-
-/** Enumerate list of SIDs */
-
-NTSTATUS rpccli_lsa_enum_sids(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
- POLICY_HND *pol, uint32 *enum_ctx, uint32 pref_max_length,
- uint32 *num_sids, DOM_SID **sids)
-{
- prs_struct qbuf, rbuf;
- LSA_Q_ENUM_ACCOUNTS q;
- LSA_R_ENUM_ACCOUNTS r;
- NTSTATUS result;
- int i;
-
- ZERO_STRUCT(q);
- ZERO_STRUCT(r);
-
- init_lsa_q_enum_accounts(&q, pol, *enum_ctx, pref_max_length);
-
- CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_ENUM_ACCOUNTS,
- q, r,
- qbuf, rbuf,
- lsa_io_q_enum_accounts,
- lsa_io_r_enum_accounts,
- NT_STATUS_UNSUCCESSFUL);
-
- result = r.status;
-
- if (!NT_STATUS_IS_OK(result)) {
- goto done;
- }
-
- if (r.sids.num_entries==0)
- goto done;
-
- /* Return output parameters */
-
- *sids = TALLOC_ARRAY(mem_ctx, DOM_SID, r.sids.num_entries);
- if (!*sids) {
- DEBUG(0, ("(cli_lsa_enum_sids): out of memory\n"));
- result = NT_STATUS_UNSUCCESSFUL;
- goto done;
- }
-
- /* Copy across names and sids */
-
- for (i = 0; i < r.sids.num_entries; i++) {
- sid_copy(&(*sids)[i], &r.sids.sid[i].sid);
- }
-
- *num_sids= r.sids.num_entries;
- *enum_ctx = r.enum_context;
-
- done:
-
- return result;
-}
-
-/** Create a LSA user handle
- *
- * @param cli Handle on an initialised SMB connection
- *
- * FIXME: The code is actually identical to open account
- * TODO: Check and code what the function should exactly do
- *
- * */
-
-NTSTATUS rpccli_lsa_create_account(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
- POLICY_HND *dom_pol, DOM_SID *sid, uint32 desired_access,
- POLICY_HND *user_pol)
-{
- prs_struct qbuf, rbuf;
- LSA_Q_CREATEACCOUNT q;
- LSA_R_CREATEACCOUNT r;
- NTSTATUS result;
-
- ZERO_STRUCT(q);
- ZERO_STRUCT(r);
-
- /* Initialise input parameters */
-
- init_lsa_q_create_account(&q, dom_pol, sid, desired_access);
-
- CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_CREATEACCOUNT,
- q, r,
- qbuf, rbuf,
- lsa_io_q_create_account,
- lsa_io_r_create_account,
- NT_STATUS_UNSUCCESSFUL);
-
- /* Return output parameters */
-
- result = r.status;
-
- if (NT_STATUS_IS_OK(result)) {
- *user_pol = r.pol;
- }
-
- return result;
-}
-
-/** Open a LSA user handle
- *
- * @param cli Handle on an initialised SMB connection */
-
-NTSTATUS rpccli_lsa_open_account(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
- POLICY_HND *dom_pol, DOM_SID *sid, uint32 des_access,
- POLICY_HND *user_pol)
-{
- prs_struct qbuf, rbuf;
- LSA_Q_OPENACCOUNT q;
- LSA_R_OPENACCOUNT r;
- NTSTATUS result;
-
- ZERO_STRUCT(q);
- ZERO_STRUCT(r);
-
- /* Initialise input parameters */
-
- init_lsa_q_open_account(&q, dom_pol, sid, des_access);
-
- CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_OPENACCOUNT,
- q, r,
- qbuf, rbuf,
- lsa_io_q_open_account,
- lsa_io_r_open_account,
- NT_STATUS_UNSUCCESSFUL);
-
- /* Return output parameters */
-
- result = r.status;
-
- if (NT_STATUS_IS_OK(result)) {
- *user_pol = r.pol;
- }
-
- return result;
-}
-
-/** Enumerate user privileges
- *
- * @param cli Handle on an initialised SMB connection */
-
-NTSTATUS rpccli_lsa_enum_privsaccount(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
- POLICY_HND *pol, uint32 *count, LUID_ATTR **set)
-{
- prs_struct qbuf, rbuf;
- LSA_Q_ENUMPRIVSACCOUNT q;
- LSA_R_ENUMPRIVSACCOUNT r;
- NTSTATUS result;
- int i;
-
- ZERO_STRUCT(q);
- ZERO_STRUCT(r);
-
- /* Initialise input parameters */
-
- init_lsa_q_enum_privsaccount(&q, pol);
-
- CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_ENUMPRIVSACCOUNT,
- q, r,
- qbuf, rbuf,
- lsa_io_q_enum_privsaccount,
- lsa_io_r_enum_privsaccount,
- NT_STATUS_UNSUCCESSFUL);
-
- /* Return output parameters */
-
- result = r.status;
-
- if (!NT_STATUS_IS_OK(result)) {
- goto done;
- }
-
- if (r.count == 0)
- goto done;
-
- if (!((*set = TALLOC_ARRAY(mem_ctx, LUID_ATTR, r.count)))) {
- DEBUG(0, ("(cli_lsa_enum_privsaccount): out of memory\n"));
- result = NT_STATUS_UNSUCCESSFUL;
- goto done;
- }
-
- for (i=0; i<r.count; i++) {
- (*set)[i].luid.low = r.set.set[i].luid.low;
- (*set)[i].luid.high = r.set.set[i].luid.high;
- (*set)[i].attr = r.set.set[i].attr;
- }
-
- *count=r.count;
- done:
-
- return result;
-}
-
-/** Get a privilege value given its name */
-
-NTSTATUS rpccli_lsa_lookup_priv_value(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
- POLICY_HND *pol, const char *name, LUID *luid)
-{
- prs_struct qbuf, rbuf;
- LSA_Q_LOOKUP_PRIV_VALUE q;
- LSA_R_LOOKUP_PRIV_VALUE r;
- NTSTATUS result;
-
- ZERO_STRUCT(q);
- ZERO_STRUCT(r);
-
- /* Marshall data and send request */
-
- init_lsa_q_lookup_priv_value(&q, pol, name);
-
- CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_LOOKUPPRIVVALUE,
- q, r,
- qbuf, rbuf,
- lsa_io_q_lookup_priv_value,
- lsa_io_r_lookup_priv_value,
- NT_STATUS_UNSUCCESSFUL);
-
- result = r.status;
-
- if (!NT_STATUS_IS_OK(result)) {
- goto done;
- }
-
- /* Return output parameters */
-
- (*luid).low=r.luid.low;
- (*luid).high=r.luid.high;
-
- done:
-
- return result;
-}
-
-/** Query LSA security object */
-
-NTSTATUS rpccli_lsa_query_secobj(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
- POLICY_HND *pol, uint32 sec_info,
- SEC_DESC_BUF **psdb)
-{
- prs_struct qbuf, rbuf;
- LSA_Q_QUERY_SEC_OBJ q;
- LSA_R_QUERY_SEC_OBJ r;
- NTSTATUS result;
-
- ZERO_STRUCT(q);
- ZERO_STRUCT(r);
-
- /* Marshall data and send request */
-
- init_q_query_sec_obj(&q, pol, sec_info);
-
- CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_QUERYSECOBJ,
- q, r,
- qbuf, rbuf,
- lsa_io_q_query_sec_obj,
- lsa_io_r_query_sec_obj,
- NT_STATUS_UNSUCCESSFUL);
-
- result = r.status;
-
- if (!NT_STATUS_IS_OK(result)) {
- goto done;
- }
-
- /* Return output parameters */
-
- if (psdb)
- *psdb = r.buf;
-
- done:
-
- return result;
-}
-
-
-/* Enumerate account rights This is similar to enum_privileges but
- takes a SID directly, avoiding the open_account call.
