s3-rpcclient: add lookupnames4 command.
[ira/wip.git] / source3 / rpcclient / cmd_lsarpc.c
1 /*
2    Unix SMB/CIFS implementation.
3    RPC pipe client
4
5    Copyright (C) Tim Potter              2000
6    Copyright (C) Rafal Szczesniak        2002
7    Copyright (C) Guenther Deschner       2008
8
9    This program is free software; you can redistribute it and/or modify
10    it under the terms of the GNU General Public License as published by
11    the Free Software Foundation; either version 3 of the License, or
12    (at your option) any later version.
13    
14    This program is distributed in the hope that it will be useful,
15    but WITHOUT ANY WARRANTY; without even the implied warranty of
16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17    GNU General Public License for more details.
18    
19    You should have received a copy of the GNU General Public License
20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "rpcclient.h"
25 #include "../libcli/auth/libcli_auth.h"
26
27 /* useful function to allow entering a name instead of a SID and
28  * looking it up automatically */
29 static NTSTATUS name_to_sid(struct rpc_pipe_client *cli, 
30                             TALLOC_CTX *mem_ctx,
31                             DOM_SID *sid, const char *name)
32 {
33         struct policy_handle pol;
34         enum lsa_SidType *sid_types;
35         NTSTATUS result;
36         DOM_SID *sids;
37
38         /* maybe its a raw SID */
39         if (strncmp(name, "S-", 2) == 0 &&
40             string_to_sid(sid, name)) {
41                 return NT_STATUS_OK;
42         }
43
44         result = rpccli_lsa_open_policy(cli, mem_ctx, True, 
45                                      SEC_FLAG_MAXIMUM_ALLOWED,
46                                      &pol);
47         if (!NT_STATUS_IS_OK(result))
48                 goto done;
49
50         result = rpccli_lsa_lookup_names(cli, mem_ctx, &pol, 1, &name, NULL, 1, &sids, &sid_types);
51         if (!NT_STATUS_IS_OK(result))
52                 goto done;
53
54         rpccli_lsa_Close(cli, mem_ctx, &pol);
55
56         *sid = sids[0];
57
58 done:
59         return result;
60 }
61
62 static void display_query_info_1(struct lsa_AuditLogInfo *r)
63 {
64         d_printf("percent_full:\t%d\n", r->percent_full);
65         d_printf("maximum_log_size:\t%d\n", r->maximum_log_size);
66         d_printf("retention_time:\t%lld\n", (long long)r->retention_time);
67         d_printf("shutdown_in_progress:\t%d\n", r->shutdown_in_progress);
68         d_printf("time_to_shutdown:\t%lld\n", (long long)r->time_to_shutdown);
69         d_printf("next_audit_record:\t%d\n", r->next_audit_record);
70 }
71
72 static void display_query_info_2(struct lsa_AuditEventsInfo *r)
73 {
74         int i;
75         d_printf("Auditing enabled:\t%d\n", r->auditing_mode);
76         d_printf("Auditing categories:\t%d\n", r->count);
77         d_printf("Auditsettings:\n");
78         for (i=0; i<r->count; i++) {
79                 const char *val = audit_policy_str(talloc_tos(), r->settings[i]);
80                 const char *policy = audit_description_str(i);
81                 d_printf("%s:\t%s\n", policy, val);
82         }
83 }
84
85 static void display_query_info_3(struct lsa_DomainInfo *r)
86 {
87         d_printf("Domain Name: %s\n", r->name.string);
88         d_printf("Domain Sid: %s\n", sid_string_tos(r->sid));
89 }
90
91 static void display_query_info_5(struct lsa_DomainInfo *r)
92 {
93         d_printf("Domain Name: %s\n", r->name.string);
94         d_printf("Domain Sid: %s\n", sid_string_tos(r->sid));
95 }
96
97 static void display_query_info_10(struct lsa_AuditFullSetInfo *r)
98 {
99         d_printf("Shutdown on full: %d\n", r->shutdown_on_full);
100 }
101
102 static void display_query_info_11(struct lsa_AuditFullQueryInfo *r)
103 {
104         d_printf("Shutdown on full: %d\n", r->shutdown_on_full);
105         d_printf("Log is full: %d\n", r->log_is_full);
106 }
107
108 static void display_query_info_12(struct lsa_DnsDomainInfo *r)
109 {
110         d_printf("Domain NetBios Name: %s\n", r->name.string);
111         d_printf("Domain DNS Name: %s\n", r->dns_domain.string);
112         d_printf("Domain Forest Name: %s\n", r->dns_forest.string);
113         d_printf("Domain Sid: %s\n", sid_string_tos(r->sid));
114         d_printf("Domain GUID: %s\n", GUID_string(talloc_tos(),
115                                                       &r->domain_guid));
116 }
117
118 static void display_lsa_query_info(union lsa_PolicyInformation *info,
119                                    enum lsa_PolicyInfo level)
120 {
121         switch (level) {
122                 case 1:
123                         display_query_info_1(&info->audit_log);
124                         break;
125                 case 2:
126                         display_query_info_2(&info->audit_events);
127                         break;
128                 case 3:
129                         display_query_info_3(&info->domain);
130                         break;
131                 case 5:
132                         display_query_info_5(&info->account_domain);
133                         break;
134                 case 10:
135                         display_query_info_10(&info->auditfullset);
136                         break;
137                 case 11:
138                         display_query_info_11(&info->auditfullquery);
139                         break;
140                 case 12:
141                         display_query_info_12(&info->dns);
142                         break;
143                 default:
144                         printf("can't display info level: %d\n", level);
145                         break;
146         }
147 }
148
149 static NTSTATUS cmd_lsa_query_info_policy(struct rpc_pipe_client *cli, 
150                                           TALLOC_CTX *mem_ctx, int argc, 
151                                           const char **argv) 
152 {
153         struct policy_handle pol;
154         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
155         union lsa_PolicyInformation *info = NULL;
156
157         uint32 info_class = 3;
158
159         if (argc > 2) {
160                 printf("Usage: %s [info_class]\n", argv[0]);
161                 return NT_STATUS_OK;
162         }
163
164         if (argc == 2)
165                 info_class = atoi(argv[1]);
166
167         switch (info_class) {
168         case 12:
169                 result = rpccli_lsa_open_policy2(cli, mem_ctx, True, 
170                                                  SEC_FLAG_MAXIMUM_ALLOWED,
171                                                  &pol);
172
173                 if (!NT_STATUS_IS_OK(result))
174                         goto done;
175                         
