2 Unix SMB/CIFS implementation.
4 Copyright (C) Tim Potter 2000-2001,
5 Copyright (C) Andrew Tridgell 1992-1997,2000,
6 Copyright (C) Rafal Szczesniak 2002
7 Copyright (C) Jeremy Allison 2005.
8 Copyright (C) Michael Adam 2007.
9 Copyright (C) Guenther Deschner 2008.
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include "rpc_client/rpc_client.h"
27 #include "../librpc/gen_ndr/ndr_lsa_c.h"
28 #include "rpc_client/cli_lsarpc.h"
29 #include "rpc_client/init_lsa.h"
30 #include "../libcli/security/security.h"
32 /** @defgroup lsa LSA - Local Security Architecture
41 * RPC client routines for the LSA RPC pipe. LSA means "local
42 * security authority", which is half of a password database.
45 NTSTATUS dcerpc_lsa_open_policy(struct dcerpc_binding_handle *h,
49 struct policy_handle *pol,
52 struct lsa_ObjectAttribute attr;
53 struct lsa_QosInfo qos;
54 uint16_t system_name = '\\';
62 qos.impersonation_level = 2;
64 qos.effective_only = 0;
69 return dcerpc_lsa_OpenPolicy(h,
78 /** Open a LSA policy handle
80 * @param cli Handle on an initialised SMB connection */
82 NTSTATUS rpccli_lsa_open_policy(struct rpc_pipe_client *cli,
84 bool sec_qos, uint32_t des_access,
85 struct policy_handle *pol)
88 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
90 status = dcerpc_lsa_open_policy(cli->binding_handle,
96 if (!NT_STATUS_IS_OK(status)) {
103 NTSTATUS dcerpc_lsa_open_policy2(struct dcerpc_binding_handle *h,
105 const char *srv_name_slash,
108 struct policy_handle *pol,
111 struct lsa_ObjectAttribute attr;
112 struct lsa_QosInfo qos;
120 qos.impersonation_level = 2;
121 qos.context_mode = 1;
122 qos.effective_only = 0;
127 return dcerpc_lsa_OpenPolicy2(h,
136 /** Open a LSA policy handle
138 * @param cli Handle on an initialised SMB connection
141 NTSTATUS rpccli_lsa_open_policy2(struct rpc_pipe_client *cli,
142 TALLOC_CTX *mem_ctx, bool sec_qos,
143 uint32_t des_access, struct policy_handle *pol)
146 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
148 status = dcerpc_lsa_open_policy2(cli->binding_handle,
155 if (!NT_STATUS_IS_OK(status)) {
162 /* Lookup a list of sids
164 * internal version withOUT memory allocation of the target arrays.
165 * this assumes sufficiently sized arrays to store domains, names and types. */
167 static NTSTATUS dcerpc_lsa_lookup_sids_noalloc(struct dcerpc_binding_handle *h,
169 TALLOC_CTX *domains_ctx,
170 TALLOC_CTX *names_ctx,
171 struct policy_handle *pol,
173 const struct dom_sid *sids,
176 enum lsa_SidType *types,
177 bool use_lookupsids3,
180 NTSTATUS status = NT_STATUS_OK;
181 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
182 struct lsa_SidArray sid_array;
183 struct lsa_RefDomainList *ref_domains = NULL;
184 struct lsa_TransNameArray lsa_names;
185 enum lsa_LookupNamesLevel level = LSA_LOOKUP_NAMES_ALL;
189 ZERO_STRUCT(lsa_names);
191 sid_array.num_sids = num_sids;
192 sid_array.sids = talloc_array(mem_ctx, struct lsa_SidPtr, num_sids);
193 if (sid_array.sids == NULL) {
194 return NT_STATUS_NO_MEMORY;
197 for (i = 0; i<num_sids; i++) {
198 sid_array.sids[i].sid = dom_sid_dup(mem_ctx, &sids[i]);
199 if (!sid_array.sids[i].sid) {
200 return NT_STATUS_NO_MEMORY;
204 if (use_lookupsids3) {