-*/
-
-NTSTATUS rpccli_lsa_enum_account_rights(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
- POLICY_HND *pol, DOM_SID *sid,
- uint32 *count, char ***priv_names)
-{
- prs_struct qbuf, rbuf;
- LSA_Q_ENUM_ACCT_RIGHTS q;
- LSA_R_ENUM_ACCT_RIGHTS r;
- NTSTATUS result;
- int i;
- fstring *privileges;
- char **names;
-
- ZERO_STRUCT(q);
- ZERO_STRUCT(r);
-
- /* Marshall data and send request */
- init_q_enum_acct_rights(&q, pol, 2, sid);
-
- CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_ENUMACCTRIGHTS,
- q, r,
- qbuf, rbuf,
- lsa_io_q_enum_acct_rights,
- lsa_io_r_enum_acct_rights,
- NT_STATUS_UNSUCCESSFUL);
-
- result = r.status;
-
- if (!NT_STATUS_IS_OK(result)) {
- goto done;
- }
-
- *count = r.count;
- if (! *count) {
- goto done;
- }
-
-
- privileges = TALLOC_ARRAY( mem_ctx, fstring, *count );
- names = TALLOC_ARRAY( mem_ctx, char *, *count );
-
- if ((privileges == NULL) || (names == NULL)) {
- TALLOC_FREE(privileges);
- TALLOC_FREE(names);
- return NT_STATUS_NO_MEMORY;
- }
-
- for ( i=0; i<*count; i++ ) {
- UNISTR4 *uni_string = &r.rights->strings[i];
-
- if ( !uni_string->string )
- continue;
-
- rpcstr_pull( privileges[i], uni_string->string->buffer, sizeof(privileges[i]), -1, STR_TERMINATE );
-
- /* now copy to the return array */
- names[i] = talloc_strdup( mem_ctx, privileges[i] );
- }
-
- *priv_names = names;
-
-done:
-
- return result;
-}
-
-
-
-/* add account rights to an account. */
-
-NTSTATUS rpccli_lsa_add_account_rights(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
- POLICY_HND *pol, DOM_SID sid,
- uint32 count, const char **privs_name)
-{
- prs_struct qbuf, rbuf;
- LSA_Q_ADD_ACCT_RIGHTS q;
- LSA_R_ADD_ACCT_RIGHTS r;
- NTSTATUS result;
-
- ZERO_STRUCT(q);
- ZERO_STRUCT(r);
-
- /* Marshall data and send request */
- init_q_add_acct_rights(&q, pol, &sid, count, privs_name);
-
- CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_ADDACCTRIGHTS,
- q, r,
- qbuf, rbuf,
- lsa_io_q_add_acct_rights,
- lsa_io_r_add_acct_rights,
- NT_STATUS_UNSUCCESSFUL);
-
- result = r.status;
-
- if (!NT_STATUS_IS_OK(result)) {
- goto done;
- }
-done:
-
- return result;
-}
-
-
-/* remove account rights for an account. */
-
-NTSTATUS rpccli_lsa_remove_account_rights(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
- POLICY_HND *pol, DOM_SID sid, BOOL removeall,
- uint32 count, const char **privs_name)
-{
- prs_struct qbuf, rbuf;
- LSA_Q_REMOVE_ACCT_RIGHTS q;
- LSA_R_REMOVE_ACCT_RIGHTS r;
- NTSTATUS result;
-
- ZERO_STRUCT(q);
- ZERO_STRUCT(r);
-
- /* Marshall data and send request */
- init_q_remove_acct_rights(&q, pol, &sid, removeall?1:0, count, privs_name);
-
- CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_REMOVEACCTRIGHTS,
- q, r,
- qbuf, rbuf,
- lsa_io_q_remove_acct_rights,
- lsa_io_r_remove_acct_rights,
- NT_STATUS_UNSUCCESSFUL);
-
- result = r.status;
-
- if (!NT_STATUS_IS_OK(result)) {
- goto done;
- }
-done:
-
- return result;
-}
-
-
-#if 0
-
-/** An example of how to use the routines in this file. Fetch a DOMAIN
- sid. Does complete cli setup / teardown anonymously. */
-
-BOOL fetch_domain_sid( char *domain, char *remote_machine, DOM_SID *psid)
-{
- extern pstring global_myname;
- struct cli_state *cli;
- NTSTATUS result;
- POLICY_HND lsa_pol;
- BOOL ret = False;
-
- ZERO_STRUCT(cli);
- if((cli = cli_initialise()) == NULL) {
- DEBUG(0,("fetch_domain_sid: unable to initialize client connection.\n"));
- return False;
- }
-
- if(!resolve_name( remote_machine, &cli->dest_ip, 0x20)) {
- DEBUG(0,("fetch_domain_sid: Can't resolve address for %s\n", remote_machine));
- goto done;
- }
-
- if (!cli_connect(cli, remote_machine, &cli->dest_ip)) {
- DEBUG(0,("fetch_domain_sid: unable to connect to SMB server on \
-machine %s. Error was : %s.\n", remote_machine, cli_errstr(cli) ));
- goto done;
- }
-
- if (!attempt_netbios_session_request(cli, global_myname, remote_machine, &cli->dest_ip)) {
- DEBUG(0,("fetch_domain_sid: machine %s rejected the NetBIOS session request.\n",
- remote_machine));
- goto done;
- }
-
- cli->protocol = PROTOCOL_NT1;
-
- if (!cli_negprot(cli)) {
- DEBUG(0,("fetch_domain_sid: machine %s rejected the negotiate protocol. \
-Error was : %s.\n", remote_machine, cli_errstr(cli) ));
- goto done;
- }
-
- if (cli->protocol != PROTOCOL_NT1) {
- DEBUG(0,("fetch_domain_sid: machine %s didn't negotiate NT protocol.\n",
- remote_machine));
- goto done;
- }
-
- /*
- * Do an anonymous session setup.
- */
-
- if (!cli_session_setup(cli, "", "", 0, "", 0, "")) {
- DEBUG(0,("fetch_domain_sid: machine %s rejected the session setup. \
-Error was : %s.\n", remote_machine, cli_errstr(cli) ));
- goto done;
- }
-
- if (!(cli->sec_mode & NEGOTIATE_SECURITY_USER_LEVEL)) {
- DEBUG(0,("fetch_domain_sid: machine %s isn't in user level security mode\n",
- remote_machine));
- goto done;
- }
-
- if (!cli_send_tconX(cli, "IPC$", "IPC", "", 1)) {
- DEBUG(0,("fetch_domain_sid: machine %s rejected the tconX on the IPC$ share. \
-Error was : %s.\n", remote_machine, cli_errstr(cli) ));
- goto done;
- }
-
- /* Fetch domain sid */
-
- if (!cli_nt_session_open(cli, PI_LSARPC)) {
- DEBUG(0, ("fetch_domain_sid: Error connecting to SAM pipe\n"));
- goto done;
- }
-
- result = cli_lsa_open_policy(cli, cli->mem_ctx, True, SEC_RIGHTS_QUERY_VALUE, &lsa_pol);
- if (!NT_STATUS_IS_OK(result)) {
- DEBUG(0, ("fetch_domain_sid: Error opening lsa policy handle. %s\n",
- nt_errstr(result) ));
- goto done;
- }
-
- result = cli_lsa_query_info_policy(cli, cli->mem_ctx, &lsa_pol, 5, domain, psid);
- if (!NT_STATUS_IS_OK(result)) {
- DEBUG(0, ("fetch_domain_sid: Error querying lsa policy handle. %s\n",
- nt_errstr(result) ));
- goto done;
- }
-
- ret = True;
-
- done:
-
- cli_shutdown(cli);
- return ret;
-}
-
-#endif
-
-NTSTATUS rpccli_lsa_open_trusted_domain(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
- POLICY_HND *pol, DOM_SID *dom_sid, uint32 access_mask,
- POLICY_HND *trustdom_pol)
-{
- prs_struct qbuf, rbuf;
- LSA_Q_OPEN_TRUSTED_DOMAIN q;
- LSA_R_OPEN_TRUSTED_DOMAIN r;
- NTSTATUS result;
-
- ZERO_STRUCT(q);
- ZERO_STRUCT(r);
-
- /* Initialise input parameters */
-
- init_lsa_q_open_trusted_domain(&q, pol, dom_sid, access_mask);
-
- /* Marshall data and send request */
-
- CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_OPENTRUSTDOM,
- q, r,
- qbuf, rbuf,
- lsa_io_q_open_trusted_domain,
- lsa_io_r_open_trusted_domain,
- NT_STATUS_UNSUCCESSFUL);
-
- /* Return output parameters */
-
- result = r.status;
-
- if (NT_STATUS_IS_OK(result)) {
- *trustdom_pol = r.handle;
- }
-
- return result;
-}
-
-NTSTATUS rpccli_lsa_query_trusted_domain_info(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
- POLICY_HND *pol,
- uint16 info_class,
- LSA_TRUSTED_DOMAIN_INFO **info)
-{
- prs_struct qbuf, rbuf;
- LSA_Q_QUERY_TRUSTED_DOMAIN_INFO q;
- LSA_R_QUERY_TRUSTED_DOMAIN_INFO r;
- NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
-
- ZERO_STRUCT(q);
- ZERO_STRUCT(r);
-
- /* Marshall data and send request */
-
- init_q_query_trusted_domain_info(&q, pol, info_class);
-
- CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_QUERYTRUSTDOMINFO,
- q, r,
- qbuf, rbuf,
- lsa_io_q_query_trusted_domain_info,
- lsa_io_r_query_trusted_domain_info,
- NT_STATUS_UNSUCCESSFUL);
-
- result = r.status;
-
- if (!NT_STATUS_IS_OK(result)) {
- goto done;
- }
-
- *info = r.info;
-
-done:
- return result;
-}
-
-NTSTATUS rpccli_lsa_open_trusted_domain_by_name(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
- POLICY_HND *pol, const char *name, uint32 access_mask,
- POLICY_HND *trustdom_pol)
-{
- prs_struct qbuf, rbuf;