176                 result = rpccli_lsa_QueryInfoPolicy2(cli, mem_ctx,
177                                                      &pol,
178                                                      info_class,
179                                                      &info);
180                 break;
181         default:
182                 result = rpccli_lsa_open_policy(cli, mem_ctx, True, 
183                                                 SEC_FLAG_MAXIMUM_ALLOWED,
184                                                 &pol);
185
186                 if (!NT_STATUS_IS_OK(result))
187                         goto done;
188                 
189                 result = rpccli_lsa_QueryInfoPolicy(cli, mem_ctx,
190                                                     &pol,
191                                                     info_class,
192                                                     &info);
193         }
194
195         if (NT_STATUS_IS_OK(result)) {
196                 display_lsa_query_info(info, info_class);
197         }
198
199         rpccli_lsa_Close(cli, mem_ctx, &pol);
200
201  done:
202         return result;
203 }
204
205 /* Resolve a list of names to a list of sids */
206
207 static NTSTATUS cmd_lsa_lookup_names(struct rpc_pipe_client *cli, 
208                                      TALLOC_CTX *mem_ctx, int argc, 
209                                      const char **argv)
210 {
211         struct policy_handle pol;
212         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
213         DOM_SID *sids;
214         enum lsa_SidType *types;
215         int i;
216
217         if (argc == 1) {
218                 printf("Usage: %s [name1 [name2 [...]]]\n", argv[0]);
219                 return NT_STATUS_OK;
220         }
221
222         result = rpccli_lsa_open_policy(cli, mem_ctx, True, 
223                                      SEC_FLAG_MAXIMUM_ALLOWED,
224                                      &pol);
225
226         if (!NT_STATUS_IS_OK(result))
227                 goto done;
228
229         result = rpccli_lsa_lookup_names(cli, mem_ctx, &pol, argc - 1, 
230                                       (const char**)(argv + 1), NULL, 1, &sids, &types);
231
232         if (!NT_STATUS_IS_OK(result) && NT_STATUS_V(result) != 
233             NT_STATUS_V(STATUS_SOME_UNMAPPED))
234                 goto done;
235
236         result = NT_STATUS_OK;
237
238         /* Print results */
239
240         for (i = 0; i < (argc - 1); i++) {
241                 fstring sid_str;
242                 sid_to_fstring(sid_str, &sids[i]);
243                 printf("%s %s (%s: %d)\n", argv[i + 1], sid_str,
244                        sid_type_lookup(types[i]), types[i]);
245         }
246
247         rpccli_lsa_Close(cli, mem_ctx, &pol);
248
249  done:
250         return result;
251 }
252
253 /* Resolve a list of names to a list of sids */
254
255 static NTSTATUS cmd_lsa_lookup_names_level(struct rpc_pipe_client *cli, 
256                                            TALLOC_CTX *mem_ctx, int argc, 
257                                            const char **argv)
258 {
259         struct policy_handle pol;
260         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
261         DOM_SID *sids;
262         enum lsa_SidType *types;
263         int i, level;
264
265         if (argc < 3) {
266                 printf("Usage: %s [level] [name1 [name2 [...]]]\n", argv[0]);
267                 return NT_STATUS_OK;
268         }
269
270         result = rpccli_lsa_open_policy(cli, mem_ctx, True, 
271                                      SEC_FLAG_MAXIMUM_ALLOWED,
272                                      &pol);
273
274         if (!NT_STATUS_IS_OK(result))
275                 goto done;
276
277         level = atoi(argv[1]);
278
279         result = rpccli_lsa_lookup_names(cli, mem_ctx, &pol, argc - 2, 
280                                       (const char**)(argv + 2), NULL, level, &sids, &types);
281
282         if (!NT_STATUS_IS_OK(result) && NT_STATUS_V(result) != 
283             NT_STATUS_V(STATUS_SOME_UNMAPPED))
284                 goto done;
285
286         result = NT_STATUS_OK;
287
288         /* Print results */
289
290         for (i = 0; i < (argc - 2); i++) {
291                 fstring sid_str;
292                 sid_to_fstring(sid_str, &sids[i]);
293                 printf("%s %s (%s: %d)\n", argv[i + 2], sid_str,
294                        sid_type_lookup(types[i]), types[i]);
295         }
296
297         rpccli_lsa_Close(cli, mem_ctx, &pol);
298
299  done:
300         return result;
301 }
302
303 static NTSTATUS cmd_lsa_lookup_names4(struct rpc_pipe_client *cli,
304                                       TALLOC_CTX *mem_ctx, int argc,
305                                       const char **argv)
306 {
307         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
308
309         uint32_t num_names;
310         struct lsa_String *names;
311         struct lsa_RefDomainList *domains;
312         struct lsa_TransSidArray3 sids;
313         uint32_t count = 0;
314         int i;
315
316         if (argc == 1) {
317                 printf("Usage: %s [name1 [name2 [...]]]\n", argv[0]);
318                 return NT_STATUS_OK;
319         }
320
321         ZERO_STRUCT(sids);
322
323         num_names = argc-1;
324         names = talloc_array(mem_ctx, struct lsa_String, num_names);
325         NT_STATUS_HAVE_NO_MEMORY(names);
326
327         for (i=0; i < num_names; i++) {
328                 init_lsa_String(&names[i], argv[i+1]);
329         }
330
331         result = rpccli_lsa_LookupNames4(cli, mem_ctx,
332                                          num_names,
333                                          names,
334                                          &domains,
335                                          &sids,
336                                          1,
337                                          &count,
338                                          0,
339                                          0);
340         if (!NT_STATUS_IS_OK(result)) {
341                 return result;
342         }
343
344         for (i = 0; i < sids.count; i++) {
345                 fstring sid_str;
346                 sid_to_fstring(sid_str, sids.sids[i].sid);
347                 printf("%s %s (%s: %d)\n", argv[i+1], sid_str,
348                        sid_type_lookup(sids.sids[i].sid_type),
349                        sids.sids[i].sid_type);
350         }
351
352         return result;
353 }
354
355 /* Resolve a list of SIDs to a list of names */
356
357 static NTSTATUS cmd_lsa_lookup_sids(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
358                                     int argc, const char **argv)
359 {
360         struct policy_handle pol;
361         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
362         DOM_SID *sids;
363         char **domains;
364         char **names;
365         enum lsa_SidType *types;
366         int i;
367
368         if (argc == 1) {
369                 printf("Usage: %s [sid1 [sid2 [...]]]\n", argv[0]);
370                 return NT_STATUS_OK;
371         }
372
373         result = rpccli_lsa_open_policy(cli, mem_ctx, True, 
374                                      SEC_FLAG_MAXIMUM_ALLOWED,
375                                      &pol);
376
377         if (!NT_STATUS_IS_OK(result))
378                 goto done;
379
380         /* Convert arguments to sids */
381
382         sids = TALLOC_ARRAY(mem_ctx, DOM_SID, argc - 1);
383
384         if (!sids) {
385                 printf("could not allocate memory for %d sids\n", argc - 1);
386                 goto done;
387         }
388
389         for (i = 0; i < argc - 1; i++) 
390                 if (!string_to_sid(&sids[i], argv[i + 1])) {
391                         result = NT_STATUS_INVALID_SID;
392                         goto done;
393                 }
394
395         /* Lookup the SIDs */
396
397         result = rpccli_lsa_lookup_sids(cli, mem_ctx, &pol, argc - 1, sids, 
398                                      &domains, &names, &types);
399
400         if (!NT_STATUS_IS_OK(result) && NT_STATUS_V(result) != 
401             NT_STATUS_V(STATUS_SOME_UNMAPPED))
402                 goto done;
403
404         result = NT_STATUS_OK;
405
406         /* Print results */
407
408         for (i = 0; i < (argc - 1); i++) {
409                 fstring sid_str;
410
411                 sid_to_fstring(sid_str, &sids[i]);
412                 printf("%s %s\\%s (%d)\n", sid_str, 
413                        domains[i] ? domains[i] : "*unknown*", 
414                        names[i] ? names[i] : "*unknown*", types[i]);
415         }
416
417         rpccli_lsa_Close(cli, mem_ctx, &pol);
418
419  done:
420         return result;
421 }
422
423 /* Enumerate list of trusted domains */
424
425 static NTSTATUS cmd_lsa_enum_trust_dom(struct rpc_pipe_client *cli, 
426                                        TALLOC_CTX *mem_ctx, int argc, 
427                                        const char **argv)
428 {
429         struct policy_handle pol;
430         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
431         struct lsa_DomainList domain_list;
432
433         /* defaults, but may be changed using params */
434         uint32 enum_ctx = 0;
435         int i;
436         uint32_t max_size = (uint32_t)-1;
437
438         if (argc > 2) {
439                 printf("Usage: %s [enum context (0)]\n", argv[0]);
440                 return NT_STATUS_OK;
441         }
442
443         if (argc == 2 && argv[1]) {
444                 enum_ctx = atoi(argv[2]);
445         }       
446
447         result = rpccli_lsa_open_policy(cli, mem_ctx, True, 
448                                      LSA_POLICY_VIEW_LOCAL_INFORMATION,
449                                      &pol);
450
451         if (!NT_STATUS_IS_OK(result))
452                 goto done;
453
454         result = STATUS_MORE_ENTRIES;
455
456         while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES)) {
457
458                 /* Lookup list of trusted domains */
459
460                 result = rpccli_lsa_EnumTrustDom(cli, mem_ctx,
461                                                  &pol,
462                                                  &enum_ctx,
463                                                  &domain_list,
464                                                  max_size);
465                 if (!NT_STATUS_IS_OK(result) &&
466                     !NT_STATUS_EQUAL(result, NT_STATUS_NO_MORE_ENTRIES) &&
467                     !NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES))
468                         goto done;
469
470                 /* Print results: list of names and sids returned in this
471                  * response. */  
472                 for (i = 0; i < domain_list.count; i++) {
473                         fstring sid_str;
474
475                         sid_to_fstring(sid_str, domain_list.domains[i].sid);
476                         printf("%s %s\n",
477                                 domain_list.domains[i].name.string ?
478                                 domain_list.domains[i].name.string : "*unknown*",
479                                 sid_str);
480                 }
481         }
482
483         rpccli_lsa_Close(cli, mem_ctx, &pol);
484  done:
485         return result;
486 }
487
488 /* Enumerates privileges */
489
490 static NTSTATUS cmd_lsa_enum_privilege(struct rpc_pipe_client *cli, 
491                                        TALLOC_CTX *mem_ctx, int argc, 
492                                        const char **argv) 
493 {
494         struct policy_handle pol;
495         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
496         struct lsa_PrivArray priv_array;
497
498         uint32 enum_context=0;
499         uint32 pref_max_length=0x1000;
500         int i;
501
502         if (argc > 3) {
503                 printf("Usage: %s [enum context] [max length]\n", argv[0]);
504                 return NT_STATUS_OK;
505         }
506
507         if (argc>=2)
508                 enum_context=atoi(argv[1]);
509
510         if (argc==3)
511                 pref_max_length=atoi(argv[2]);
512
513         result = rpccli_lsa_open_policy(cli, mem_ctx, True, 
514                                      SEC_FLAG_MAXIMUM_ALLOWED,
515                                      &pol);
516
517         if (!NT_STATUS_IS_OK(result))
518                 goto done;
519
520         result = rpccli_lsa_EnumPrivs(cli, mem_ctx,
521                                       &pol,
522                                       &enum_context,
523                                       &priv_array,
524                                       pref_max_length);
525         if (!NT_STATUS_IS_OK(result))
526                 goto done;
527
528         /* Print results */
529         printf("found %d privileges\n\n", priv_array.count);
530
531         for (i = 0; i < priv_array.count; i++) {
532                 printf("%s \t\t%d:%d (0x%x:0x%x)\n",
533                        priv_array.privs[i].name.string ? priv_array.privs[i].name.string : "*unknown*",
534                        priv_array.privs[i].luid.high,
535                        priv_array.privs[i].luid.low,
536                        priv_array.privs[i].luid.high,
537                        priv_array.privs[i].luid.low);
538         }
539
540         rpccli_lsa_Close(cli, mem_ctx, &pol);
541  done:
542         return result;
543 }
544
545 /* Get privilege name */
546
547 static NTSTATUS cmd_lsa_get_dispname(struct rpc_pipe_client *cli, 
548                                      TALLOC_CTX *mem_ctx, int argc, 
549                                      const char **argv) 
550 {
551         struct policy_handle pol;
552         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
553
554         uint16 lang_id=0;
555         uint16 lang_id_sys=0;
556         uint16 lang_id_desc;
557         struct lsa_String lsa_name;
558         struct lsa_StringLarge *description = NULL;
559
560         if (argc != 2) {
561                 printf("Usage: %s privilege name\n", argv[0]);
562                 return NT_STATUS_OK;
563         }
564
565         result = rpccli_lsa_open_policy(cli, mem_ctx, True, 
566                                      SEC_FLAG_MAXIMUM_ALLOWED,
567                                      &pol);
568
569         if (!NT_STATUS_IS_OK(result))
570                 goto done;
571
572         init_lsa_String(&lsa_name, argv[1]);
573
574         result = rpccli_lsa_LookupPrivDisplayName(cli, mem_ctx,
575                                                   &pol,
576                                                   &lsa_name,
577                                                   lang_id,
578                                                   lang_id_sys,
579                                                   &description,
580                                                   &lang_id_desc);
581
582         if (!NT_STATUS_IS_OK(result))
583                 goto done;
584
585         /* Print results */
586         printf("%s -> %s (language: 0x%x)\n", argv[1], description->string, lang_id_desc);
587
588         rpccli_lsa_Close(cli, mem_ctx, &pol);
589  done:
590         return result;
591 }
592
593 /* Enumerate the LSA SIDS */
594
595 static NTSTATUS cmd_lsa_enum_sids(struct rpc_pipe_client *cli, 
596                                   TALLOC_CTX *mem_ctx, int argc, 
597                                   const char **argv) 
598 {
599         struct policy_handle pol;
600         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
601
602         uint32 enum_context=0;
603         uint32 pref_max_length=0x1000;
604         struct lsa_SidArray sid_array;
605         int i;
606
607         if (argc > 3) {
608                 printf("Usage: %s [enum context] [max length]\n", argv[0]);
609                 return NT_STATUS_OK;
610         }
611
612         if (argc>=2)
613                 enum_context=atoi(argv[1]);
614
615         if (argc==3)
616                 pref_max_length=atoi(argv[2]);
617
618         result = rpccli_lsa_open_policy(cli, mem_ctx, True, 
619                                      SEC_FLAG_MAXIMUM_ALLOWED,
620                                      &pol);
621
622         if (!NT_STATUS_IS_OK(result))
623                 goto done;
624
625         result = rpccli_lsa_EnumAccounts(cli, mem_ctx,
626                                          &pol,
627                                          &enum_context,
628                                          &sid_array,
629                                          pref_max_length);
630
631         if (!NT_STATUS_IS_OK(result))
632                 goto done;
633
634         /* Print results */
635         printf("found %d SIDs\n\n", sid_array.num_sids);
636
637         for (i = 0; i < sid_array.num_sids; i++) {
638                 fstring sid_str;
639
640                 sid_to_fstring(sid_str, sid_array.sids[i].sid);
641                 printf("%s\n", sid_str);
642         }
643
644         rpccli_lsa_Close(cli, mem_ctx, &pol);
645  done:
646         return result;
647 }
648
649 /* Create a new account */
650
651 static NTSTATUS cmd_lsa_create_account(struct rpc_pipe_client *cli, 
652                                            TALLOC_CTX *mem_ctx, int argc, 
653                                            const char **argv) 
654 {
655         struct policy_handle dom_pol;
656         struct policy_handle user_pol;
657         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
658         uint32 des_access = 0x000f000f;
659         
660         DOM_SID sid;
661
662         if (argc != 2 ) {
663                 printf("Usage: %s SID\n", argv[0]);
664                 return NT_STATUS_OK;
665         }
666
667         result = name_to_sid(cli, mem_ctx, &sid, argv[1]);
668         if (!NT_STATUS_IS_OK(result))
669                 goto done;      
670
671         result = rpccli_lsa_open_policy2(cli, mem_ctx, True, 
672                                      SEC_FLAG_MAXIMUM_ALLOWED,
673                                      &dom_pol);
674
675         if (!NT_STATUS_IS_OK(result))
676                 goto done;
677
678         result = rpccli_lsa_CreateAccount(cli, mem_ctx,
679                                           &dom_pol,
680                                           &sid,
681                                           des_access,
682                                           &user_pol);
683
684         if (!NT_STATUS_IS_OK(result))
685                 goto done;
686
687         printf("Account for SID %s successfully created\n\n", argv[1]);
688         result = NT_STATUS_OK;
689
690         rpccli_lsa_Close(cli, mem_ctx, &dom_pol);
691  done:
692         return result;
693 }
694
695
696 /* Enumerate the privileges of an SID */
697
698 static NTSTATUS cmd_lsa_enum_privsaccounts(struct rpc_pipe_client *cli, 
699                                            TALLOC_CTX *mem_ctx, int argc, 
700                                            const char **argv) 
701 {
702         struct policy_handle dom_pol;
703         struct policy_handle user_pol;
704         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
705         uint32 access_desired = 0x000f000f;
706         DOM_SID sid;
707         struct lsa_PrivilegeSet *privs = NULL;
708         int i;
709
710         if (argc != 2 ) {
711                 printf("Usage: %s SID\n", argv[0]);
712                 return NT_STATUS_OK;
713         }
714
715         result = name_to_sid(cli, mem_ctx, &sid, argv[1]);
716         if (!NT_STATUS_IS_OK(result))
717                 goto done;      
718
719         result = rpccli_lsa_open_policy2(cli, mem_ctx, True, 
720                                      SEC_FLAG_MAXIMUM_ALLOWED,
721                                      &dom_pol);
722
723         if (!NT_STATUS_IS_OK(result))
724                 goto done;
725
726         result = rpccli_lsa_OpenAccount(cli, mem_ctx,
727                                         &dom_pol,
728                                         &sid,
729                                         access_desired,
730                                         &user_pol);
731
732         if (!NT_STATUS_IS_OK(result))
733                 goto done;
734
735         result = rpccli_lsa_EnumPrivsAccount(cli, mem_ctx,
736                                              &user_pol,
737                                              &privs);
738
739         if (!NT_STATUS_IS_OK(result))
740                 goto done;
741
742         /* Print results */
743         printf("found %d privileges for SID %s\n\n", privs->count, argv[1]);
744         printf("high\tlow\tattribute\n");
745
746         for (i = 0; i < privs->count; i++) {
747                 printf("%u\t%u\t%u\n",
748                         privs->set[i].luid.high,
749                         privs->set[i].luid.low,
750                         privs->set[i].attribute);
751         }
752
753         rpccli_lsa_Close(cli, mem_ctx, &dom_pol);
754  done:
755         return result;
756 }
757
758
759 /* Enumerate the privileges of an SID via LsaEnumerateAccountRights */
760
761 static NTSTATUS cmd_lsa_enum_acct_rights(struct rpc_pipe_client *cli, 
762                                          TALLOC_CTX *mem_ctx, int argc, 
763                                          const char **argv) 
764 {
765         struct policy_handle dom_pol;
766         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
767         DOM_SID sid;
768         struct lsa_RightSet rights;
769
770         int i;
771
772         if (argc != 2 ) {
773                 printf("Usage: %s SID\n", argv[0]);
774                 return NT_STATUS_OK;
775         }
776
777         result = name_to_sid(cli, mem_ctx, &sid, argv[1]);
778         if (!NT_STATUS_IS_OK(result))
779                 goto done;      
780
781         result = rpccli_lsa_open_policy2(cli, mem_ctx, True, 
782                                      SEC_FLAG_MAXIMUM_ALLOWED,
783                                      &dom_pol);
784
785         if (!NT_STATUS_IS_OK(result))
786                 goto done;
787
788         result = rpccli_lsa_EnumAccountRights(cli, mem_ctx,
789                                               &dom_pol,
790                                               &sid,
791                                               &rights);
792
793         if (!NT_STATUS_IS_OK(result))
794                 goto done;
795
796         printf("found %d privileges for SID %s\n", rights.count,
797                sid_string_tos(&sid));
798
799         for (i = 0; i < rights.count; i++) {
800                 printf("\t%s\n", rights.names[i].string);
801         }
802
803         rpccli_lsa_Close(cli, mem_ctx, &dom_pol);
804  done:
805         return result;
806 }
807
808
809 /* add some privileges to a SID via LsaAddAccountRights */
810
811 static NTSTATUS cmd_lsa_add_acct_rights(struct rpc_pipe_client *cli, 
812                                         TALLOC_CTX *mem_ctx, int argc, 
813                                         const char **argv) 
814 {
815         struct policy_handle dom_pol;
816         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
817         struct lsa_RightSet rights;
818         DOM_SID sid;
819         int i;
820
821         if (argc < 3 ) {
822                 printf("Usage: %s SID [rights...]\n", argv[0]);
823                 return NT_STATUS_OK;
824         }
825
826         result = name_to_sid(cli, mem_ctx, &sid, argv[1]);
827         if (!NT_STATUS_IS_OK(result))
828                 goto done;      
829
830         result = rpccli_lsa_open_policy2(cli, mem_ctx, True, 
831                                      SEC_FLAG_MAXIMUM_ALLOWED,
832                                      &dom_pol);
833
834         if (!NT_STATUS_IS_OK(result))
835                 goto done;
836
837         rights.count = argc-2;
838         rights.names = TALLOC_ARRAY(mem_ctx, struct lsa_StringLarge,
839                                     rights.count);
840         if (!rights.names) {
841                 return NT_STATUS_NO_MEMORY;
842         }
843
844         for (i=0; i<argc-2; i++) {
845                 init_lsa_StringLarge(&rights.names[i], argv[i+2]);
846         }
847
848         result = rpccli_lsa_AddAccountRights(cli, mem_ctx,
849                                              &dom_pol,
850                                              &sid,
851                                              &rights);
852
853         if (!NT_STATUS_IS_OK(result))
854                 goto done;
855
856         rpccli_lsa_Close(cli, mem_ctx, &dom_pol);
857  done:
858         return result;
859 }
860
861
862 /* remove some privileges to a SID via LsaRemoveAccountRights */
863
864 static NTSTATUS cmd_lsa_remove_acct_rights(struct rpc_pipe_client *cli, 
865                                         TALLOC_CTX *mem_ctx, int argc, 
866                                         const char **argv) 
867 {
868         struct policy_handle dom_pol;
869         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
870         struct lsa_RightSet rights;
871         DOM_SID sid;
872         int i;
873
874         if (argc < 3 ) {
875                 printf("Usage: %s SID [rights...]\n", argv[0]);
876                 return NT_STATUS_OK;
877         }
878
879         result = name_to_sid(cli, mem_ctx, &sid, argv[1]);
880         if (!NT_STATUS_IS_OK(result))
881                 goto done;      
882
883         result = rpccli_lsa_open_policy2(cli, mem_ctx, True, 
884                                      SEC_FLAG_MAXIMUM_ALLOWED,
885                                      &dom_pol);
886
887         if (!NT_STATUS_IS_OK(result))
888                 goto done;
889
890         rights.count = argc-2;
891         rights.names = TALLOC_ARRAY(mem_ctx, struct lsa_StringLarge,
892                                     rights.count);
893         if (!rights.names) {
894                 return NT_STATUS_NO_MEMORY;
895         }
896
897         for (i=0; i<argc-2; i++) {
898                 init_lsa_StringLarge(&rights.names[i], argv[i+2]);
899         }
900
901         result = rpccli_lsa_RemoveAccountRights(cli, mem_ctx,
902                                                 &dom_pol,
903                                                 &sid,
904                                                 false,
905                                                 &rights);
906
907         if (!NT_STATUS_IS_OK(result))
908                 goto done;
909
910         rpccli_lsa_Close(cli, mem_ctx, &dom_pol);
911
912  done:
913         return result;
914 }
915
916
917 /* Get a privilege value given its name */
918
919 static NTSTATUS cmd_lsa_lookup_priv_value(struct rpc_pipe_client *cli, 
920                                         TALLOC_CTX *mem_ctx, int argc, 
921                                         const char **argv) 
922 {
923         struct policy_handle pol;
924         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
925         struct lsa_LUID luid;
926         struct lsa_String name;
927
928         if (argc != 2 ) {
929                 printf("Usage: %s name\n", argv[0]);
930                 return NT_STATUS_OK;
