue;