r4202: added smbclient commands "addprivileges" and "delprivileges" for
authorAndrew Tridgell <tridge@samba.org>
Tue, 14 Dec 2004 06:31:20 +0000 (06:31 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 18:07:26 +0000 (13:07 -0500)
easily adding/removing privileges from users

source/client/client.c
source/libcli/util/clilsa.c
source/rpc_server/lsa/dcesrv_lsa.c

index 1bad697da7289fa265b887cd8177b6ebd36b6afa..b234a47e2c258a1a5446f4fba75ad94b9b8626b1 100644 (file)
@@ -1909,7 +1909,7 @@ static int cmd_privileges(const char **cmd_ptr)
        unsigned i;
 
        if (!next_token(cmd_ptr,buf,NULL,sizeof(buf))) {
-               d_printf("lookupsid <sid>\n");
+               d_printf("privileges <sid|name>\n");
                talloc_free(mem_ctx);
                return 1;
        }
@@ -1943,6 +1943,107 @@ static int cmd_privileges(const char **cmd_ptr)
 }
 
 
+/****************************************************************************
+add privileges for a user
+****************************************************************************/
+static int cmd_addprivileges(const char **cmd_ptr)
+{
+       fstring buf;
+       TALLOC_CTX *mem_ctx = talloc(NULL, 0);
+       NTSTATUS status;
+       struct dom_sid *sid;
+       struct lsa_RightSet rights;
+
+       if (!next_token(cmd_ptr,buf,NULL,sizeof(buf))) {
+               d_printf("addprivileges <sid> <privilege...>\n");
+               talloc_free(mem_ctx);
+               return 1;
+       }
+
+       sid = dom_sid_parse_talloc(mem_ctx, buf);
+       if (sid == NULL) {
+               const char *sid_str;
+               status = smblsa_lookup_name(cli, buf, mem_ctx, &sid_str);
+               if (!NT_STATUS_IS_OK(status)) {
+                       d_printf("lsa_LookupNames - %s\n", nt_errstr(status));
+                       talloc_free(mem_ctx);
+                       return 1;
+               }
+               sid = dom_sid_parse_talloc(mem_ctx, sid_str);
+       }
+
+       ZERO_STRUCT(rights);
+       while (next_token(cmd_ptr,buf,NULL,sizeof(buf))) {
+               rights.names = talloc_realloc_p(mem_ctx, rights.names, 
+                                               struct lsa_String, rights.count+1);
+               rights.names[rights.count].string = talloc_strdup(mem_ctx, buf);
+               rights.count++;
+       }
+
+
+       status = smblsa_sid_add_privileges(cli, sid, mem_ctx, &rights);
+       if (!NT_STATUS_IS_OK(status)) {
+               d_printf("lsa_AddAccountRights - %s\n", nt_errstr(status));
+               talloc_free(mem_ctx);
+               return 1;
+       }
+
+       talloc_free(mem_ctx);
+
+       return 0;
+}
+
+/****************************************************************************
+delete privileges for a user
+****************************************************************************/
+static int cmd_delprivileges(const char **cmd_ptr)
+{
+       fstring buf;
+       TALLOC_CTX *mem_ctx = talloc(NULL, 0);
+       NTSTATUS status;
+       struct dom_sid *sid;
+       struct lsa_RightSet rights;
+
+       if (!next_token(cmd_ptr,buf,NULL,sizeof(buf))) {
+               d_printf("delprivileges <sid> <privilege...>\n");
+               talloc_free(mem_ctx);
+               return 1;
+       }
+
+       sid = dom_sid_parse_talloc(mem_ctx, buf);
+       if (sid == NULL) {
+               const char *sid_str;
+               status = smblsa_lookup_name(cli, buf, mem_ctx, &sid_str);
+               if (!NT_STATUS_IS_OK(status)) {
+                       d_printf("lsa_LookupNames - %s\n", nt_errstr(status));
+                       talloc_free(mem_ctx);
+                       return 1;
+               }
+               sid = dom_sid_parse_talloc(mem_ctx, sid_str);
+       }
+
+       ZERO_STRUCT(rights);
+       while (next_token(cmd_ptr,buf,NULL,sizeof(buf))) {
+               rights.names = talloc_realloc_p(mem_ctx, rights.names, 
+                                               struct lsa_String, rights.count+1);
+               rights.names[rights.count].string = talloc_strdup(mem_ctx, buf);
+               rights.count++;
+       }
+
+
+       status = smblsa_sid_del_privileges(cli, sid, mem_ctx, &rights);
+       if (!NT_STATUS_IS_OK(status)) {
+               d_printf("lsa_RemoveAccountRights - %s\n", nt_errstr(status));
+               talloc_free(mem_ctx);
+               return 1;
+       }
+
+       talloc_free(mem_ctx);
+
+       return 0;
+}
+
+
 /****************************************************************************
 ****************************************************************************/
 static int cmd_open(const char **cmd_ptr)
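Review bot: In both cmd_addprivileges and cmd_delprivileges the result of the second `dom_sid_parse_talloc(mem_ctx, sid_str)` call is never checked, so a NULL sid can be handed to smblsa_sid_add_privileges / smblsa_sid_del_privileges, which store it in `r.in.sid` as-is. The token loop has the same gap: the `talloc_realloc_p` and `talloc_strdup` results are used unchecked, and a command line with no privilege names still issues a request with `rights.count == 0`. For a command that changes account rights it is safer to fail before the RPC is sent; the fence shows the checks for cmd_addprivileges, and cmd_delprivileges needs the same ones. The usage strings printed here also say `<sid>` while the command table entries say `<sid|user>`.

```c
	/* ... unchanged: first token, dom_sid_parse_talloc, smblsa_lookup_name fallback ... */
		sid = dom_sid_parse_talloc(mem_ctx, sid_str);
	}
	if (sid == NULL) {
		d_printf("could not parse a SID for '%s'\n", buf);
		talloc_free(mem_ctx);
		return 1;
	}

	ZERO_STRUCT(rights);
	while (next_token(cmd_ptr,buf,NULL,sizeof(buf))) {
		rights.names = talloc_realloc_p(mem_ctx, rights.names,
						struct lsa_String, rights.count+1);
		if (rights.names == NULL) {
			d_printf("out of memory\n");
			talloc_free(mem_ctx);
			return 1;
		}
		rights.names[rights.count].string = talloc_strdup(mem_ctx, buf);
		if (rights.names[rights.count].string == NULL) {
			d_printf("out of memory\n");
			talloc_free(mem_ctx);
			return 1;
		}
		rights.count++;
	}
	if (rights.count == 0) {
		/* nothing to add: refuse rather than send an empty right set */
		d_printf("addprivileges <sid|user> <privilege...>\n");
		talloc_free(mem_ctx);
		return 1;
	}
	/* ... unchanged: smblsa_sid_add_privileges call and status handling ... */
```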
@@ -2492,6 +2593,7 @@ static struct
 } commands[] = 
 {
   {"?",cmd_help,"[command] give help on a command",{COMPL_NONE,COMPL_NONE}},
+  {"addprivileges",cmd_addprivileges,"<sid|user> <privilege...> add privileges for a user",{COMPL_NONE,COMPL_NONE}},
   {"altname",cmd_altname,"<file> show alt name",{COMPL_NONE,COMPL_NONE}},
   {"acl",cmd_acl,"<file> show file ACL",{COMPL_NONE,COMPL_NONE}},
   {"allinfo",cmd_allinfo,"<file> show all possible info about a file",{COMPL_NONE,COMPL_NONE}},
@@ -2501,6 +2603,7 @@ static struct
   {"chmod",cmd_chmod,"<src> <mode> chmod a file using UNIX permission",{COMPL_REMOTE,COMPL_REMOTE}},
   {"chown",cmd_chown,"<src> <uid> <gid> chown a file using UNIX uids and gids",{COMPL_REMOTE,COMPL_REMOTE}},
   {"del",cmd_del,"<mask> delete all matching files",{COMPL_REMOTE,COMPL_NONE}},
+  {"delprivileges",cmd_delprivileges,"<sid|user> <privilege...> remove privileges for a user",{COMPL_NONE,COMPL_NONE}},
   {"deltree",cmd_deltree,"<dir> delete a whole directory tree",{COMPL_REMOTE,COMPL_NONE}},
   {"dir",cmd_dir,"<mask> list the contents of the current directory",{COMPL_REMOTE,COMPL_NONE}},
   {"du",cmd_du,"<mask> computes the total size of the current directory",{COMPL_REMOTE,COMPL_NONE}},
index c3c7f8cc777930af5a2e0951af7485931ca9355b..4204adcc07712cf6995a3ba5344178c806e8dc19 100644 (file)
@@ -297,3 +297,49 @@ NTSTATUS smblsa_lookup_name(struct smbcli_state *cli,
 
        return NT_STATUS_OK;    
 }
+
+
+/*
+  add a set of privileges to the given sid
+*/
+NTSTATUS smblsa_sid_add_privileges(struct smbcli_state *cli, struct dom_sid *sid, 
+                                  TALLOC_CTX *mem_ctx,
+                                  struct lsa_RightSet *rights)
+{
+       NTSTATUS status;
+       struct lsa_AddAccountRights r;
+
+       status = smblsa_connect(cli);
+       if (!NT_STATUS_IS_OK(status)) {
+               return status;
+       }
+
+       r.in.handle = &cli->lsa->handle;
+       r.in.sid = sid;
+       r.in.rights = rights;
+
+       return dcerpc_lsa_AddAccountRights(cli->lsa->pipe, mem_ctx, &r);
+}
+
+/*
+  remove a set of privileges from the given sid
+*/
+NTSTATUS smblsa_sid_del_privileges(struct smbcli_state *cli, struct dom_sid *sid, 
+                                  TALLOC_CTX *mem_ctx,
+                                  struct lsa_RightSet *rights)
+{
+       NTSTATUS status;
+       struct lsa_RemoveAccountRights r;
+
+       status = smblsa_connect(cli);
+       if (!NT_STATUS_IS_OK(status)) {
+               return status;
+       }
+
+       r.in.handle = &cli->lsa->handle;
+       r.in.sid = sid;
+       r.in.unknown = 0;
+       r.in.rights = rights;
+
+       return dcerpc_lsa_RemoveAccountRights(cli->lsa->pipe, mem_ctx, &r);
+}
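Review bot: smblsa_sid_add_privileges and smblsa_sid_del_privileges copy `sid` and `rights` straight into the request without checking either for NULL, and the callers added in client.c by this commit can reach them with a NULL sid when the looked-up SID string fails to parse. A guard at the top of each, `if (sid == NULL || rights == NULL) return NT_STATUS_INVALID_PARAMETER;`, keeps a malformed request from being marshalled. `r.in.unknown = 0` deserves a short comment saying what the field is believed to control, since it is the one input the remove path sets that the add path does not. If dcerpc_lsa_AddAccountRights / dcerpc_lsa_RemoveAccountRights report only the transport status, `r.out.result` would also need to be returned so a server-side refusal is not shown as success; that cannot be confirmed from this hunk.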
index af96b46102ea28b36345de82b1855fa0857f452a..22e108d5380f2920354b6cb8594c15ee4b3fc8a5 100644 (file)
@@ -1084,6 +1084,9 @@ static NTSTATUS lsa_AddRemoveAccountRights(struct dcesrv_call_state *dce_call,
 
        ret = samdb_modify(state->sam_ctx, mem_ctx, &msg);
        if (ret != 0) {
+               if (ldb_flag == LDB_FLAG_MOD_DELETE) {
+                       return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+               }
                return NT_STATUS_UNEXPECTED_IO_ERROR;
        }