2 Unix SMB/CIFS implementation.
4 Copyright (C) Tim Potter 2000-2001,
5 Copyright (C) Andrew Tridgell 1992-1997,2000,
6 Copyright (C) Rafal Szczesniak 2002
7 Copyright (C) Jeremy Allison 2005.
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 2 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
26 /** @defgroup lsa LSA - Local Security Architecture
35 * RPC client routines for the LSA RPC pipe. LSA means "local
36 * security authority", which is half of a password database.
39 /** Open a LSA policy handle
41 * @param cli Handle on an initialised SMB connection */
43 NTSTATUS rpccli_lsa_open_policy(struct rpc_pipe_client *cli,
45 BOOL sec_qos, uint32 des_access,
48 prs_struct qbuf, rbuf;
57 /* Initialise input parameters */
60 init_lsa_sec_qos(&qos, 2, 1, 0);
61 init_q_open_pol(&q, '\\', 0, des_access, &qos);
63 init_q_open_pol(&q, '\\', 0, des_access, NULL);
66 /* Marshall data and send request */
68 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_OPENPOLICY,
73 NT_STATUS_UNSUCCESSFUL );
75 /* Return output parameters */
79 if (NT_STATUS_IS_OK(result)) {
86 /** Open a LSA policy handle
88 * @param cli Handle on an initialised SMB connection
91 NTSTATUS rpccli_lsa_open_policy2(struct rpc_pipe_client *cli,
92 TALLOC_CTX *mem_ctx, BOOL sec_qos,
93 uint32 des_access, POLICY_HND *pol)
95 prs_struct qbuf, rbuf;
100 char *srv_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", cli->cli->desthost);
106 init_lsa_sec_qos(&qos, 2, 1, 0);
107 init_q_open_pol2(&q, srv_name_slash, 0, des_access, &qos);
109 init_q_open_pol2(&q, srv_name_slash, 0, des_access, NULL);
112 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_OPENPOLICY2,
117 NT_STATUS_UNSUCCESSFUL );
119 /* Return output parameters */
123 if (NT_STATUS_IS_OK(result)) {
130 /** Close a LSA policy handle */
132 NTSTATUS rpccli_lsa_close(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
135 return rpccli_lsa_Close( cli, mem_ctx, pol);
138 /** Lookup a list of sids */
140 NTSTATUS rpccli_lsa_lookup_sids(struct rpc_pipe_client *cli,
142 POLICY_HND *pol, int num_sids,
146 enum lsa_SidType **types)
148 prs_struct qbuf, rbuf;
152 LSA_TRANS_NAME_ENUM t_names;
153 NTSTATUS result = NT_STATUS_OK;
159 init_q_lookup_sids(mem_ctx, &q, pol, num_sids, sids, 1);
162 ZERO_STRUCT(t_names);
167 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_LOOKUPSIDS,
170 lsa_io_q_lookup_sids,
171 lsa_io_r_lookup_sids,
172 NT_STATUS_UNSUCCESSFUL );
174 if (!NT_STATUS_IS_OK(r.status) &&
175 NT_STATUS_V(r.status) != NT_STATUS_V(STATUS_SOME_UNMAPPED)) {
177 /* An actual error occured */
183 /* Return output parameters */
185 if (r.mapped_count == 0) {
186 result = NT_STATUS_NONE_MAPPED;
190 if (!((*domains) = TALLOC_ARRAY(mem_ctx, char *, num_sids))) {
191 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
192 result = NT_STATUS_NO_MEMORY;
196 if (!((*names) = TALLOC_ARRAY(mem_ctx, char *, num_sids))) {
197 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
198 result = NT_STATUS_NO_MEMORY;
202 if (!((*types) = TALLOC_ARRAY(mem_ctx, enum lsa_SidType, num_sids))) {
203 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
204 result = NT_STATUS_NO_MEMORY;
208 for (i = 0; i < num_sids; i++) {
209 fstring name, dom_name;
210 uint32 dom_idx = t_names.name[i].domain_idx;
212 /* Translate optimised name through domain index array */
214 if (dom_idx != 0xffffffff) {
216 rpcstr_pull_unistr2_fstring(
217 dom_name, &ref.ref_dom[dom_idx].uni_dom_name);
218 rpcstr_pull_unistr2_fstring(
219 name, &t_names.uni_name[i]);
221 (*names)[i] = talloc_strdup(mem_ctx, name);
222 (*domains)[i] = talloc_strdup(mem_ctx, dom_name);
223 (*types)[i] = (enum lsa_SidType)t_names.name[i].sid_name_use;
225 if (((*names)[i] == NULL) || ((*domains)[i] == NULL)) {
226 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
227 result = NT_STATUS_UNSUCCESSFUL;
233 (*domains)[i] = NULL;
234 (*types)[i] = SID_NAME_UNKNOWN;
243 /** Lookup a list of names */
245 NTSTATUS rpccli_lsa_lookup_names(struct rpc_pipe_client *cli,
247 POLICY_HND *pol, int num_names,
249 const char ***dom_names,
251 enum lsa_SidType **types)
253 prs_struct qbuf, rbuf;
254 LSA_Q_LOOKUP_NAMES q;
255 LSA_R_LOOKUP_NAMES r;
266 init_q_lookup_names(mem_ctx, &q, pol, num_names, names);
268 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_LOOKUPNAMES,
271 lsa_io_q_lookup_names,
272 lsa_io_r_lookup_names,
273 NT_STATUS_UNSUCCESSFUL);
277 if (!NT_STATUS_IS_OK(result) && NT_STATUS_V(result) !=
278 NT_STATUS_V(STATUS_SOME_UNMAPPED)) {
280 /* An actual error occured */
285 /* Return output parameters */
287 if (r.mapped_count == 0) {
288 result = NT_STATUS_NONE_MAPPED;
292 if (!((*sids = TALLOC_ARRAY(mem_ctx, DOM_SID, num_names)))) {
293 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
294 result = NT_STATUS_NO_MEMORY;
298 if (!((*types = TALLOC_ARRAY(mem_ctx, enum lsa_SidType, num_names)))) {
299 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
300 result = NT_STATUS_NO_MEMORY;
304 if (dom_names != NULL) {
305 *dom_names = TALLOC_ARRAY(mem_ctx, const char *, num_names);
306 if (*dom_names == NULL) {
307 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
308 result = NT_STATUS_NO_MEMORY;
313 for (i = 0; i < num_names; i++) {
314 DOM_RID *t_rids = r.dom_rid;
315 uint32 dom_idx = t_rids[i].rid_idx;
316 uint32 dom_rid = t_rids[i].rid;
317 DOM_SID *sid = &(*sids)[i];
319 /* Translate optimised sid through domain index array */
321 if (dom_idx == 0xffffffff) {
322 /* Nothing to do, this is unknown */
324 (*types)[i] = SID_NAME_UNKNOWN;
328 sid_copy(sid, &ref.ref_dom[dom_idx].ref_dom.sid);
330 if (dom_rid != 0xffffffff) {
331 sid_append_rid(sid, dom_rid);
334 (*types)[i] = (enum lsa_SidType)t_rids[i].type;
336 if (dom_names == NULL) {
340 (*dom_names)[i] = rpcstr_pull_unistr2_talloc(
341 *dom_names, &ref.ref_dom[dom_idx].uni_dom_name);
349 NTSTATUS rpccli_lsa_query_info_policy_new(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
350 POLICY_HND *pol, uint16 info_class,
353 prs_struct qbuf, rbuf;
361 init_q_query(&q, pol, info_class);
363 CLI_DO_RPC(cli, mem_ctx, PI_LSARPC, LSA_QUERYINFOPOLICY,
368 NT_STATUS_UNSUCCESSFUL);
372 if (!NT_STATUS_IS_OK(result)) {
383 NTSTATUS rpccli_lsa_query_info_policy2_new(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
384 POLICY_HND *pol, uint16 info_class,
387 prs_struct qbuf, rbuf;
395 init_q_query2(&q, pol, info_class);
397 CLI_DO_RPC(cli, mem_ctx, PI_LSARPC, LSA_QUERYINFO2,
400 lsa_io_q_query_info2,
401 lsa_io_r_query_info2,
402 NT_STATUS_UNSUCCESSFUL);
406 if (!NT_STATUS_IS_OK(result)) {
419 /** Query info policy
421 * @param domain_sid - returned remote server's domain sid */
423 NTSTATUS rpccli_lsa_query_info_policy(struct rpc_pipe_client *cli,
425 POLICY_HND *pol, uint16 info_class,
426 char **domain_name, DOM_SID **domain_sid)
428 prs_struct qbuf, rbuf;
436 init_q_query(&q, pol, info_class);
438 CLI_DO_RPC(cli, mem_ctx, PI_LSARPC, LSA_QUERYINFOPOLICY,
443 NT_STATUS_UNSUCCESSFUL);
447 if (!NT_STATUS_IS_OK(result)) {