205 struct lsa_TransNameArray2 lsa_names2;
208 ZERO_STRUCT(lsa_names2);
210 status = dcerpc_lsa_LookupSids3(h,
217 LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES,
218 LSA_CLIENT_REVISION_2,
220 if (!NT_STATUS_IS_OK(status)) {
224 if(!NT_STATUS_IS_ERR(result)) {
225 lsa_names.count = lsa_names2.count;
226 lsa_names.names = talloc_array(mem_ctx,
227 struct lsa_TranslatedName,
229 if (lsa_names.names == NULL) {
230 return NT_STATUS_NO_MEMORY;
232 for (n=0; n < lsa_names.count; n++) {
233 lsa_names.names[n].sid_type = lsa_names2.names[n].sid_type;
234 lsa_names.names[n].name = lsa_names2.names[n].name;
235 lsa_names.names[n].sid_index = lsa_names2.names[n].sid_index;
240 status = dcerpc_lsa_LookupSids(h,
251 DEBUG(10, ("LSA_LOOKUPSIDS returned status: '%s', result: '%s', "
252 "mapped count = %d'\n",
253 nt_errstr(status), nt_errstr(result), count));
255 if (!NT_STATUS_IS_OK(status)) {
259 if (!NT_STATUS_IS_OK(result) &&
260 !NT_STATUS_EQUAL(result, NT_STATUS_NONE_MAPPED) &&
261 !NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED))
267 /* Return output parameters */
268 if (NT_STATUS_EQUAL(result, NT_STATUS_NONE_MAPPED) ||
271 for (i = 0; i < num_sids; i++) {
274 (types)[i] = SID_NAME_UNKNOWN;
276 *presult = NT_STATUS_NONE_MAPPED;
280 for (i = 0; i < num_sids; i++) {
281 const char *name, *dom_name;
284 if (i >= lsa_names.count) {
285 *presult = NT_STATUS_INVALID_NETWORK_RESPONSE;
289 dom_idx = lsa_names.names[i].sid_index;
291 /* Translate optimised name through domain index array */
293 if (dom_idx != 0xffffffff) {
294 if (ref_domains == NULL) {
295 *presult = NT_STATUS_INVALID_NETWORK_RESPONSE;
298 if (dom_idx >= ref_domains->count) {
299 *presult = NT_STATUS_INVALID_NETWORK_RESPONSE;
303 dom_name = ref_domains->domains[dom_idx].name.string;
304 name = lsa_names.names[i].name.string;
307 (names)[i] = talloc_strdup(names_ctx, name);
308 if ((names)[i] == NULL) {
309 DEBUG(0, ("cli_lsa_lookup_sids_noalloc(): out of memory\n"));
310 *presult = NT_STATUS_UNSUCCESSFUL;
316 domains[i] = talloc_strdup(domains_ctx,
317 dom_name ? dom_name : "");
318 (types)[i] = lsa_names.names[i].sid_type;
319 if ((domains)[i] == NULL) {
320 DEBUG(0, ("cli_lsa_lookup_sids_noalloc(): out of memory\n"));
321 *presult = NT_STATUS_UNSUCCESSFUL;
328 (types)[i] = SID_NAME_UNKNOWN;
332 *presult = NT_STATUS_OK;
336 /* Lookup a list of sids
338 * do it the right way: there is a limit (of 20480 for w2k3) entries
339 * returned by this call. when the sids list contains more entries,
340 * empty lists are returned. This version of lsa_lookup_sids passes
341 * the list of sids in hunks of LOOKUP_SIDS_HUNK_SIZE to the lsa call. */
343 /* This constant defines the limit of how many sids to look up
344 * in one call (maximum). the limit from the server side is
345 * at 20480 for win2k3, but we keep it at a save 1000 for now. */
346 #define LOOKUP_SIDS_HUNK_SIZE 1000
348 NTSTATUS dcerpc_lsa_lookup_sids_generic(struct dcerpc_binding_handle *h,
350 struct policy_handle *pol,
352 const struct dom_sid *sids,
355 enum lsa_SidType **ptypes,
356 bool use_lookupsids3,
359 NTSTATUS status = NT_STATUS_OK;
360 NTSTATUS result = NT_STATUS_OK;
362 int sids_processed = 0;