931         }
932
933         result = rpccli_lsa_open_policy2(cli, mem_ctx, True, 
934                                      SEC_FLAG_MAXIMUM_ALLOWED,
935                                      &pol);
936
937         if (!NT_STATUS_IS_OK(result))
938                 goto done;
939
940         init_lsa_String(&name, argv[1]);
941
942         result = rpccli_lsa_LookupPrivValue(cli, mem_ctx,
943                                             &pol,
944                                             &name,
945                                             &luid);
946
947         if (!NT_STATUS_IS_OK(result))
948                 goto done;
949
950         /* Print results */
951
952         printf("%u:%u (0x%x:0x%x)\n", luid.high, luid.low, luid.high, luid.low);
953
954         rpccli_lsa_Close(cli, mem_ctx, &pol);
955  done:
956         return result;
957 }
958
959 /* Query LSA security object */
960
961 static NTSTATUS cmd_lsa_query_secobj(struct rpc_pipe_client *cli, 
962                                      TALLOC_CTX *mem_ctx, int argc, 
963                                      const char **argv) 
964 {
965         struct policy_handle pol;
966         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
967         SEC_DESC_BUF *sdb;
968         uint32 sec_info = DACL_SECURITY_INFORMATION;
969
970         if (argc < 1 || argc > 2) {
971                 printf("Usage: %s [sec_info]\n", argv[0]);
972                 return NT_STATUS_OK;
973         }
974
975         result = rpccli_lsa_open_policy2(cli, mem_ctx, True, 
976                                       SEC_FLAG_MAXIMUM_ALLOWED,
977                                       &pol);
978
979         if (argc == 2) 
980                 sscanf(argv[1], "%x", &sec_info);
981
982         if (!NT_STATUS_IS_OK(result))
983                 goto done;
984
985         result = rpccli_lsa_QuerySecurity(cli, mem_ctx,
986                                           &pol,
987                                           sec_info,
988                                           &sdb);
989         if (!NT_STATUS_IS_OK(result))
990                 goto done;
991
992         /* Print results */
993
994         display_sec_desc(sdb->sd);
995
996         rpccli_lsa_Close(cli, mem_ctx, &pol);
997  done:
998         return result;
999 }
1000
1001 static void display_trust_dom_info_4(struct lsa_TrustDomainInfoPassword *p,
1002                                      uint8_t session_key[16])
1003 {
1004         char *pwd, *pwd_old;
1005         
1006         DATA_BLOB data     = data_blob_const(p->password->data, p->password->length);
1007         DATA_BLOB data_old = data_blob_const(p->old_password->data, p->old_password->length);
1008         DATA_BLOB session_key_blob = data_blob_const(session_key, sizeof(session_key));
1009
1010         pwd     = sess_decrypt_string(talloc_tos(), &data, &session_key_blob);
1011         pwd_old = sess_decrypt_string(talloc_tos(), &data_old, &session_key_blob);
1012         
1013         d_printf("Password:\t%s\n", pwd);
1014         d_printf("Old Password:\t%s\n", pwd_old);
1015
1016         talloc_free(pwd);
1017         talloc_free(pwd_old);
1018 }
1019
1020 static void display_trust_dom_info(TALLOC_CTX *mem_ctx,
1021                                    union lsa_TrustedDomainInfo *info,
1022                                    enum lsa_TrustDomInfoEnum info_class,
1023                                    uint8_t nt_hash[16])
1024 {
1025         switch (info_class) {
1026                 case LSA_TRUSTED_DOMAIN_INFO_PASSWORD:
1027                         display_trust_dom_info_4(&info->password, nt_hash);
1028                         break;
1029                 default: {
1030                         const char *str = NULL;
1031                         str = NDR_PRINT_UNION_STRING(mem_ctx,
1032                                                      lsa_TrustedDomainInfo,
1033                                                      info_class, info);
1034                         if (str) {
1035                                 d_printf("%s\n", str);
1036                         }
1037                         break;
1038                 }
1039         }
1040 }
1041
1042 static NTSTATUS cmd_lsa_query_trustdominfobysid(struct rpc_pipe_client *cli,
1043                                                 TALLOC_CTX *mem_ctx, int argc, 
1044                                                 const char **argv) 
1045 {
1046         struct policy_handle pol;
1047         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1048         DOM_SID dom_sid;
1049         uint32 access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
1050         union lsa_TrustedDomainInfo *info = NULL;
1051         enum lsa_TrustDomInfoEnum info_class = 1;
1052         uint8_t nt_hash[16];
1053
1054         if (argc > 3 || argc < 2) {
1055                 printf("Usage: %s [sid] [info_class]\n", argv[0]);
1056                 return NT_STATUS_OK;
1057         }
1058
1059         if (!string_to_sid(&dom_sid, argv[1]))
1060                 return NT_STATUS_NO_MEMORY;
1061
1062         if (argc == 3)
1063                 info_class = atoi(argv[2]);
1064
1065         result = rpccli_lsa_open_policy2(cli, mem_ctx, True, access_mask, &pol);
1066
1067         if (!NT_STATUS_IS_OK(result))
1068                 goto done;
1069
1070         result = rpccli_lsa_QueryTrustedDomainInfoBySid(cli, mem_ctx,
1071                                                         &pol,
1072                                                         &dom_sid,
1073                                                         info_class,
1074                                                         &info);
1075         if (!NT_STATUS_IS_OK(result))
1076                 goto done;
1077
1078         if (!rpccli_get_pwd_hash(cli, nt_hash)) {
1079                 d_fprintf(stderr, "Could not get pwd hash\n");
1080                 goto done;
1081         }
1082
1083         display_trust_dom_info(mem_ctx, info, info_class, nt_hash);
1084
1085  done:
1086         rpccli_lsa_Close(cli, mem_ctx, &pol);
1087
1088         return result;
1089 }
1090
1091 static NTSTATUS cmd_lsa_query_trustdominfobyname(struct rpc_pipe_client *cli,
1092                                                  TALLOC_CTX *mem_ctx, int argc,
1093                                                  const char **argv) 
1094 {
1095         struct policy_handle pol;
1096         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1097         uint32 access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
1098         union lsa_TrustedDomainInfo *info = NULL;
1099         enum lsa_TrustDomInfoEnum info_class = 1;
1100         struct lsa_String trusted_domain;
1101         uint8_t nt_hash[16];
1102
1103         if (argc > 3 || argc < 2) {