451 /* Return output parameters */
453 switch (info_class) {
456 if (domain_name && (r.ctr.info.id3.buffer_dom_name != 0)) {
457 *domain_name = unistr2_tdup(mem_ctx,
461 return NT_STATUS_NO_MEMORY;
465 if (domain_sid && (r.ctr.info.id3.buffer_dom_sid != 0)) {
466 *domain_sid = TALLOC_P(mem_ctx, DOM_SID);
468 return NT_STATUS_NO_MEMORY;
470 sid_copy(*domain_sid, &r.ctr.info.id3.dom_sid.sid);
477 if (domain_name && (r.ctr.info.id5.buffer_dom_name != 0)) {
478 *domain_name = unistr2_tdup(mem_ctx,
482 return NT_STATUS_NO_MEMORY;
486 if (domain_sid && (r.ctr.info.id5.buffer_dom_sid != 0)) {
487 *domain_sid = TALLOC_P(mem_ctx, DOM_SID);
489 return NT_STATUS_NO_MEMORY;
491 sid_copy(*domain_sid, &r.ctr.info.id5.dom_sid.sid);
496 DEBUG(3, ("unknown info class %d\n", info_class));
505 /** Query info policy2
507 * @param domain_name - returned remote server's domain name
508 * @param dns_name - returned remote server's dns domain name
509 * @param forest_name - returned remote server's forest name
510 * @param domain_guid - returned remote server's domain guid
511 * @param domain_sid - returned remote server's domain sid */
513 NTSTATUS rpccli_lsa_query_info_policy2(struct rpc_pipe_client *cli,
515 POLICY_HND *pol, uint16 info_class,
516 char **domain_name, char **dns_name,
518 struct uuid **domain_guid,
519 DOM_SID **domain_sid)
521 prs_struct qbuf, rbuf;
524 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
526 if (info_class != 12)
532 init_q_query2(&q, pol, info_class);
534 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_QUERYINFO2,
537 lsa_io_q_query_info2,
538 lsa_io_r_query_info2,
539 NT_STATUS_UNSUCCESSFUL);
543 if (!NT_STATUS_IS_OK(result)) {
547 /* Return output parameters */
549 ZERO_STRUCTP(domain_guid);
551 if (domain_name && r.ctr.info.id12.hdr_nb_dom_name.buffer) {
552 *domain_name = unistr2_tdup(mem_ctx,
556 return NT_STATUS_NO_MEMORY;
559 if (dns_name && r.ctr.info.id12.hdr_dns_dom_name.buffer) {
560 *dns_name = unistr2_tdup(mem_ctx,
564 return NT_STATUS_NO_MEMORY;
567 if (forest_name && r.ctr.info.id12.hdr_forest_name.buffer) {
568 *forest_name = unistr2_tdup(mem_ctx,
572 return NT_STATUS_NO_MEMORY;
577 *domain_guid = TALLOC_P(mem_ctx, struct uuid);
579 return NT_STATUS_NO_MEMORY;
582 &r.ctr.info.id12.dom_guid,
583 sizeof(struct uuid));
586 if (domain_sid && r.ctr.info.id12.ptr_dom_sid != 0) {
587 *domain_sid = TALLOC_P(mem_ctx, DOM_SID);
589 return NT_STATUS_NO_MEMORY;
591 sid_copy(*domain_sid,
592 &r.ctr.info.id12.dom_sid.sid);
600 NTSTATUS rpccli_lsa_set_info_policy(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
601 POLICY_HND *pol, uint16 info_class,
604 prs_struct qbuf, rbuf;
612 init_q_set(&q, pol, info_class, ctr);
614 CLI_DO_RPC(cli, mem_ctx, PI_LSARPC, LSA_SETINFOPOLICY,
619 NT_STATUS_UNSUCCESSFUL);
623 if (!NT_STATUS_IS_OK(result)) {
627 /* Return output parameters */
636 * Enumerate list of trusted domains
638 * @param cli client state (cli_state) structure of the connection
639 * @param mem_ctx memory context
640 * @param pol opened lsa policy handle
641 * @param enum_ctx enumeration context ie. index of first returned domain entry
642 * @param pref_num_domains preferred max number of entries returned in one response
643 * @param num_domains total number of trusted domains returned by response
644 * @param domain_names returned trusted domain names
645 * @param domain_sids returned trusted domain sids
647 * @return nt status code of response
