2 Unix SMB/CIFS implementation.
4 Copyright (C) Tim Potter 2000-2001,
5 Copyright (C) Andrew Tridgell 1992-1997,2000,
6 Copyright (C) Rafal Szczesniak 2002
7 Copyright (C) Jeremy Allison 2005.
8 Copyright (C) Michael Adam 2007.
9 Copyright (C) Guenther Deschner 2008.
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
27 /** @defgroup lsa LSA - Local Security Architecture
36 * RPC client routines for the LSA RPC pipe. LSA means "local
37 * security authority", which is half of a password database.
40 /** Open a LSA policy handle
42 * @param cli Handle on an initialised SMB connection */
44 NTSTATUS rpccli_lsa_open_policy(struct rpc_pipe_client *cli,
46 bool sec_qos, uint32 des_access,
49 struct lsa_ObjectAttribute attr;
50 struct lsa_QosInfo qos;
51 uint16_t system_name = '\\';
54 init_lsa_sec_qos(&qos, 0xc, 2, 1, 0);
55 init_lsa_obj_attr(&attr,
63 init_lsa_obj_attr(&attr,
72 return rpccli_lsa_OpenPolicy(cli, mem_ctx,
79 /** Open a LSA policy handle
81 * @param cli Handle on an initialised SMB connection
84 NTSTATUS rpccli_lsa_open_policy2(struct rpc_pipe_client *cli,
85 TALLOC_CTX *mem_ctx, bool sec_qos,
86 uint32 des_access, POLICY_HND *pol)
88 struct lsa_ObjectAttribute attr;
89 struct lsa_QosInfo qos;
92 init_lsa_sec_qos(&qos, 0xc, 2, 1, 0);
93 init_lsa_obj_attr(&attr,
101 init_lsa_obj_attr(&attr,
110 return rpccli_lsa_OpenPolicy2(cli, mem_ctx,
111 cli->cli->srv_name_slash,
117 /* Lookup a list of sids
119 * internal version withOUT memory allocation of the target arrays.
120 * this assumes suffciently sized arrays to store domains, names and types. */
122 static NTSTATUS rpccli_lsa_lookup_sids_noalloc(struct rpc_pipe_client *cli,
129 enum lsa_SidType *types)
131 NTSTATUS result = NT_STATUS_OK;
132 TALLOC_CTX *tmp_ctx = NULL;
134 struct lsa_SidArray sid_array;
135 struct lsa_RefDomainList *ref_domains = NULL;
136 struct lsa_TransNameArray lsa_names;
140 ZERO_STRUCT(lsa_names);
142 tmp_ctx = talloc_new(mem_ctx);
144 DEBUG(0, ("rpccli_lsa_lookup_sids_noalloc: out of memory!\n"));
145 result = NT_STATUS_UNSUCCESSFUL;
149 sid_array.num_sids = num_sids;
150 sid_array.sids = TALLOC_ARRAY(mem_ctx, struct lsa_SidPtr, num_sids);
151 if (!sid_array.sids) {
152 return NT_STATUS_NO_MEMORY;
155 for (i = 0; i<num_sids; i++) {
156 sid_array.sids[i].sid = sid_dup_talloc(mem_ctx, &sids[i]);
157 if (!sid_array.sids[i].sid) {
158 return NT_STATUS_NO_MEMORY;
162 result = rpccli_lsa_LookupSids(cli, mem_ctx,
170 DEBUG(10, ("LSA_LOOKUPSIDS returned '%s', mapped count = %d'\n",
171 nt_errstr(result), count));
173 if (!NT_STATUS_IS_OK(result) &&
174 !NT_STATUS_EQUAL(result, NT_STATUS_NONE_MAPPED) &&
175 !NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED))
177 /* An actual error occured */
181 /* Return output parameters */
183 if (NT_STATUS_EQUAL(result, NT_STATUS_NONE_MAPPED) ||
186 for (i = 0; i < num_sids; i++) {
189 (types)[i] = SID_NAME_UNKNOWN;
191 result = NT_STATUS_NONE_MAPPED;
195 for (i = 0; i < num_sids; i++) {
196 const char *name, *dom_name;
197 uint32_t dom_idx = lsa_names.names[i].sid_index;
199 /* Translate optimised name through domain index array */
201 if (dom_idx != 0xffffffff) {
203 dom_name = ref_domains->domains[dom_idx].name.string;
204 name = lsa_names.names[i].name.string;
206 (names)[i] = talloc_strdup(mem_ctx, name);
207 (domains)[i] = talloc_strdup(mem_ctx, dom_name);
208 (types)[i] = lsa_names.names[i].sid_type;
210 if (((names)[i] == NULL) || ((domains)[i] == NULL)) {