363 const struct dom_sid *hunk_sids = sids;
366 enum lsa_SidType *hunk_types;
367 char **domains = NULL;
369 enum lsa_SidType *types = NULL;
370 bool have_mapped = false;
371 bool have_unmapped = false;
374 if (!(domains = talloc_array(mem_ctx, char *, num_sids))) {
375 DEBUG(0, ("rpccli_lsa_lookup_sids(): out of memory\n"));
376 status = NT_STATUS_NO_MEMORY;
380 if (!(names = talloc_array(mem_ctx, char *, num_sids))) {
381 DEBUG(0, ("rpccli_lsa_lookup_sids(): out of memory\n"));
382 status = NT_STATUS_NO_MEMORY;
386 if (!(types = talloc_array(mem_ctx, enum lsa_SidType, num_sids))) {
387 DEBUG(0, ("rpccli_lsa_lookup_sids(): out of memory\n"));
388 status = NT_STATUS_NO_MEMORY;
393 sids_left = num_sids;
394 hunk_domains = domains;
398 while (sids_left > 0) {
400 NTSTATUS hunk_result = NT_STATUS_UNSUCCESSFUL;
402 hunk_num_sids = ((sids_left > LOOKUP_SIDS_HUNK_SIZE)
403 ? LOOKUP_SIDS_HUNK_SIZE
406 DEBUG(10, ("rpccli_lsa_lookup_sids: processing items "
409 sids_processed + hunk_num_sids - 1,
412 status = dcerpc_lsa_lookup_sids_noalloc(h,
414 (TALLOC_CTX *)domains,
424 if (!NT_STATUS_IS_OK(status)) {
428 if (!NT_STATUS_IS_OK(hunk_result) &&
429 !NT_STATUS_EQUAL(hunk_result, STATUS_SOME_UNMAPPED) &&
430 !NT_STATUS_EQUAL(hunk_result, NT_STATUS_NONE_MAPPED))
432 /* An actual error occured */
433 *presult = hunk_result;
437 if (NT_STATUS_IS_OK(hunk_result)) {
440 if (NT_STATUS_EQUAL(hunk_result, NT_STATUS_NONE_MAPPED)) {
441 have_unmapped = true;
443 if (NT_STATUS_EQUAL(hunk_result, STATUS_SOME_UNMAPPED)) {
445 for (i=0; i<hunk_num_sids; i++) {
446 if (hunk_types[i] == SID_NAME_UNKNOWN) {
447 have_unmapped = true;
454 sids_left -= hunk_num_sids;
455 sids_processed += hunk_num_sids;
456 hunk_sids += hunk_num_sids;
457 hunk_domains += hunk_num_sids;
458 hunk_names += hunk_num_sids;
459 hunk_types += hunk_num_sids;
467 result = NT_STATUS_NONE_MAPPED;
470 result = STATUS_SOME_UNMAPPED;
477 TALLOC_FREE(domains);
484 NTSTATUS dcerpc_lsa_lookup_sids(struct dcerpc_binding_handle *h,
486 struct policy_handle *pol,
488 const struct dom_sid *sids,
491 enum lsa_SidType **ptypes,
494 return dcerpc_lsa_lookup_sids_generic(h,
506 NTSTATUS rpccli_lsa_lookup_sids(struct rpc_pipe_client *cli,
508 struct policy_handle *pol,
510 const struct dom_sid *sids,
513 enum lsa_SidType **ptypes)
516 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
518 status = dcerpc_lsa_lookup_sids_generic(cli->binding_handle,
528 if (!NT_STATUS_IS_OK(status)) {
535 NTSTATUS dcerpc_lsa_lookup_sids3(struct dcerpc_binding_handle *h,
537 struct policy_handle *pol,
539 const struct dom_sid *sids,
542 enum lsa_SidType **ptypes,
545 return dcerpc_lsa_lookup_sids_generic(h,
557 /** Lookup a list of names */
559 NTSTATUS dcerpc_lsa_lookup_names_generic(struct dcerpc_binding_handle *h,
561 struct policy_handle *pol,
564 const char ***dom_names,
565 enum lsa_LookupNamesLevel level,
566 struct dom_sid **sids,
567 enum lsa_SidType **types,
568 bool use_lookupnames4,
572 struct lsa_String *lsa_names = NULL;
573 struct lsa_RefDomainList *domains = NULL;
574 struct lsa_TransSidArray sid_array;
575 struct lsa_TransSidArray3 sid_array3;
579 ZERO_STRUCT(sid_array);
580 ZERO_STRUCT(sid_array3);
