2 Unix SMB/CIFS implementation.
4 Copyright (C) Tim Potter 2000-2001,
5 Copyright (C) Andrew Tridgell 1992-1997,2000,
6 Copyright (C) Rafal Szczesniak 2002
7 Copyright (C) Jeremy Allison 2005.
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
26 /** @defgroup lsa LSA - Local Security Architecture
35 * RPC client routines for the LSA RPC pipe. LSA means "local
36 * security authority", which is half of a password database.
39 /** Open a LSA policy handle
41 * @param cli Handle on an initialised SMB connection */
43 NTSTATUS rpccli_lsa_open_policy(struct rpc_pipe_client *cli,
45 BOOL sec_qos, uint32 des_access,
48 prs_struct qbuf, rbuf;
57 /* Initialise input parameters */
60 init_lsa_sec_qos(&qos, 2, 1, 0);
61 init_q_open_pol(&q, '\\', 0, des_access, &qos);
63 init_q_open_pol(&q, '\\', 0, des_access, NULL);
66 /* Marshall data and send request */
68 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_OPENPOLICY,
73 NT_STATUS_UNSUCCESSFUL );
75 /* Return output parameters */
79 if (NT_STATUS_IS_OK(result)) {
86 /** Open a LSA policy handle
88 * @param cli Handle on an initialised SMB connection
91 NTSTATUS rpccli_lsa_open_policy2(struct rpc_pipe_client *cli,
92 TALLOC_CTX *mem_ctx, BOOL sec_qos,
93 uint32 des_access, POLICY_HND *pol)
95 prs_struct qbuf, rbuf;
100 char *srv_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", cli->cli->desthost);
106 init_lsa_sec_qos(&qos, 2, 1, 0);
107 init_q_open_pol2(&q, srv_name_slash, 0, des_access, &qos);
109 init_q_open_pol2(&q, srv_name_slash, 0, des_access, NULL);
112 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_OPENPOLICY2,
117 NT_STATUS_UNSUCCESSFUL );
119 /* Return output parameters */
123 if (NT_STATUS_IS_OK(result)) {
130 /* Lookup a list of sids
132 * internal version withOUT memory allocation of the target arrays.
133 * this assumes suffciently sized arrays to store domains, names and types. */
135 static NTSTATUS rpccli_lsa_lookup_sids_noalloc(struct rpc_pipe_client *cli,
142 enum lsa_SidType *types)
144 prs_struct qbuf, rbuf;
148 NTSTATUS result = NT_STATUS_OK;
149 TALLOC_CTX *tmp_ctx = NULL;
152 tmp_ctx = talloc_new(mem_ctx);
154 DEBUG(0, ("rpccli_lsa_lookup_sids_noalloc: out of memory!\n"));
155 result = NT_STATUS_UNSUCCESSFUL;
162 init_q_lookup_sids(tmp_ctx, &q, pol, num_sids, sids, 1);
168 CLI_DO_RPC( cli, tmp_ctx, PI_LSARPC, LSA_LOOKUPSIDS,
171 lsa_io_q_lookup_sids,
172 lsa_io_r_lookup_sids,
173 NT_STATUS_UNSUCCESSFUL );
175 if (!NT_STATUS_IS_OK(r.status) &&
176 !NT_STATUS_EQUAL(r.status, STATUS_SOME_UNMAPPED))
178 /* An actual error occured */
183 /* Return output parameters */
185 if (r.mapped_count == 0) {
186 result = NT_STATUS_NONE_MAPPED;
190 for (i = 0; i < num_sids; i++) {
191 fstring name, dom_name;
192 uint32 dom_idx = r.names.name[i].domain_idx;
194 /* Translate optimised name through domain index array */
196 if (dom_idx != 0xffffffff) {
198 rpcstr_pull_unistr2_fstring(
199 dom_name, &ref.ref_dom[dom_idx].uni_dom_name);
200 rpcstr_pull_unistr2_fstring(
201 name, &r.names.uni_name[i]);
203 (names)[i] = talloc_strdup(mem_ctx, name);
204 (domains)[i] = talloc_strdup(mem_ctx, dom_name);
205 (types)[i] = (enum lsa_SidType)r.names.name[i].sid_name_use;
207 if (((names)[i] == NULL) || ((domains)[i] == NULL)) {
208 DEBUG(0, ("cli_lsa_lookup_sids_noalloc(): out of memory\n"));
209 result = NT_STATUS_UNSUCCESSFUL;
216 (types)[i] = SID_NAME_UNKNOWN;
221 TALLOC_FREE(tmp_ctx);
225 /* Lookup a list of sids
227 * do it the right way: there is a limit (of 20480 for w2k3) entries
228 * returned by this call. when the sids list contains more entries,
229 * empty lists are returned. This version of lsa_lookup_sids passes
230 * the list of sids in hunks of LOOKUP_SIDS_HUNK_SIZE to the lsa call. */
232 /* This constant defines the limit of how many sids to look up