211 DEBUG(0, ("cli_lsa_lookup_sids_noalloc(): out of memory\n"));
212 result = NT_STATUS_UNSUCCESSFUL;
219 (types)[i] = SID_NAME_UNKNOWN;
224 TALLOC_FREE(tmp_ctx);
228 /* Lookup a list of sids
230 * do it the right way: there is a limit (of 20480 for w2k3) entries
231 * returned by this call. when the sids list contains more entries,
232 * empty lists are returned. This version of lsa_lookup_sids passes
233 * the list of sids in hunks of LOOKUP_SIDS_HUNK_SIZE to the lsa call. */
235 /* This constant defines the limit of how many sids to look up
236 * in one call (maximum). the limit from the server side is
237 * at 20480 for win2k3, but we keep it at a save 1000 for now. */
238 #define LOOKUP_SIDS_HUNK_SIZE 1000
240 NTSTATUS rpccli_lsa_lookup_sids(struct rpc_pipe_client *cli,
247 enum lsa_SidType **ptypes)
249 NTSTATUS result = NT_STATUS_OK;
251 int sids_processed = 0;
252 const DOM_SID *hunk_sids = sids;
255 enum lsa_SidType *hunk_types;
256 char **domains = NULL;
258 enum lsa_SidType *types = NULL;
261 if (!(domains = TALLOC_ARRAY(mem_ctx, char *, num_sids))) {
262 DEBUG(0, ("rpccli_lsa_lookup_sids(): out of memory\n"));
263 result = NT_STATUS_NO_MEMORY;
267 if (!(names = TALLOC_ARRAY(mem_ctx, char *, num_sids))) {
268 DEBUG(0, ("rpccli_lsa_lookup_sids(): out of memory\n"));
269 result = NT_STATUS_NO_MEMORY;
273 if (!(types = TALLOC_ARRAY(mem_ctx, enum lsa_SidType, num_sids))) {
274 DEBUG(0, ("rpccli_lsa_lookup_sids(): out of memory\n"));
275 result = NT_STATUS_NO_MEMORY;
280 sids_left = num_sids;
281 hunk_domains = domains;
285 while (sids_left > 0) {
287 NTSTATUS hunk_result = NT_STATUS_OK;
289 hunk_num_sids = ((sids_left > LOOKUP_SIDS_HUNK_SIZE)
290 ? LOOKUP_SIDS_HUNK_SIZE
293 DEBUG(10, ("rpccli_lsa_lookup_sids: processing items "
296 sids_processed + hunk_num_sids - 1,
299 hunk_result = rpccli_lsa_lookup_sids_noalloc(cli,
308 if (!NT_STATUS_IS_OK(hunk_result) &&
309 !NT_STATUS_EQUAL(hunk_result, STATUS_SOME_UNMAPPED) &&
310 !NT_STATUS_EQUAL(hunk_result, NT_STATUS_NONE_MAPPED))
312 /* An actual error occured */
313 result = hunk_result;
317 /* adapt overall result */
318 if (( NT_STATUS_IS_OK(result) &&
319 !NT_STATUS_IS_OK(hunk_result))
321 ( NT_STATUS_EQUAL(result, NT_STATUS_NONE_MAPPED) &&
322 !NT_STATUS_EQUAL(hunk_result, NT_STATUS_NONE_MAPPED)))
324 result = STATUS_SOME_UNMAPPED;
327 sids_left -= hunk_num_sids;
328 sids_processed += hunk_num_sids; /* only used in DEBUG */
329 hunk_sids += hunk_num_sids;
330 hunk_domains += hunk_num_sids;
331 hunk_names += hunk_num_sids;
332 hunk_types += hunk_num_sids;
341 TALLOC_FREE(domains);
347 /** Lookup a list of names */
349 NTSTATUS rpccli_lsa_lookup_names(struct rpc_pipe_client *cli,
351 POLICY_HND *pol, int num_names,
353 const char ***dom_names,
356 enum lsa_SidType **types)
360 struct lsa_String *lsa_names = NULL;
361 struct lsa_RefDomainList *domains = NULL;
362 struct lsa_TransSidArray sid_array;
365 ZERO_STRUCT(sid_array);
367 lsa_names = TALLOC_ARRAY(mem_ctx, struct lsa_String, num_names);
369 return NT_STATUS_NO_MEMORY;
372 for (i=0; i<num_names; i++) {
373 init_lsa_String(&lsa_names[i], names[i]);
376 result = rpccli_lsa_LookupNames(cli, mem_ctx,
385 if (!NT_STATUS_IS_OK(result) && NT_STATUS_V(result) !=
386 NT_STATUS_V(STATUS_SOME_UNMAPPED)) {
388 /* An actual error occured */
393 /* Return output parameters */
396 result = NT_STATUS_NONE_MAPPED;
401 if (!((*sids = TALLOC_ARRAY(mem_ctx, DOM_SID, num_names)))) {