1104                 printf("Usage: %s [name] [info_class]\n", argv[0]);
1105                 return NT_STATUS_OK;
1106         }
1107
1108         if (argc == 3)
1109                 info_class = atoi(argv[2]);
1110
1111         result = rpccli_lsa_open_policy2(cli, mem_ctx, True, access_mask, &pol);
1112
1113         if (!NT_STATUS_IS_OK(result))
1114                 goto done;
1115
1116         init_lsa_String(&trusted_domain, argv[1]);
1117
1118         result = rpccli_lsa_QueryTrustedDomainInfoByName(cli, mem_ctx,
1119                                                          &pol,
1120                                                          &trusted_domain,
1121                                                          info_class,
1122                                                          &info);
1123         if (!NT_STATUS_IS_OK(result))
1124                 goto done;
1125
1126         if (!rpccli_get_pwd_hash(cli, nt_hash)) {
1127                 d_fprintf(stderr, "Could not get pwd hash\n");
1128                 goto done;
1129         }
1130
1131         display_trust_dom_info(mem_ctx, info, info_class, nt_hash);
1132
1133  done:
1134         rpccli_lsa_Close(cli, mem_ctx, &pol);
1135
1136         return result;
1137 }
1138
1139 static NTSTATUS cmd_lsa_query_trustdominfo(struct rpc_pipe_client *cli,
1140                                            TALLOC_CTX *mem_ctx, int argc,
1141                                            const char **argv) 
1142 {
1143         struct policy_handle pol, trustdom_pol;
1144         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1145         uint32 access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
1146         union lsa_TrustedDomainInfo *info = NULL;
1147         DOM_SID dom_sid;
1148         enum lsa_TrustDomInfoEnum info_class = 1;
1149         uint8_t nt_hash[16];
1150
1151         if (argc > 3 || argc < 2) {
1152                 printf("Usage: %s [sid] [info_class]\n", argv[0]);
1153                 return NT_STATUS_OK;
1154         }
1155
1156         if (!string_to_sid(&dom_sid, argv[1]))
1157                 return NT_STATUS_NO_MEMORY;
1158
1159
1160         if (argc == 3)
1161                 info_class = atoi(argv[2]);
1162
1163         result = rpccli_lsa_open_policy2(cli, mem_ctx, True, access_mask, &pol);
1164
1165         if (!NT_STATUS_IS_OK(result))
1166                 goto done;
1167
1168         result = rpccli_lsa_OpenTrustedDomain(cli, mem_ctx,
1169                                               &pol,
1170                                               &dom_sid,
1171                                               access_mask,
1172                                               &trustdom_pol);
1173
1174         if (!NT_STATUS_IS_OK(result))
1175                 goto done;
1176
1177         result = rpccli_lsa_QueryTrustedDomainInfo(cli, mem_ctx,
1178                                                    &trustdom_pol,
1179                                                    info_class,
1180                                                    &info);
1181
1182         if (!NT_STATUS_IS_OK(result))
1183                 goto done;
1184
1185         if (!rpccli_get_pwd_hash(cli, nt_hash)) {
1186                 d_fprintf(stderr, "Could not get pwd hash\n");
1187                 goto done;
1188         }
1189
1190         display_trust_dom_info(mem_ctx, info, info_class, nt_hash);
1191
1192  done:
1193         rpccli_lsa_Close(cli, mem_ctx, &pol);
1194
1195         return result;
1196 }
1197
1198 static NTSTATUS cmd_lsa_get_username(struct rpc_pipe_client *cli,
1199                                      TALLOC_CTX *mem_ctx, int argc,
1200                                      const char **argv)
1201 {
1202         struct policy_handle pol;
1203         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1204         const char *servername = cli->desthost;
1205         struct lsa_String *account_name = NULL;
1206         struct lsa_String *authority_name = NULL;
1207
1208         if (argc > 2) {
1209                 printf("Usage: %s servername\n", argv[0]);
1210                 return NT_STATUS_OK;
1211         }
1212
1213         result = rpccli_lsa_open_policy(cli, mem_ctx, true,
1214                                         SEC_FLAG_MAXIMUM_ALLOWED,
1215                                         &pol);
1216
1217         if (!NT_STATUS_IS_OK(result)) {
1218                 goto done;
1219         }
1220
1221         result = rpccli_lsa_GetUserName(cli, mem_ctx,
1222                                         servername,
1223                                         &account_name,
1224                                         &authority_name);
1225         if (!NT_STATUS_IS_OK(result)) {
1226                 goto done;
1227         }
1228
1229         /* Print results */
1230
1231         printf("Account Name: %s, Authority Name: %s\n",
1232                 account_name->string, authority_name ? authority_name->string :
1233                 "");
1234
1235         rpccli_lsa_Close(cli, mem_ctx, &pol);
1236  done:
1237         return result;
1238 }
1239
1240 static NTSTATUS cmd_lsa_add_priv(struct rpc_pipe_client *cli,
1241                                  TALLOC_CTX *mem_ctx, int argc,
1242                                  const char **argv)
1243 {
1244         struct policy_handle dom_pol, user_pol;
1245         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1246         struct lsa_PrivilegeSet privs;
1247         struct lsa_LUIDAttribute *set = NULL;
1248         DOM_SID sid;
1249         int i;
1250
1251         ZERO_STRUCT(privs);
1252
1253         if (argc < 3 ) {
1254                 printf("Usage: %s SID [rights...]\n", argv[0]);
1255                 return NT_STATUS_OK;
1256         }
1257
1258         result = name_to_sid(cli, mem_ctx, &sid, argv[1]);
1259         if (!NT_STATUS_IS_OK(result)) {
1260                 goto done;
1261         }
1262
1263         result = rpccli_lsa_open_policy2(cli, mem_ctx, True,
1264                                          SEC_FLAG_MAXIMUM_ALLOWED,
1265                                          &dom_pol);
1266
1267         if (!NT_STATUS_IS_OK(result)) {
1268                 goto done;
1269         }
1270
1271         result = rpccli_lsa_OpenAccount(cli, mem_ctx,
1272                                         &dom_pol,
1273                                         &sid,
1274                                         SEC_FLAG_MAXIMUM_ALLOWED,
1275                                         &user_pol);
1276
1277         if (!NT_STATUS_IS_OK(result)) {
1278                 goto done;
1279         }
1280
1281         for (i=2; i<argc; i++) {
1282
1283                 struct lsa_String priv_name;
1284                 struct lsa_LUID luid;
1285