233 * in one call (maximum). the limit from the server side is
234 * at 20480 for win2k3, but we keep it at a save 1000 for now. */
235 #define LOOKUP_SIDS_HUNK_SIZE 1000
237 NTSTATUS rpccli_lsa_lookup_sids_all(struct rpc_pipe_client *cli,
244 enum lsa_SidType **types)
246 NTSTATUS result = NT_STATUS_OK;
248 int sids_processed = 0;
249 const DOM_SID *hunk_sids = sids;
250 char **hunk_domains = NULL;
251 char **hunk_names = NULL;
252 enum lsa_SidType *hunk_types = NULL;
255 if (!((*domains) = TALLOC_ARRAY(mem_ctx, char *, num_sids))) {
256 DEBUG(0, ("rpccli_lsa_lookup_sids_all(): out of memory\n"));
257 result = NT_STATUS_NO_MEMORY;
261 if (!((*names) = TALLOC_ARRAY(mem_ctx, char *, num_sids))) {
262 DEBUG(0, ("rpccli_lsa_lookup_sids_all(): out of memory\n"));
263 result = NT_STATUS_NO_MEMORY;
267 if (!((*types) = TALLOC_ARRAY(mem_ctx, enum lsa_SidType, num_sids))) {
268 DEBUG(0, ("rpccli_lsa_lookup_sids_all(): out of memory\n"));
269 result = NT_STATUS_NO_MEMORY;
278 sids_left = num_sids;
279 hunk_domains = *domains;
283 while (sids_left > 0) {
285 NTSTATUS hunk_result = NT_STATUS_OK;
287 hunk_num_sids = ((sids_left > LOOKUP_SIDS_HUNK_SIZE)
288 ? LOOKUP_SIDS_HUNK_SIZE
291 DEBUG(10, ("rpccli_lsa_lookup_sids_all: processing items "
294 sids_processed + hunk_num_sids - 1,
297 hunk_result = rpccli_lsa_lookup_sids_noalloc(cli,
306 if (!NT_STATUS_IS_OK(hunk_result) &&
307 !NT_STATUS_EQUAL(hunk_result, STATUS_SOME_UNMAPPED) &&
308 !NT_STATUS_EQUAL(hunk_result, NT_STATUS_NONE_MAPPED))
310 /* An actual error occured */
314 /* adapt overall result */
315 if (( NT_STATUS_IS_OK(result) &&
316 !NT_STATUS_IS_OK(hunk_result))
318 ( NT_STATUS_EQUAL(result, NT_STATUS_NONE_MAPPED) &&
319 !NT_STATUS_EQUAL(hunk_result, NT_STATUS_NONE_MAPPED)))
321 result = STATUS_SOME_UNMAPPED;
324 sids_left -= hunk_num_sids;
325 sids_processed += hunk_num_sids; /* only used in DEBUG */
326 hunk_sids += hunk_num_sids;
327 hunk_domains += hunk_num_sids;
328 hunk_names += hunk_num_sids;
329 hunk_types += hunk_num_sids;
336 /** Lookup a list of sids */
338 NTSTATUS rpccli_lsa_lookup_sids(struct rpc_pipe_client *cli,
340 POLICY_HND *pol, int num_sids,
344 enum lsa_SidType **types)
346 prs_struct qbuf, rbuf;
350 NTSTATUS result = NT_STATUS_OK;
356 init_q_lookup_sids(mem_ctx, &q, pol, num_sids, sids, 1);
362 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_LOOKUPSIDS,
365 lsa_io_q_lookup_sids,
366 lsa_io_r_lookup_sids,
367 NT_STATUS_UNSUCCESSFUL );
369 if (!NT_STATUS_IS_OK(r.status) &&
370 !NT_STATUS_EQUAL(r.status, STATUS_SOME_UNMAPPED)) {
372 /* An actual error occured */
378 /* Return output parameters */
380 if (r.mapped_count == 0) {
381 result = NT_STATUS_NONE_MAPPED;
386 if (!((*domains) = TALLOC_ARRAY(mem_ctx, char *, num_sids))) {
387 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
388 result = NT_STATUS_NO_MEMORY;
392 if (!((*names) = TALLOC_ARRAY(mem_ctx, char *, num_sids))) {
393 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
394 result = NT_STATUS_NO_MEMORY;
398 if (!((*types) = TALLOC_ARRAY(mem_ctx, enum lsa_SidType, num_sids))) {
399 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
400 result = NT_STATUS_NO_MEMORY;
409 for (i = 0; i < num_sids; i++) {
410 fstring name, dom_name;
411 uint32 dom_idx = r.names.name[i].domain_idx;
413 /* Translate optimised name through domain index array */
415 if (dom_idx != 0xffffffff) {
417 rpcstr_pull_unistr2_fstring(
418 dom_name, &ref.ref_dom[dom_idx].uni_dom_name);
419 rpcstr_pull_unistr2_fstring(
420 name, &r.names.uni_name[i]);
422 (*names)[i] = talloc_strdup(mem_ctx, name);
423 (*domains)[i] = talloc_strdup(mem_ctx, dom_name);
424 (*types)[i] = (enum lsa_SidType)r.names.name[i].sid_name_use;
426 if (((*names)[i] == NULL) || ((*domains)[i] == NULL)) {
427 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
428 result = NT_STATUS_UNSUCCESSFUL;
434 (*domains)[i] = NULL;
435 (*types)[i] = SID_NAME_UNKNOWN;
444 /** Lookup a list of names */
446 NTSTATUS rpccli_lsa_lookup_names(struct rpc_pipe_client *cli,
448 POLICY_HND *pol, int num_names,
450 const char ***dom_names,
453 enum lsa_SidType **types)
455 prs_struct qbuf, rbuf;
456 LSA_Q_LOOKUP_NAMES q;
457 LSA_R_LOOKUP_NAMES r;
468 init_q_lookup_names(mem_ctx, &q, pol, num_names, names, level);
470 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_LOOKUPNAMES,
473 lsa_io_q_lookup_names,
474 lsa_io_r_lookup_names,
475 NT_STATUS_UNSUCCESSFUL);
479 if (!NT_STATUS_IS_OK(result) && NT_STATUS_V(result) !=
480 NT_STATUS_V(STATUS_SOME_UNMAPPED)) {
482 /* An actual error occured */
487 /* Return output parameters */
489 if (r.mapped_count == 0) {
490 result = NT_STATUS_NONE_MAPPED;
495 if (!((*sids = TALLOC_ARRAY(mem_ctx, DOM_SID, num_names)))) {
496 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
497 result = NT_STATUS_NO_MEMORY;
501 if (!((*types = TALLOC_ARRAY(mem_ctx, enum lsa_SidType, num_names)))) {
502 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
503 result = NT_STATUS_NO_MEMORY;
507 if (dom_names != NULL) {
508 *dom_names = TALLOC_ARRAY(mem_ctx, const char *, num_names);
509 if (*dom_names == NULL) {
510 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
511 result = NT_STATUS_NO_MEMORY;
518 if (dom_names != NULL) {
523 for (i = 0; i < num_names; i++) {
524 DOM_RID *t_rids = r.dom_rid;
525 uint32 dom_idx = t_rids[i].rid_idx;
526 uint32 dom_rid = t_rids[i].rid;
527 DOM_SID *sid = &(*sids)[i];
529 /* Translate optimised sid through domain index array */
531 if (dom_idx == 0xffffffff) {
532 /* Nothing to do, this is unknown */
534 (*types)[i] = SID_NAME_UNKNOWN;
538 sid_copy(sid, &ref.ref_dom[dom_idx].ref_dom.sid);
540 if (dom_rid != 0xffffffff) {
541 sid_append_rid(sid, dom_rid);
544 (*types)[i] = (enum lsa_SidType)t_rids[i].type;
546 if (dom_names == NULL) {
550 (*dom_names)[i] = rpcstr_pull_unistr2_talloc(
551 *dom_names, &ref.ref_dom[dom_idx].uni_dom_name);
559 NTSTATUS rpccli_lsa_query_info_policy_new(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
560 POLICY_HND *pol, uint16 info_class,
563 prs_struct qbuf, rbuf;
571 init_q_query(&q, pol, info_class);
573 CLI_DO_RPC(cli, mem_ctx, PI_LSARPC, LSA_QUERYINFOPOLICY,
578 NT_STATUS_UNSUCCESSFUL);
582 if (!NT_STATUS_IS_OK(result)) {
593 NTSTATUS rpccli_lsa_query_info_policy2_new(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
594 POLICY_HND *pol, uint16 info_class,
597 prs_struct qbuf, rbuf;
605 init_q_query2(&q, pol, info_class);
607 CLI_DO_RPC(cli, mem_ctx, PI_LSARPC, LSA_QUERYINFO2,
610 lsa_io_q_query_info2,
611 lsa_io_r_query_info2,
612 NT_STATUS_UNSUCCESSFUL);
616 if (!NT_STATUS_IS_OK(result)) {
629 /** Query info policy
631 * @param domain_sid - returned remote server's domain sid */
633 NTSTATUS rpccli_lsa_query_info_policy(struct rpc_pipe_client *cli,
635 POLICY_HND *pol, uint16 info_class,
636 char **domain_name, DOM_SID **domain_sid)
638 prs_struct qbuf, rbuf;
646 init_q_query(&q, pol, info_class);
648 CLI_DO_RPC(cli, mem_ctx, PI_LSARPC, LSA_QUERYINFOPOLICY,
653 NT_STATUS_UNSUCCESSFUL);
657 if (!NT_STATUS_IS_OK(result)) {
661 /* Return output parameters */
663 switch (info_class) {
666 if (domain_name && (r.ctr.info.id3.buffer_dom_name != 0)) {
667 *domain_name = unistr2_tdup(mem_ctx,
671 return NT_STATUS_NO_MEMORY;
675 if (domain_sid && (r.ctr.info.id3.buffer_dom_sid != 0)) {
676 *domain_sid = TALLOC_P(mem_ctx, DOM_SID);
678 return NT_STATUS_NO_MEMORY;
680 sid_copy(*domain_sid, &r.ctr.info.id3.dom_sid.sid);
687 if (domain_name && (r.ctr.info.id5.buffer_dom_name != 0)) {
688 *domain_name = unistr2_tdup(mem_ctx,
692 return NT_STATUS_NO_MEMORY;
696 if (domain_sid && (r.ctr.info.id5.buffer_dom_sid != 0)) {
697 *domain_sid = TALLOC_P(mem_ctx, DOM_SID);
699 return NT_STATUS_NO_MEMORY;
701 sid_copy(*domain_sid, &r.ctr.info.id5.dom_sid.sid);
706 DEBUG(3, ("unknown info class %d\n", info_class));
715 /** Query info policy2
717 * @param domain_name - returned remote server's domain name
718 * @param dns_name - returned remote server's dns domain name
719 * @param forest_name - returned remote server's forest name
720 * @param domain_guid - returned remote server's domain guid
721 * @param domain_sid - returned remote server's domain sid */
723 NTSTATUS rpccli_lsa_query_info_policy2(struct rpc_pipe_client *cli,
725 POLICY_HND *pol, uint16 info_class,
726 char **domain_name, char **dns_name,
728 struct GUID **domain_guid,
729 DOM_SID **domain_sid)
731 prs_struct qbuf, rbuf;
734 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
736 if (info_class != 12)
742 init_q_query2(&q, pol, info_class);
744 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_QUERYINFO2,
747 lsa_io_q_query_info2,
748 lsa_io_r_query_info2,
749 NT_STATUS_UNSUCCESSFUL);
753 if (!NT_STATUS_IS_OK(result)) {
757 /* Return output parameters */
759 ZERO_STRUCTP(domain_guid);
761 if (domain_name && r.ctr.info.id12.hdr_nb_dom_name.buffer) {
762 *domain_name = unistr2_tdup(mem_ctx,
766 return NT_STATUS_NO_MEMORY;
769 if (dns_name && r.ctr.info.id12.hdr_dns_dom_name.buffer) {
770 *dns_name = unistr2_tdup(mem_ctx,
774 return NT_STATUS_NO_MEMORY;
777 if (forest_name && r.ctr.info.id12.hdr_forest_name.buffer) {
778 *forest_name = unistr2_tdup(mem_ctx,
782 return NT_STATUS_NO_MEMORY;
787 *domain_guid = TALLOC_P(mem_ctx, struct GUID);
789 return NT_STATUS_NO_MEMORY;
792 &r.ctr.info.id12.dom_guid,
793 sizeof(struct GUID));
796 if (domain_sid && r.ctr.info.id12.ptr_dom_sid != 0) {
797 *domain_sid = TALLOC_P(mem_ctx, DOM_SID);
799 return NT_STATUS_NO_MEMORY;
801 sid_copy(*domain_sid,
802 &r.ctr.info.id12.dom_sid.sid);
810 NTSTATUS rpccli_lsa_set_info_policy(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
811 POLICY_HND *pol, uint16 info_class,
814 prs_struct qbuf, rbuf;
822 init_q_set(&q, pol, info_class, ctr);
824 CLI_DO_RPC(cli, mem_ctx, PI_LSARPC, LSA_SETINFOPOLICY,
829 NT_STATUS_UNSUCCESSFUL);
833 if (!NT_STATUS_IS_OK(result)) {
837 /* Return output parameters */
846 * Enumerate list of trusted domains
848 * @param cli client state (cli_state) structure of the connection
849 * @param mem_ctx memory context
850 * @param pol opened lsa policy handle
851 * @param enum_ctx enumeration context ie. index of first returned domain entry
852 * @param pref_num_domains preferred max number of entries returned in one response
853 * @param num_domains total number of trusted domains returned by response
854 * @param domain_names returned trusted domain names
855 * @param domain_sids returned trusted domain sids
857 * @return nt status code of response
860 NTSTATUS rpccli_lsa_enum_trust_dom(struct rpc_pipe_client *cli,
862 POLICY_HND *pol, uint32 *enum_ctx,
864 char ***domain_names, DOM_SID **domain_sids)
866 prs_struct qbuf, rbuf;
867 LSA_Q_ENUM_TRUST_DOM in;
868 LSA_R_ENUM_TRUST_DOM out;
875 /* 64k is enough for about 2000 trusted domains */
877 init_q_enum_trust_dom(&in, pol, *enum_ctx, 0x10000);
879 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_ENUMTRUSTDOM,
882 lsa_io_q_enum_trust_dom,
883 lsa_io_r_enum_trust_dom,
884 NT_STATUS_UNSUCCESSFUL );
887 /* check for an actual error */
889 if ( !NT_STATUS_IS_OK(out.status)
890 && !NT_STATUS_EQUAL(out.status, NT_STATUS_NO_MORE_ENTRIES)
891 && !NT_STATUS_EQUAL(out.status, STATUS_MORE_ENTRIES) )
896 /* Return output parameters */
898 *num_domains = out.count;
899 *enum_ctx = out.enum_context;
903 /* Allocate memory for trusted domain names and sids */
905 if ( !(*domain_names = TALLOC_ARRAY(mem_ctx, char *, out.count)) ) {