650 NTSTATUS rpccli_lsa_enum_trust_dom(struct rpc_pipe_client *cli,
652 POLICY_HND *pol, uint32 *enum_ctx,
654 char ***domain_names, DOM_SID **domain_sids)
656 prs_struct qbuf, rbuf;
657 LSA_Q_ENUM_TRUST_DOM in;
658 LSA_R_ENUM_TRUST_DOM out;
665 /* 64k is enough for about 2000 trusted domains */
667 init_q_enum_trust_dom(&in, pol, *enum_ctx, 0x10000);
669 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_ENUMTRUSTDOM,
672 lsa_io_q_enum_trust_dom,
673 lsa_io_r_enum_trust_dom,
674 NT_STATUS_UNSUCCESSFUL );
677 /* check for an actual error */
679 if ( !NT_STATUS_IS_OK(out.status)
680 && !NT_STATUS_EQUAL(out.status, NT_STATUS_NO_MORE_ENTRIES)
681 && !NT_STATUS_EQUAL(out.status, STATUS_MORE_ENTRIES) )
686 /* Return output parameters */
688 *num_domains = out.count;
689 *enum_ctx = out.enum_context;
693 /* Allocate memory for trusted domain names and sids */
695 if ( !(*domain_names = TALLOC_ARRAY(mem_ctx, char *, out.count)) ) {
696 DEBUG(0, ("cli_lsa_enum_trust_dom(): out of memory\n"));
697 return NT_STATUS_NO_MEMORY;
700 if ( !(*domain_sids = TALLOC_ARRAY(mem_ctx, DOM_SID, out.count)) ) {
701 DEBUG(0, ("cli_lsa_enum_trust_dom(): out of memory\n"));
702 return NT_STATUS_NO_MEMORY;
705 /* Copy across names and sids */
707 for (i = 0; i < out.count; i++) {
709 rpcstr_pull( tmp, out.domlist->domains[i].name.string->buffer,
710 sizeof(tmp), out.domlist->domains[i].name.length, 0);
711 (*domain_names)[i] = talloc_strdup(mem_ctx, tmp);
713 sid_copy(&(*domain_sids)[i], &out.domlist->domains[i].sid->sid );
720 /** Enumerate privileges*/
722 NTSTATUS rpccli_lsa_enum_privilege(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
723 POLICY_HND *pol, uint32 *enum_context, uint32 pref_max_length,
724 uint32 *count, char ***privs_name, uint32 **privs_high, uint32 **privs_low)
726 prs_struct qbuf, rbuf;
735 init_q_enum_privs(&q, pol, *enum_context, pref_max_length);
737 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_ENUM_PRIVS,
742 NT_STATUS_UNSUCCESSFUL);
746 if (!NT_STATUS_IS_OK(result)) {
750 /* Return output parameters */
752 *enum_context = r.enum_context;
755 if (!((*privs_name = TALLOC_ARRAY(mem_ctx, char *, r.count)))) {
756 DEBUG(0, ("(cli_lsa_enum_privilege): out of memory\n"));
757 result = NT_STATUS_UNSUCCESSFUL;
761 if (!((*privs_high = TALLOC_ARRAY(mem_ctx, uint32, r.count)))) {
762 DEBUG(0, ("(cli_lsa_enum_privilege): out of memory\n"));
763 result = NT_STATUS_UNSUCCESSFUL;
767 if (!((*privs_low = TALLOC_ARRAY(mem_ctx, uint32, r.count)))) {
768 DEBUG(0, ("(cli_lsa_enum_privilege): out of memory\n"));
769 result = NT_STATUS_UNSUCCESSFUL;
773 for (i = 0; i < r.count; i++) {
776 rpcstr_pull_unistr2_fstring( name, &r.privs[i].name);
778 (*privs_name)[i] = talloc_strdup(mem_ctx, name);
780 (*privs_high)[i] = r.privs[i].luid_high;
781 (*privs_low)[i] = r.privs[i].luid_low;
789 /** Get privilege name */
791 NTSTATUS rpccli_lsa_get_dispname(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
792 POLICY_HND *pol, const char *name,
793 uint16 lang_id, uint16 lang_id_sys,
794 fstring description, uint16 *lang_id_desc)
796 prs_struct qbuf, rbuf;
797 LSA_Q_PRIV_GET_DISPNAME q;
798 LSA_R_PRIV_GET_DISPNAME r;
804 init_lsa_priv_get_dispname(&q, pol, name, lang_id, lang_id_sys);
806 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_PRIV_GET_DISPNAME,
809 lsa_io_q_priv_get_dispname,
810 lsa_io_r_priv_get_dispname,
811 NT_STATUS_UNSUCCESSFUL);
815 if (!NT_STATUS_IS_OK(result)) {
819 /* Return output parameters */
821 rpcstr_pull_unistr2_fstring(description , &r.desc);