- LSA_Q_OPEN_TRUSTED_DOMAIN_BY_NAME q;
- LSA_R_OPEN_TRUSTED_DOMAIN_BY_NAME r;
- NTSTATUS result;
-
- ZERO_STRUCT(q);
- ZERO_STRUCT(r);
-
- /* Initialise input parameters */
-
- init_lsa_q_open_trusted_domain_by_name(&q, pol, name, access_mask);
-
- /* Marshall data and send request */
-
- CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_OPENTRUSTDOMBYNAME,
- q, r,
- qbuf, rbuf,
- lsa_io_q_open_trusted_domain_by_name,
- lsa_io_r_open_trusted_domain_by_name,
- NT_STATUS_UNSUCCESSFUL);
-
- /* Return output parameters */
-
- result = r.status;
-
- if (NT_STATUS_IS_OK(result)) {
- *trustdom_pol = r.handle;
- }
-
- return result;
-}
-
-
-NTSTATUS rpccli_lsa_query_trusted_domain_info_by_sid(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
- POLICY_HND *pol,
- uint16 info_class, DOM_SID *dom_sid,
- LSA_TRUSTED_DOMAIN_INFO **info)
-{
- prs_struct qbuf, rbuf;
- LSA_Q_QUERY_TRUSTED_DOMAIN_INFO_BY_SID q;
- LSA_R_QUERY_TRUSTED_DOMAIN_INFO r;
- NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
-
- ZERO_STRUCT(q);
- ZERO_STRUCT(r);
-
- /* Marshall data and send request */
-
- init_q_query_trusted_domain_info_by_sid(&q, pol, info_class, dom_sid);
-
- CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_QUERYTRUSTDOMINFOBYSID,
- q, r,
- qbuf, rbuf,
- lsa_io_q_query_trusted_domain_info_by_sid,
- lsa_io_r_query_trusted_domain_info,
- NT_STATUS_UNSUCCESSFUL);
-
- result = r.status;
-
- if (!NT_STATUS_IS_OK(result)) {
- goto done;
- }
-
- *info = r.info;
-
-done:
-
- return result;
-}
-
-NTSTATUS rpccli_lsa_query_trusted_domain_info_by_name(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
- POLICY_HND *pol,
- uint16 info_class, const char *domain_name,
- LSA_TRUSTED_DOMAIN_INFO **info)
-{
- prs_struct qbuf, rbuf;
- LSA_Q_QUERY_TRUSTED_DOMAIN_INFO_BY_NAME q;
- LSA_R_QUERY_TRUSTED_DOMAIN_INFO r;
- NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
-
- ZERO_STRUCT(q);
- ZERO_STRUCT(r);
-
- /* Marshall data and send request */
-
- init_q_query_trusted_domain_info_by_name(&q, pol, info_class, domain_name);
-
- CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_QUERYTRUSTDOMINFOBYNAME,
- q, r,
- qbuf, rbuf,
- lsa_io_q_query_trusted_domain_info_by_name,
- lsa_io_r_query_trusted_domain_info,
- NT_STATUS_UNSUCCESSFUL);
-
- result = r.status;
-
- if (!NT_STATUS_IS_OK(result)) {
- goto done;
- }
-
- *info = r.info;
-
-done:
-
- return result;
-}
-
-NTSTATUS cli_lsa_query_domain_info_policy(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
- POLICY_HND *pol,
- uint16 info_class, LSA_DOM_INFO_UNION **info)
-{
- prs_struct qbuf, rbuf;
- LSA_Q_QUERY_DOM_INFO_POLICY q;
- LSA_R_QUERY_DOM_INFO_POLICY r;
- NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
-
- ZERO_STRUCT(q);
- ZERO_STRUCT(r);
-
- /* Marshall data and send request */
-
- init_q_query_dom_info(&q, pol, info_class);
-
- CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_QUERYDOMINFOPOL,
- q, r,
- qbuf, rbuf,
- lsa_io_q_query_dom_info,
- lsa_io_r_query_dom_info,
- NT_STATUS_UNSUCCESSFUL);
-
- result = r.status;
-
- if (!NT_STATUS_IS_OK(result)) {
- goto done;
- }
-
- *info = r.info;
-
-done:
- return result;
-}
-