906 DEBUG(0, ("cli_lsa_enum_trust_dom(): out of memory\n"));
907 return NT_STATUS_NO_MEMORY;
910 if ( !(*domain_sids = TALLOC_ARRAY(mem_ctx, DOM_SID, out.count)) ) {
911 DEBUG(0, ("cli_lsa_enum_trust_dom(): out of memory\n"));
912 return NT_STATUS_NO_MEMORY;
915 /* Copy across names and sids */
917 for (i = 0; i < out.count; i++) {
919 rpcstr_pull( tmp, out.domlist->domains[i].name.string->buffer,
920 sizeof(tmp), out.domlist->domains[i].name.length, 0);
921 (*domain_names)[i] = talloc_strdup(mem_ctx, tmp);
923 sid_copy(&(*domain_sids)[i], &out.domlist->domains[i].sid->sid );
930 /** Enumerate privileges*/
932 NTSTATUS rpccli_lsa_enum_privilege(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
933 POLICY_HND *pol, uint32 *enum_context, uint32 pref_max_length,
934 uint32 *count, char ***privs_name, uint32 **privs_high, uint32 **privs_low)
936 prs_struct qbuf, rbuf;
945 init_q_enum_privs(&q, pol, *enum_context, pref_max_length);
947 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_ENUM_PRIVS,
952 NT_STATUS_UNSUCCESSFUL);
956 if (!NT_STATUS_IS_OK(result)) {
960 /* Return output parameters */
962 *enum_context = r.enum_context;
966 if (!((*privs_name = TALLOC_ARRAY(mem_ctx, char *, r.count)))) {
967 DEBUG(0, ("(cli_lsa_enum_privilege): out of memory\n"));
968 result = NT_STATUS_UNSUCCESSFUL;
972 if (!((*privs_high = TALLOC_ARRAY(mem_ctx, uint32, r.count)))) {
973 DEBUG(0, ("(cli_lsa_enum_privilege): out of memory\n"));
974 result = NT_STATUS_UNSUCCESSFUL;
978 if (!((*privs_low = TALLOC_ARRAY(mem_ctx, uint32, r.count)))) {
979 DEBUG(0, ("(cli_lsa_enum_privilege): out of memory\n"));
980 result = NT_STATUS_UNSUCCESSFUL;
989 for (i = 0; i < r.count; i++) {
992 rpcstr_pull_unistr2_fstring( name, &r.privs[i].name);
994 (*privs_name)[i] = talloc_strdup(mem_ctx, name);
996 (*privs_high)[i] = r.privs[i].luid_high;
997 (*privs_low)[i] = r.privs[i].luid_low;
1005 /** Get privilege name */
1007 NTSTATUS rpccli_lsa_get_dispname(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1008 POLICY_HND *pol, const char *name,
1009 uint16 lang_id, uint16 lang_id_sys,
1010 fstring description, uint16 *lang_id_desc)
1012 prs_struct qbuf, rbuf;
1013 LSA_Q_PRIV_GET_DISPNAME q;
1014 LSA_R_PRIV_GET_DISPNAME r;
1020 init_lsa_priv_get_dispname(&q, pol, name, lang_id, lang_id_sys);
1022 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_PRIV_GET_DISPNAME,
1025 lsa_io_q_priv_get_dispname,
1026 lsa_io_r_priv_get_dispname,
1027 NT_STATUS_UNSUCCESSFUL);
1031 if (!NT_STATUS_IS_OK(result)) {
1035 /* Return output parameters */
1037 rpcstr_pull_unistr2_fstring(description , &r.desc);
1038 *lang_id_desc = r.lang_id;
1045 /** Enumerate list of SIDs */
1047 NTSTATUS rpccli_lsa_enum_sids(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1048 POLICY_HND *pol, uint32 *enum_ctx, uint32 pref_max_length,
1049 uint32 *num_sids, DOM_SID **sids)
1051 prs_struct qbuf, rbuf;
1052 LSA_Q_ENUM_ACCOUNTS q;
1053 LSA_R_ENUM_ACCOUNTS r;
1060 init_lsa_q_enum_accounts(&q, pol, *enum_ctx, pref_max_length);
1062 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_ENUM_ACCOUNTS,
1065 lsa_io_q_enum_accounts,
1066 lsa_io_r_enum_accounts,
1067 NT_STATUS_UNSUCCESSFUL);
1071 if (!NT_STATUS_IS_OK(result)) {
1075 if (r.sids.num_entries==0)
1078 /* Return output parameters */
1080 *sids = TALLOC_ARRAY(mem_ctx, DOM_SID, r.sids.num_entries);
1082 DEBUG(0, ("(cli_lsa_enum_sids): out of memory\n"));
1083 result = NT_STATUS_UNSUCCESSFUL;
1087 /* Copy across names and sids */
1089 for (i = 0; i < r.sids.num_entries; i++) {
1090 sid_copy(&(*sids)[i], &r.sids.sid[i].sid);
1093 *num_sids= r.sids.num_entries;
1094 *enum_ctx = r.enum_context;
1101 /** Create a LSA user handle
1103 * @param cli Handle on an initialised SMB connection
1105 * FIXME: The code is actually identical to open account