822 *lang_id_desc = r.lang_id;
829 /** Enumerate list of SIDs */
831 NTSTATUS rpccli_lsa_enum_sids(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
832 POLICY_HND *pol, uint32 *enum_ctx, uint32 pref_max_length,
833 uint32 *num_sids, DOM_SID **sids)
835 prs_struct qbuf, rbuf;
836 LSA_Q_ENUM_ACCOUNTS q;
837 LSA_R_ENUM_ACCOUNTS r;
844 init_lsa_q_enum_accounts(&q, pol, *enum_ctx, pref_max_length);
846 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_ENUM_ACCOUNTS,
849 lsa_io_q_enum_accounts,
850 lsa_io_r_enum_accounts,
851 NT_STATUS_UNSUCCESSFUL);
855 if (!NT_STATUS_IS_OK(result)) {
859 if (r.sids.num_entries==0)
862 /* Return output parameters */
864 *sids = TALLOC_ARRAY(mem_ctx, DOM_SID, r.sids.num_entries);
866 DEBUG(0, ("(cli_lsa_enum_sids): out of memory\n"));
867 result = NT_STATUS_UNSUCCESSFUL;
871 /* Copy across names and sids */
873 for (i = 0; i < r.sids.num_entries; i++) {
874 sid_copy(&(*sids)[i], &r.sids.sid[i].sid);
877 *num_sids= r.sids.num_entries;
878 *enum_ctx = r.enum_context;
885 /** Create a LSA user handle
887 * @param cli Handle on an initialised SMB connection
889 * FIXME: The code is actually identical to open account
890 * TODO: Check and code what the function should exactly do
894 NTSTATUS rpccli_lsa_create_account(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
895 POLICY_HND *dom_pol, DOM_SID *sid, uint32 desired_access,
896 POLICY_HND *user_pol)
898 prs_struct qbuf, rbuf;
899 LSA_Q_CREATEACCOUNT q;
900 LSA_R_CREATEACCOUNT r;
906 /* Initialise input parameters */
908 init_lsa_q_create_account(&q, dom_pol, sid, desired_access);
910 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_CREATEACCOUNT,
913 lsa_io_q_create_account,
914 lsa_io_r_create_account,
915 NT_STATUS_UNSUCCESSFUL);
917 /* Return output parameters */
921 if (NT_STATUS_IS_OK(result)) {
928 /** Open a LSA user handle
930 * @param cli Handle on an initialised SMB connection */
932 NTSTATUS rpccli_lsa_open_account(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
933 POLICY_HND *dom_pol, DOM_SID *sid, uint32 des_access,
934 POLICY_HND *user_pol)
936 prs_struct qbuf, rbuf;
944 /* Initialise input parameters */
946 init_lsa_q_open_account(&q, dom_pol, sid, des_access);
948 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_OPENACCOUNT,
951 lsa_io_q_open_account,
952 lsa_io_r_open_account,
953 NT_STATUS_UNSUCCESSFUL);
955 /* Return output parameters */
959 if (NT_STATUS_IS_OK(result)) {
966 /** Enumerate user privileges
968 * @param cli Handle on an initialised SMB connection */
970 NTSTATUS rpccli_lsa_enum_privsaccount(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
971 POLICY_HND *pol, uint32 *count, LUID_ATTR **set)
973 prs_struct qbuf, rbuf;
974 LSA_Q_ENUMPRIVSACCOUNT q;
975 LSA_R_ENUMPRIVSACCOUNT r;
982 /* Initialise input parameters */
984 init_lsa_q_enum_privsaccount(&q, pol);
986 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_ENUMPRIVSACCOUNT,
989 lsa_io_q_enum_privsaccount,
990 lsa_io_r_enum_privsaccount,
991 NT_STATUS_UNSUCCESSFUL);
993 /* Return output parameters */
997 if (!NT_STATUS_IS_OK(result)) {
1004 if (!((*set = TALLOC_ARRAY(mem_ctx, LUID_ATTR, r.count)))) {
1005 DEBUG(0, ("(cli_lsa_enum_privsaccount): out of memory\n"));
1006 result = NT_STATUS_UNSUCCESSFUL;
1010 for (i=0; i<r.count; i++) {
1011 (*set)[i].luid.low = r.set.set[i].luid.low;
1012 (*set)[i].luid.high = r.set.set[i].luid.high;
1013 (*set)[i].attr = r.set.set[i].attr;
1022 /** Get a privilege value given its name */