582 lsa_names = talloc_array(mem_ctx, struct lsa_String, num_names);
583 if (lsa_names == NULL) {
584 return NT_STATUS_NO_MEMORY;
587 for (i = 0; i < num_names; i++) {
588 init_lsa_String(&lsa_names[i], names[i]);
591 if (use_lookupnames4) {
592 status = dcerpc_lsa_LookupNames4(h,
600 LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES,
601 LSA_CLIENT_REVISION_2,
604 status = dcerpc_lsa_LookupNames(h,
615 if (!NT_STATUS_IS_OK(status)) {
619 if (!NT_STATUS_IS_OK(*presult) &&
620 !NT_STATUS_EQUAL(*presult, STATUS_SOME_UNMAPPED)) {
621 /* An actual error occured */
625 /* Return output parameters */
627 *presult = NT_STATUS_NONE_MAPPED;
632 if (!((*sids = talloc_array(mem_ctx, struct dom_sid, num_names)))) {
633 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
634 *presult = NT_STATUS_NO_MEMORY;
638 if (!((*types = talloc_array(mem_ctx, enum lsa_SidType, num_names)))) {
639 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
640 *presult = NT_STATUS_NO_MEMORY;
644 if (dom_names != NULL) {
645 *dom_names = talloc_array(mem_ctx, const char *, num_names);
646 if (*dom_names == NULL) {
647 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
648 *presult = NT_STATUS_NO_MEMORY;
655 if (dom_names != NULL) {
660 for (i = 0; i < num_names; i++) {
662 struct dom_sid *sid = &(*sids)[i];
664 if (use_lookupnames4) {
665 if (i >= sid_array3.count) {
666 *presult = NT_STATUS_INVALID_NETWORK_RESPONSE;
670 dom_idx = sid_array3.sids[i].sid_index;
671 (*types)[i] = sid_array3.sids[i].sid_type;
673 if (i >= sid_array.count) {
674 *presult = NT_STATUS_INVALID_NETWORK_RESPONSE;
678 dom_idx = sid_array.sids[i].sid_index;
679 (*types)[i] = sid_array.sids[i].sid_type;
682 /* Translate optimised sid through domain index array */
684 if (dom_idx == 0xffffffff) {
685 /* Nothing to do, this is unknown */
687 (*types)[i] = SID_NAME_UNKNOWN;
690 if (domains == NULL) {
691 *presult = NT_STATUS_INVALID_NETWORK_RESPONSE;
694 if (dom_idx >= domains->count) {
695 *presult = NT_STATUS_INVALID_NETWORK_RESPONSE;
699 if (use_lookupnames4) {
700 sid_copy(sid, sid_array3.sids[i].sid);
702 sid_copy(sid, domains->domains[dom_idx].sid);
704 if (sid_array.sids[i].rid != 0xffffffff) {
705 sid_append_rid(sid, sid_array.sids[i].rid);
709 if (dom_names == NULL) {
713 (*dom_names)[i] = domains->domains[dom_idx].name.string;
720 NTSTATUS dcerpc_lsa_lookup_names(struct dcerpc_binding_handle *h,
722 struct policy_handle *pol,
725 const char ***dom_names,
726 enum lsa_LookupNamesLevel level,
727 struct dom_sid **sids,
728 enum lsa_SidType **types,
731 return dcerpc_lsa_lookup_names_generic(h,
744 NTSTATUS rpccli_lsa_lookup_names(struct rpc_pipe_client *cli,
746 struct policy_handle *pol,
749 const char ***dom_names,
751 struct dom_sid **sids,
752 enum lsa_SidType **types)
755 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
757 status = dcerpc_lsa_lookup_names(cli->binding_handle,
767 if (!NT_STATUS_IS_OK(status)) {
774 NTSTATUS dcerpc_lsa_lookup_names4(struct dcerpc_binding_handle *h,
776 struct policy_handle *pol,
779 const char ***dom_names,
780 enum lsa_LookupNamesLevel level,
781 struct dom_sid **sids,
782 enum lsa_SidType **types,
785 return dcerpc_lsa_lookup_names_generic(h,
git.samba.org / samba.git / blob