1106 * TODO: Check and code what the function should exactly do
1110 NTSTATUS rpccli_lsa_create_account(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1111 POLICY_HND *dom_pol, DOM_SID *sid, uint32 desired_access,
1112 POLICY_HND *user_pol)
1114 prs_struct qbuf, rbuf;
1115 LSA_Q_CREATEACCOUNT q;
1116 LSA_R_CREATEACCOUNT r;
1122 /* Initialise input parameters */
1124 init_lsa_q_create_account(&q, dom_pol, sid, desired_access);
1126 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_CREATEACCOUNT,
1129 lsa_io_q_create_account,
1130 lsa_io_r_create_account,
1131 NT_STATUS_UNSUCCESSFUL);
1133 /* Return output parameters */
1137 if (NT_STATUS_IS_OK(result)) {
1144 /** Open a LSA user handle
1146 * @param cli Handle on an initialised SMB connection */
1148 NTSTATUS rpccli_lsa_open_account(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1149 POLICY_HND *dom_pol, DOM_SID *sid, uint32 des_access,
1150 POLICY_HND *user_pol)
1152 prs_struct qbuf, rbuf;
1153 LSA_Q_OPENACCOUNT q;
1154 LSA_R_OPENACCOUNT r;
1160 /* Initialise input parameters */
1162 init_lsa_q_open_account(&q, dom_pol, sid, des_access);
1164 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_OPENACCOUNT,
1167 lsa_io_q_open_account,
1168 lsa_io_r_open_account,
1169 NT_STATUS_UNSUCCESSFUL);
1171 /* Return output parameters */
1175 if (NT_STATUS_IS_OK(result)) {
1182 /** Enumerate user privileges
1184 * @param cli Handle on an initialised SMB connection */
1186 NTSTATUS rpccli_lsa_enum_privsaccount(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1187 POLICY_HND *pol, uint32 *count, LUID_ATTR **set)
1189 prs_struct qbuf, rbuf;
1190 LSA_Q_ENUMPRIVSACCOUNT q;
1191 LSA_R_ENUMPRIVSACCOUNT r;
1198 /* Initialise input parameters */
1200 init_lsa_q_enum_privsaccount(&q, pol);
1202 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_ENUMPRIVSACCOUNT,
1205 lsa_io_q_enum_privsaccount,
1206 lsa_io_r_enum_privsaccount,
1207 NT_STATUS_UNSUCCESSFUL);
1209 /* Return output parameters */
1213 if (!NT_STATUS_IS_OK(result)) {
1220 if (!((*set = TALLOC_ARRAY(mem_ctx, LUID_ATTR, r.count)))) {
1221 DEBUG(0, ("(cli_lsa_enum_privsaccount): out of memory\n"));
1222 result = NT_STATUS_UNSUCCESSFUL;
1226 for (i=0; i<r.count; i++) {
1227 (*set)[i].luid.low = r.set.set[i].luid.low;
1228 (*set)[i].luid.high = r.set.set[i].luid.high;
1229 (*set)[i].attr = r.set.set[i].attr;
1238 /** Get a privilege value given its name */
1240 NTSTATUS rpccli_lsa_lookup_priv_value(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1241 POLICY_HND *pol, const char *name, LUID *luid)
1243 prs_struct qbuf, rbuf;
1244 LSA_Q_LOOKUP_PRIV_VALUE q;
1245 LSA_R_LOOKUP_PRIV_VALUE r;
1251 /* Marshall data and send request */
1253 init_lsa_q_lookup_priv_value(&q, pol, name);
1255 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_LOOKUPPRIVVALUE,
1258 lsa_io_q_lookup_priv_value,
1259 lsa_io_r_lookup_priv_value,
1260 NT_STATUS_UNSUCCESSFUL);
1264 if (!NT_STATUS_IS_OK(result)) {
1268 /* Return output parameters */
1270 (*luid).low=r.luid.low;
1271 (*luid).high=r.luid.high;
1278 /** Query LSA security object */
1280 NTSTATUS rpccli_lsa_query_secobj(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1281 POLICY_HND *pol, uint32 sec_info,
1282 SEC_DESC_BUF **psdb)
1284 prs_struct qbuf, rbuf;
1285 LSA_Q_QUERY_SEC_OBJ q;
1286 LSA_R_QUERY_SEC_OBJ r;
1292 /* Marshall data and send request */
1294 init_q_query_sec_obj(&q, pol, sec_info);
1296 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_QUERYSECOBJ,
1299 lsa_io_q_query_sec_obj,
1300 lsa_io_r_query_sec_obj,
1301 NT_STATUS_UNSUCCESSFUL);
1305 if (!NT_STATUS_IS_OK(result)) {
1309 /* Return output parameters */
1320 /* Enumerate account rights This is similar to enum_privileges but
1321 takes a SID directly, avoiding the open_account call.