1024 NTSTATUS rpccli_lsa_lookup_priv_value(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1025 POLICY_HND *pol, const char *name, LUID *luid)
1027 prs_struct qbuf, rbuf;
1028 LSA_Q_LOOKUP_PRIV_VALUE q;
1029 LSA_R_LOOKUP_PRIV_VALUE r;
1035 /* Marshall data and send request */
1037 init_lsa_q_lookup_priv_value(&q, pol, name);
1039 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_LOOKUPPRIVVALUE,
1042 lsa_io_q_lookup_priv_value,
1043 lsa_io_r_lookup_priv_value,
1044 NT_STATUS_UNSUCCESSFUL);
1048 if (!NT_STATUS_IS_OK(result)) {
1052 /* Return output parameters */
1054 (*luid).low=r.luid.low;
1055 (*luid).high=r.luid.high;
1062 /** Query LSA security object */
1064 NTSTATUS rpccli_lsa_query_secobj(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1065 POLICY_HND *pol, uint32 sec_info,
1066 SEC_DESC_BUF **psdb)
1068 prs_struct qbuf, rbuf;
1069 LSA_Q_QUERY_SEC_OBJ q;
1070 LSA_R_QUERY_SEC_OBJ r;
1076 /* Marshall data and send request */
1078 init_q_query_sec_obj(&q, pol, sec_info);
1080 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_QUERYSECOBJ,
1083 lsa_io_q_query_sec_obj,
1084 lsa_io_r_query_sec_obj,
1085 NT_STATUS_UNSUCCESSFUL);
1089 if (!NT_STATUS_IS_OK(result)) {
1093 /* Return output parameters */
1104 /* Enumerate account rights This is similar to enum_privileges but
1105 takes a SID directly, avoiding the open_account call.
1108 NTSTATUS rpccli_lsa_enum_account_rights(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1109 POLICY_HND *pol, DOM_SID *sid,
1110 uint32 *count, char ***priv_names)
1112 prs_struct qbuf, rbuf;
1113 LSA_Q_ENUM_ACCT_RIGHTS q;
1114 LSA_R_ENUM_ACCT_RIGHTS r;
1117 fstring *privileges;
1123 /* Marshall data and send request */
1124 init_q_enum_acct_rights(&q, pol, 2, sid);
1126 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_ENUMACCTRIGHTS,
1129 lsa_io_q_enum_acct_rights,
1130 lsa_io_r_enum_acct_rights,
1131 NT_STATUS_UNSUCCESSFUL);
1135 if (!NT_STATUS_IS_OK(result)) {
1145 privileges = TALLOC_ARRAY( mem_ctx, fstring, *count );
1146 names = TALLOC_ARRAY( mem_ctx, char *, *count );
1148 if ((privileges == NULL) || (names == NULL)) {
1149 TALLOC_FREE(privileges);
1151 return NT_STATUS_NO_MEMORY;
1154 for ( i=0; i<*count; i++ ) {
1155 UNISTR4 *uni_string = &r.rights->strings[i];
1157 if ( !uni_string->string )
1160 rpcstr_pull( privileges[i], uni_string->string->buffer, sizeof(privileges[i]), -1, STR_TERMINATE );
1162 /* now copy to the return array */
1163 names[i] = talloc_strdup( mem_ctx, privileges[i] );
1166 *priv_names = names;
1175 /* add account rights to an account. */
1177 NTSTATUS rpccli_lsa_add_account_rights(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1178 POLICY_HND *pol, DOM_SID sid,
1179 uint32 count, const char **privs_name)
1181 prs_struct qbuf, rbuf;
1182 LSA_Q_ADD_ACCT_RIGHTS q;
1183 LSA_R_ADD_ACCT_RIGHTS r;
1189 /* Marshall data and send request */
1190 init_q_add_acct_rights(&q, pol, &sid, count, privs_name);
1192 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_ADDACCTRIGHTS,
1195 lsa_io_q_add_acct_rights,
1196 lsa_io_r_add_acct_rights,
1197 NT_STATUS_UNSUCCESSFUL);
1201 if (!NT_STATUS_IS_OK(result)) {
1210 /* remove account rights for an account. */
1212 NTSTATUS rpccli_lsa_remove_account_rights(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1213 POLICY_HND *pol, DOM_SID sid, BOOL removeall,
1214 uint32 count, const char **privs_name)
1216 prs_struct qbuf, rbuf;
1217 LSA_Q_REMOVE_ACCT_RIGHTS q;