402 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
403 result = NT_STATUS_NO_MEMORY;
407 if (!((*types = TALLOC_ARRAY(mem_ctx, enum lsa_SidType, num_names)))) {
408 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
409 result = NT_STATUS_NO_MEMORY;
413 if (dom_names != NULL) {
414 *dom_names = TALLOC_ARRAY(mem_ctx, const char *, num_names);
415 if (*dom_names == NULL) {
416 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
417 result = NT_STATUS_NO_MEMORY;
424 if (dom_names != NULL) {
429 for (i = 0; i < num_names; i++) {
430 uint32_t dom_idx = sid_array.sids[i].sid_index;
431 uint32_t dom_rid = sid_array.sids[i].rid;
432 DOM_SID *sid = &(*sids)[i];
434 /* Translate optimised sid through domain index array */
436 if (dom_idx == 0xffffffff) {
437 /* Nothing to do, this is unknown */
439 (*types)[i] = SID_NAME_UNKNOWN;
443 sid_copy(sid, domains->domains[dom_idx].sid);
445 if (dom_rid != 0xffffffff) {
446 sid_append_rid(sid, dom_rid);
449 (*types)[i] = sid_array.sids[i].sid_type;
451 if (dom_names == NULL) {
455 (*dom_names)[i] = domains->domains[dom_idx].name.string;
465 /** An example of how to use the routines in this file. Fetch a DOMAIN
466 sid. Does complete cli setup / teardown anonymously. */
468 bool fetch_domain_sid( char *domain, char *remote_machine, DOM_SID *psid)
470 struct cli_state cli;
476 if(cli_initialise(&cli) == False) {
477 DEBUG(0,("fetch_domain_sid: unable to initialize client connection.\n"));
481 if(!resolve_name( remote_machine, &cli.dest_ip, 0x20)) {
482 DEBUG(0,("fetch_domain_sid: Can't resolve address for %s\n", remote_machine));
486 if (!cli_connect(&cli, remote_machine, &cli.dest_ip)) {
487 DEBUG(0,("fetch_domain_sid: unable to connect to SMB server on \
488 machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
492 if (!attempt_netbios_session_request(&cli, global_myname(), remote_machine, &cli.dest_ip)) {
493 DEBUG(0,("fetch_domain_sid: machine %s rejected the NetBIOS session request.\n",
498 cli.protocol = PROTOCOL_NT1;
500 if (!cli_negprot(&cli)) {
501 DEBUG(0,("fetch_domain_sid: machine %s rejected the negotiate protocol. \
502 Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
506 if (cli.protocol != PROTOCOL_NT1) {
507 DEBUG(0,("fetch_domain_sid: machine %s didn't negotiate NT protocol.\n",
513 * Do an anonymous session setup.
516 if (!cli_session_setup(&cli, "", "", 0, "", 0, "")) {
517 DEBUG(0,("fetch_domain_sid: machine %s rejected the session setup. \
518 Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
522 if (!(cli.sec_mode & NEGOTIATE_SECURITY_USER_LEVEL)) {
523 DEBUG(0,("fetch_domain_sid: machine %s isn't in user level security mode\n",
528 if (!cli_send_tconX(&cli, "IPC$", "IPC", "", 1)) {
529 DEBUG(0,("fetch_domain_sid: machine %s rejected the tconX on the IPC$ share. \
530 Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
534 /* Fetch domain sid */
536 if (!cli_nt_session_open(&cli, PI_LSARPC)) {
537 DEBUG(0, ("fetch_domain_sid: Error connecting to SAM pipe\n"));
541 result = cli_lsa_open_policy(&cli, cli.mem_ctx, True, SEC_RIGHTS_QUERY_VALUE, &lsa_pol);
542 if (!NT_STATUS_IS_OK(result)) {
543 DEBUG(0, ("fetch_domain_sid: Error opening lsa policy handle. %s\n",
544 nt_errstr(result) ));
548 result = cli_lsa_query_info_policy(&cli, cli.mem_ctx, &lsa_pol, 5, domain, psid);
549 if (!NT_STATUS_IS_OK(result)) {
550 DEBUG(0, ("fetch_domain_sid: Error querying lsa policy handle. %s\n",
551 nt_errstr(result) ));