1324 NTSTATUS rpccli_lsa_enum_account_rights(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1325 POLICY_HND *pol, DOM_SID *sid,
1326 uint32 *count, char ***priv_names)
1328 prs_struct qbuf, rbuf;
1329 LSA_Q_ENUM_ACCT_RIGHTS q;
1330 LSA_R_ENUM_ACCT_RIGHTS r;
1333 fstring *privileges;
1339 /* Marshall data and send request */
1340 init_q_enum_acct_rights(&q, pol, 2, sid);
1342 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_ENUMACCTRIGHTS,
1345 lsa_io_q_enum_acct_rights,
1346 lsa_io_r_enum_acct_rights,
1347 NT_STATUS_UNSUCCESSFUL);
1351 if (!NT_STATUS_IS_OK(result)) {
1361 privileges = TALLOC_ARRAY( mem_ctx, fstring, *count );
1362 names = TALLOC_ARRAY( mem_ctx, char *, *count );
1364 if ((privileges == NULL) || (names == NULL)) {
1365 TALLOC_FREE(privileges);
1367 return NT_STATUS_NO_MEMORY;
1370 for ( i=0; i<*count; i++ ) {
1371 UNISTR4 *uni_string = &r.rights->strings[i];
1373 if ( !uni_string->string )
1376 rpcstr_pull( privileges[i], uni_string->string->buffer, sizeof(privileges[i]), -1, STR_TERMINATE );
1378 /* now copy to the return array */
1379 names[i] = talloc_strdup( mem_ctx, privileges[i] );
1382 *priv_names = names;
1391 /* add account rights to an account. */
1393 NTSTATUS rpccli_lsa_add_account_rights(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1394 POLICY_HND *pol, DOM_SID sid,
1395 uint32 count, const char **privs_name)
1397 prs_struct qbuf, rbuf;
1398 LSA_Q_ADD_ACCT_RIGHTS q;
1399 LSA_R_ADD_ACCT_RIGHTS r;
1405 /* Marshall data and send request */
1406 init_q_add_acct_rights(&q, pol, &sid, count, privs_name);
1408 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_ADDACCTRIGHTS,
1411 lsa_io_q_add_acct_rights,
1412 lsa_io_r_add_acct_rights,
1413 NT_STATUS_UNSUCCESSFUL);
1417 if (!NT_STATUS_IS_OK(result)) {
1426 /* remove account rights for an account. */
1428 NTSTATUS rpccli_lsa_remove_account_rights(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1429 POLICY_HND *pol, DOM_SID sid, BOOL removeall,
1430 uint32 count, const char **privs_name)
1432 prs_struct qbuf, rbuf;
1433 LSA_Q_REMOVE_ACCT_RIGHTS q;
1434 LSA_R_REMOVE_ACCT_RIGHTS r;
1440 /* Marshall data and send request */
1441 init_q_remove_acct_rights(&q, pol, &sid, removeall?1:0, count, privs_name);
1443 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_REMOVEACCTRIGHTS,
1446 lsa_io_q_remove_acct_rights,
1447 lsa_io_r_remove_acct_rights,
1448 NT_STATUS_UNSUCCESSFUL);
1452 if (!NT_STATUS_IS_OK(result)) {
1463 /** An example of how to use the routines in this file. Fetch a DOMAIN
1464 sid. Does complete cli setup / teardown anonymously. */
1466 BOOL fetch_domain_sid( char *domain, char *remote_machine, DOM_SID *psid)
1468 extern pstring global_myname;
1469 struct cli_state *cli;
1475 if((cli = cli_initialise()) == NULL) {
1476 DEBUG(0,("fetch_domain_sid: unable to initialize client connection.\n"));
1480 if(!resolve_name( remote_machine, &cli->dest_ip, 0x20)) {
1481 DEBUG(0,("fetch_domain_sid: Can't resolve address for %s\n", remote_machine));
1485 if (!cli_connect(cli, remote_machine, &cli->dest_ip)) {
1486 DEBUG(0,("fetch_domain_sid: unable to connect to SMB server on \
1487 machine %s. Error was : %s.\n", remote_machine, cli_errstr(cli) ));
1491 if (!attempt_netbios_session_request(cli, global_myname, remote_machine, &cli->dest_ip)) {
1492 DEBUG(0,("fetch_domain_sid: machine %s rejected the NetBIOS session request.\n",
1497 cli->protocol = PROTOCOL_NT1;
1499 if (!cli_negprot(cli)) {
1500 DEBUG(0,("fetch_domain_sid: machine %s rejected the negotiate protocol. \
1501 Error was : %s.\n", remote_machine, cli_errstr(cli) ));
1505 if (cli->protocol != PROTOCOL_NT1) {
1506 DEBUG(0,("fetch_domain_sid: machine %s didn't negotiate NT protocol.\n",
1512 * Do an anonymous session setup.
1515 if (!cli_session_setup(cli, "", "", 0, "", 0, "")) {
1516 DEBUG(0,("fetch_domain_sid: machine %s rejected the session setup. \
1517 Error was : %s.\n", remote_machine, cli_errstr(cli) ));
1521 if (!(cli->sec_mode & NEGOTIATE_SECURITY_USER_LEVEL)) {
1522 DEBUG(0,("fetch_domain_sid: machine %s isn't in user level security mode\n",
1527 if (!cli_send_tconX(cli, "IPC$", "IPC", "", 1)) {
1528 DEBUG(0,("fetch_domain_sid: machine %s rejected the tconX on the IPC$ share. \
1529 Error was : %s.\n", remote_machine, cli_errstr(cli) ));
1533 /* Fetch domain sid */
1535 if (!cli_nt_session_open(cli, PI_LSARPC)) {
1536 DEBUG(0, ("fetch_domain_sid: Error connecting to SAM pipe\n"));
1540 result = cli_lsa_open_policy(cli, cli->mem_ctx, True, SEC_RIGHTS_QUERY_VALUE, &lsa_pol);