1218 LSA_R_REMOVE_ACCT_RIGHTS r;
1224 /* Marshall data and send request */
1225 init_q_remove_acct_rights(&q, pol, &sid, removeall?1:0, count, privs_name);
1227 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_REMOVEACCTRIGHTS,
1230 lsa_io_q_remove_acct_rights,
1231 lsa_io_r_remove_acct_rights,
1232 NT_STATUS_UNSUCCESSFUL);
1236 if (!NT_STATUS_IS_OK(result)) {
1247 /** An example of how to use the routines in this file. Fetch a DOMAIN
1248 sid. Does complete cli setup / teardown anonymously. */
1250 BOOL fetch_domain_sid( char *domain, char *remote_machine, DOM_SID *psid)
1252 extern pstring global_myname;
1253 struct cli_state *cli;
1259 if((cli = cli_initialise()) == NULL) {
1260 DEBUG(0,("fetch_domain_sid: unable to initialize client connection.\n"));
1264 if(!resolve_name( remote_machine, &cli->dest_ip, 0x20)) {
1265 DEBUG(0,("fetch_domain_sid: Can't resolve address for %s\n", remote_machine));
1269 if (!cli_connect(cli, remote_machine, &cli->dest_ip)) {
1270 DEBUG(0,("fetch_domain_sid: unable to connect to SMB server on \
1271 machine %s. Error was : %s.\n", remote_machine, cli_errstr(cli) ));
1275 if (!attempt_netbios_session_request(cli, global_myname, remote_machine, &cli->dest_ip)) {
1276 DEBUG(0,("fetch_domain_sid: machine %s rejected the NetBIOS session request.\n",
1281 cli->protocol = PROTOCOL_NT1;
1283 if (!cli_negprot(cli)) {
1284 DEBUG(0,("fetch_domain_sid: machine %s rejected the negotiate protocol. \
1285 Error was : %s.\n", remote_machine, cli_errstr(cli) ));
1289 if (cli->protocol != PROTOCOL_NT1) {
1290 DEBUG(0,("fetch_domain_sid: machine %s didn't negotiate NT protocol.\n",
1296 * Do an anonymous session setup.
1299 if (!cli_session_setup(cli, "", "", 0, "", 0, "")) {
1300 DEBUG(0,("fetch_domain_sid: machine %s rejected the session setup. \
1301 Error was : %s.\n", remote_machine, cli_errstr(cli) ));
1305 if (!(cli->sec_mode & NEGOTIATE_SECURITY_USER_LEVEL)) {
1306 DEBUG(0,("fetch_domain_sid: machine %s isn't in user level security mode\n",
1311 if (!cli_send_tconX(cli, "IPC$", "IPC", "", 1)) {
1312 DEBUG(0,("fetch_domain_sid: machine %s rejected the tconX on the IPC$ share. \
1313 Error was : %s.\n", remote_machine, cli_errstr(cli) ));
1317 /* Fetch domain sid */
1319 if (!cli_nt_session_open(cli, PI_LSARPC)) {
1320 DEBUG(0, ("fetch_domain_sid: Error connecting to SAM pipe\n"));
1324 result = cli_lsa_open_policy(cli, cli->mem_ctx, True, SEC_RIGHTS_QUERY_VALUE, &lsa_pol);
1325 if (!NT_STATUS_IS_OK(result)) {
1326 DEBUG(0, ("fetch_domain_sid: Error opening lsa policy handle. %s\n",
1327 nt_errstr(result) ));
1331 result = cli_lsa_query_info_policy(cli, cli->mem_ctx, &lsa_pol, 5, domain, psid);
1332 if (!NT_STATUS_IS_OK(result)) {
1333 DEBUG(0, ("fetch_domain_sid: Error querying lsa policy handle. %s\n",
1334 nt_errstr(result) ));
1348 NTSTATUS rpccli_lsa_open_trusted_domain(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1349 POLICY_HND *pol, DOM_SID *dom_sid, uint32 access_mask,
1350 POLICY_HND *trustdom_pol)
1352 prs_struct qbuf, rbuf;
1353 LSA_Q_OPEN_TRUSTED_DOMAIN q;
1354 LSA_R_OPEN_TRUSTED_DOMAIN r;
1360 /* Initialise input parameters */
1362 init_lsa_q_open_trusted_domain(&q, pol, dom_sid, access_mask);
1364 /* Marshall data and send request */
1366 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_OPENTRUSTDOM,
1369 lsa_io_q_open_trusted_domain,
1370 lsa_io_r_open_trusted_domain,
1371 NT_STATUS_UNSUCCESSFUL);
1373 /* Return output parameters */
1377 if (NT_STATUS_IS_OK(result)) {
1378 *trustdom_pol = r.handle;
1384 NTSTATUS rpccli_lsa_query_trusted_domain_info(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1387 LSA_TRUSTED_DOMAIN_INFO **info)
1389 prs_struct qbuf, rbuf;
1390 LSA_Q_QUERY_TRUSTED_DOMAIN_INFO q;
1391 LSA_R_QUERY_TRUSTED_DOMAIN_INFO r;
1392 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1397 /* Marshall data and send request */
1399 init_q_query_trusted_domain_info(&q, pol, info_class);
1401 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_QUERYTRUSTDOMINFO,
1404 lsa_io_q_query_trusted_domain_info,
1405 lsa_io_r_query_trusted_domain_info,
1406 NT_STATUS_UNSUCCESSFUL);
1410 if (!NT_STATUS_IS_OK(result)) {
1420 NTSTATUS rpccli_lsa_open_trusted_domain_by_name(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1421 POLICY_HND *pol, const char *name, uint32 access_mask,
1422 POLICY_HND *trustdom_pol)
1424 prs_struct qbuf, rbuf;
1425 LSA_Q_OPEN_TRUSTED_DOMAIN_BY_NAME q;
1426 LSA_R_OPEN_TRUSTED_DOMAIN_BY_NAME r;
1432 /* Initialise input parameters */
1434 init_lsa_q_open_trusted_domain_by_name(&q, pol, name, access_mask);
1436 /* Marshall data and send request */
1438 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_OPENTRUSTDOMBYNAME,
1441 lsa_io_q_open_trusted_domain_by_name,
1442 lsa_io_r_open_trusted_domain_by_name,
1443 NT_STATUS_UNSUCCESSFUL);
1445 /* Return output parameters */
1449 if (NT_STATUS_IS_OK(result)) {
1450 *trustdom_pol = r.handle;
1457 NTSTATUS rpccli_lsa_query_trusted_domain_info_by_sid(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1459 uint16 info_class, DOM_SID *dom_sid,
1460 LSA_TRUSTED_DOMAIN_INFO **info)
1462 prs_struct qbuf, rbuf;
1463 LSA_Q_QUERY_TRUSTED_DOMAIN_INFO_BY_SID q;
1464 LSA_R_QUERY_TRUSTED_DOMAIN_INFO r;
1465 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1470 /* Marshall data and send request */
1472 init_q_query_trusted_domain_info_by_sid(&q, pol, info_class, dom_sid);
1474 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_QUERYTRUSTDOMINFOBYSID,
1477 lsa_io_q_query_trusted_domain_info_by_sid,
1478 lsa_io_r_query_trusted_domain_info,
1479 NT_STATUS_UNSUCCESSFUL);
1483 if (!NT_STATUS_IS_OK(result)) {
1494 NTSTATUS rpccli_lsa_query_trusted_domain_info_by_name(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1496 uint16 info_class, const char *domain_name,
1497 LSA_TRUSTED_DOMAIN_INFO **info)
1499 prs_struct qbuf, rbuf;
1500 LSA_Q_QUERY_TRUSTED_DOMAIN_INFO_BY_NAME q;
1501 LSA_R_QUERY_TRUSTED_DOMAIN_INFO r;
1502 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1507 /* Marshall data and send request */
1509 init_q_query_trusted_domain_info_by_name(&q, pol, info_class, domain_name);
1511 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_QUERYTRUSTDOMINFOBYNAME,
1514 lsa_io_q_query_trusted_domain_info_by_name,
1515 lsa_io_r_query_trusted_domain_info,
1516 NT_STATUS_UNSUCCESSFUL);
1520 if (!NT_STATUS_IS_OK(result)) {
1531 NTSTATUS cli_lsa_query_domain_info_policy(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1533 uint16 info_class, LSA_DOM_INFO_UNION **info)
1535 prs_struct qbuf, rbuf;
1536 LSA_Q_QUERY_DOM_INFO_POLICY q;
1537 LSA_R_QUERY_DOM_INFO_POLICY r;
1538 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1543 /* Marshall data and send request */
1545 init_q_query_dom_info(&q, pol, info_class);
1547 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_QUERYDOMINFOPOL,
1550 lsa_io_q_query_dom_info,
1551 lsa_io_r_query_dom_info,
1552 NT_STATUS_UNSUCCESSFUL);
1556 if (!NT_STATUS_IS_OK(result)) {