1541 if (!NT_STATUS_IS_OK(result)) {
1542 DEBUG(0, ("fetch_domain_sid: Error opening lsa policy handle. %s\n",
1543 nt_errstr(result) ));
1547 result = cli_lsa_query_info_policy(cli, cli->mem_ctx, &lsa_pol, 5, domain, psid);
1548 if (!NT_STATUS_IS_OK(result)) {
1549 DEBUG(0, ("fetch_domain_sid: Error querying lsa policy handle. %s\n",
1550 nt_errstr(result) ));
1564 NTSTATUS rpccli_lsa_open_trusted_domain(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1565 POLICY_HND *pol, DOM_SID *dom_sid, uint32 access_mask,
1566 POLICY_HND *trustdom_pol)
1568 prs_struct qbuf, rbuf;
1569 LSA_Q_OPEN_TRUSTED_DOMAIN q;
1570 LSA_R_OPEN_TRUSTED_DOMAIN r;
1576 /* Initialise input parameters */
1578 init_lsa_q_open_trusted_domain(&q, pol, dom_sid, access_mask);
1580 /* Marshall data and send request */
1582 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_OPENTRUSTDOM,
1585 lsa_io_q_open_trusted_domain,
1586 lsa_io_r_open_trusted_domain,
1587 NT_STATUS_UNSUCCESSFUL);
1589 /* Return output parameters */
1593 if (NT_STATUS_IS_OK(result)) {
1594 *trustdom_pol = r.handle;
1600 NTSTATUS rpccli_lsa_query_trusted_domain_info(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1603 LSA_TRUSTED_DOMAIN_INFO **info)
1605 prs_struct qbuf, rbuf;
1606 LSA_Q_QUERY_TRUSTED_DOMAIN_INFO q;
1607 LSA_R_QUERY_TRUSTED_DOMAIN_INFO r;
1608 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1613 /* Marshall data and send request */
1615 init_q_query_trusted_domain_info(&q, pol, info_class);
1617 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_QUERYTRUSTDOMINFO,
1620 lsa_io_q_query_trusted_domain_info,
1621 lsa_io_r_query_trusted_domain_info,
1622 NT_STATUS_UNSUCCESSFUL);
1626 if (!NT_STATUS_IS_OK(result)) {
1636 NTSTATUS rpccli_lsa_open_trusted_domain_by_name(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1637 POLICY_HND *pol, const char *name, uint32 access_mask,
1638 POLICY_HND *trustdom_pol)
1640 prs_struct qbuf, rbuf;
1641 LSA_Q_OPEN_TRUSTED_DOMAIN_BY_NAME q;
1642 LSA_R_OPEN_TRUSTED_DOMAIN_BY_NAME r;
1648 /* Initialise input parameters */
1650 init_lsa_q_open_trusted_domain_by_name(&q, pol, name, access_mask);
1652 /* Marshall data and send request */
1654 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_OPENTRUSTDOMBYNAME,
1657 lsa_io_q_open_trusted_domain_by_name,
1658 lsa_io_r_open_trusted_domain_by_name,
1659 NT_STATUS_UNSUCCESSFUL);
1661 /* Return output parameters */
1665 if (NT_STATUS_IS_OK(result)) {
1666 *trustdom_pol = r.handle;
1673 NTSTATUS rpccli_lsa_query_trusted_domain_info_by_sid(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1675 uint16 info_class, DOM_SID *dom_sid,
1676 LSA_TRUSTED_DOMAIN_INFO **info)
1678 prs_struct qbuf, rbuf;
1679 LSA_Q_QUERY_TRUSTED_DOMAIN_INFO_BY_SID q;
1680 LSA_R_QUERY_TRUSTED_DOMAIN_INFO r;
1681 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1686 /* Marshall data and send request */
1688 init_q_query_trusted_domain_info_by_sid(&q, pol, info_class, dom_sid);
1690 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_QUERYTRUSTDOMINFOBYSID,
1693 lsa_io_q_query_trusted_domain_info_by_sid,
1694 lsa_io_r_query_trusted_domain_info,
1695 NT_STATUS_UNSUCCESSFUL);
1699 if (!NT_STATUS_IS_OK(result)) {
1710 NTSTATUS rpccli_lsa_query_trusted_domain_info_by_name(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1712 uint16 info_class, const char *domain_name,
1713 LSA_TRUSTED_DOMAIN_INFO **info)
1715 prs_struct qbuf, rbuf;
1716 LSA_Q_QUERY_TRUSTED_DOMAIN_INFO_BY_NAME q;
1717 LSA_R_QUERY_TRUSTED_DOMAIN_INFO r;
1718 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1723 /* Marshall data and send request */
1725 init_q_query_trusted_domain_info_by_name(&q, pol, info_class, domain_name);
1727 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_QUERYTRUSTDOMINFOBYNAME,
1730 lsa_io_q_query_trusted_domain_info_by_name,
1731 lsa_io_r_query_trusted_domain_info,
1732 NT_STATUS_UNSUCCESSFUL);
1736 if (!NT_STATUS_IS_OK(result)) {
1747 NTSTATUS cli_lsa_query_domain_info_policy(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1749 uint16 info_class, LSA_DOM_INFO_UNION **info)
1751 prs_struct qbuf, rbuf;
1752 LSA_Q_QUERY_DOM_INFO_POLICY q;
1753 LSA_R_QUERY_DOM_INFO_POLICY r;
1754 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1759 /* Marshall data and send request */
1761 init_q_query_dom_info(&q, pol, info_class);
1763 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_QUERYDOMINFOPOL,
1766 lsa_io_q_query_dom_info,
1767 lsa_io_r_query_dom_info,
1768 NT_STATUS_UNSUCCESSFUL);
1772 if (!NT_STATUS_IS_OK(result)) {