1286                 init_lsa_String(&priv_name, argv[i]);
1287
1288                 result = rpccli_lsa_LookupPrivValue(cli, mem_ctx,
1289                                                     &dom_pol,
1290                                                     &priv_name,
1291                                                     &luid);
1292                 if (!NT_STATUS_IS_OK(result)) {
1293                         continue;
1294                 }
1295
1296                 privs.count++;
1297                 set = TALLOC_REALLOC_ARRAY(mem_ctx, set,
1298                                            struct lsa_LUIDAttribute,
1299                                            privs.count);
1300                 if (!set) {
1301                         return NT_STATUS_NO_MEMORY;
1302                 }
1303
1304                 set[privs.count-1].luid = luid;
1305                 set[privs.count-1].attribute = 0;
1306         }
1307
1308         privs.set = set;
1309
1310         result = rpccli_lsa_AddPrivilegesToAccount(cli, mem_ctx,
1311                                                    &user_pol,
1312                                                    &privs);
1313
1314         if (!NT_STATUS_IS_OK(result)) {
1315                 goto done;
1316         }
1317
1318         rpccli_lsa_Close(cli, mem_ctx, &user_pol);
1319         rpccli_lsa_Close(cli, mem_ctx, &dom_pol);
1320  done:
1321         return result;
1322 }
1323
1324 static NTSTATUS cmd_lsa_del_priv(struct rpc_pipe_client *cli,
1325                                  TALLOC_CTX *mem_ctx, int argc,
1326                                  const char **argv)
1327 {
1328         struct policy_handle dom_pol, user_pol;
1329         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1330         struct lsa_PrivilegeSet privs;
1331         struct lsa_LUIDAttribute *set = NULL;
1332         DOM_SID sid;
1333         int i;
1334
1335         ZERO_STRUCT(privs);
1336
1337         if (argc < 3 ) {
1338                 printf("Usage: %s SID [rights...]\n", argv[0]);
1339                 return NT_STATUS_OK;
1340         }
1341
1342         result = name_to_sid(cli, mem_ctx, &sid, argv[1]);
1343         if (!NT_STATUS_IS_OK(result)) {
1344                 goto done;
1345         }
1346
1347         result = rpccli_lsa_open_policy2(cli, mem_ctx, True,
1348                                          SEC_FLAG_MAXIMUM_ALLOWED,
1349                                          &dom_pol);
1350
1351         if (!NT_STATUS_IS_OK(result)) {
1352                 goto done;
1353         }
1354
1355         result = rpccli_lsa_OpenAccount(cli, mem_ctx,
1356                                         &dom_pol,
1357                                         &sid,
1358                                         SEC_FLAG_MAXIMUM_ALLOWED,
1359                                         &user_pol);
1360
1361         if (!NT_STATUS_IS_OK(result)) {
1362                 goto done;
1363         }
1364
1365         for (i=2; i<argc; i++) {
1366
1367                 struct lsa_String priv_name;
1368                 struct lsa_LUID luid;
1369
1370                 init_lsa_String(&priv_name, argv[i]);
1371
1372                 result = rpccli_lsa_LookupPrivValue(cli, mem_ctx,
1373                                                     &dom_pol,
1374                                                     &priv_name,
1375                                                     &luid);
1376                 if (!NT_STATUS_IS_OK(result)) {
1377                         continue;
1378                 }
1379
1380                 privs.count++;
1381                 set = TALLOC_REALLOC_ARRAY(mem_ctx, set,
1382                                            struct lsa_LUIDAttribute,
1383                                            privs.count);
1384                 if (!set) {
1385                         return NT_STATUS_NO_MEMORY;
1386                 }
1387
1388                 set[privs.count-1].luid = luid;
1389                 set[privs.count-1].attribute = 0;
1390         }
1391
1392         privs.set = set;
1393
1394
1395         result = rpccli_lsa_RemovePrivilegesFromAccount(cli, mem_ctx,
1396                                                         &user_pol,
1397                                                         false,
1398                                                         &privs);
1399
1400         if (!NT_STATUS_IS_OK(result)) {
1401                 goto done;
1402         }
1403
1404         rpccli_lsa_Close(cli, mem_ctx, &user_pol);
1405         rpccli_lsa_Close(cli, mem_ctx, &dom_pol);
1406  done:
1407         return result;
1408 }
1409
1410 static NTSTATUS cmd_lsa_create_secret(struct rpc_pipe_client *cli,
1411                                       TALLOC_CTX *mem_ctx, int argc,
1412                                       const char **argv)
1413 {
1414         NTSTATUS status;
1415         struct policy_handle handle, sec_handle;
1416         struct lsa_String name;
1417
1418         if (argc < 2) {
1419                 printf("Usage: %s name\n", argv[0]);
1420                 return NT_STATUS_OK;
1421         }
1422
1423         status = rpccli_lsa_open_policy2(cli, mem_ctx,
1424                                          true,
1425                                          SEC_FLAG_MAXIMUM_ALLOWED,
1426                                          &handle);
1427         if (!NT_STATUS_IS_OK(status)) {
1428                 return status;
1429         }
1430
1431         init_lsa_String(&name, argv[1]);
1432
1433         status = rpccli_lsa_CreateSecret(cli, mem_ctx,
1434                                          &handle,
1435                                          name,
1436                                          SEC_FLAG_MAXIMUM_ALLOWED,
1437                                          &sec_handle);
1438         if (!NT_STATUS_IS_OK(status)) {
1439                 goto done;
1440         }
1441
1442  done:
1443         if (is_valid_policy_hnd(&sec_handle)) {
1444                 rpccli_lsa_Close(cli, mem_ctx, &sec_handle);
1445         }
1446         if (is_valid_policy_hnd(&handle)) {
1447                 rpccli_lsa_Close(cli, mem_ctx, &handle);
1448         }
1449
1450         return status;
1451 }
1452
1453 static NTSTATUS cmd_lsa_delete_secret(struct rpc_pipe_client *cli,
1454                                       TALLOC_CTX *mem_ctx, int argc,
1455                                       const char **argv)
1456 {
1457         NTSTATUS status;
1458         struct policy_handle handle, sec_handle;
1459         struct lsa_String name;
1460
1461         if (argc < 2) {
1462                 printf("Usage: %s name\n", argv[0]);
1463                 return NT_STATUS_OK;
1464         }
1465
1466         status = rpccli_lsa_open_policy2(cli, mem_ctx,
1467                                          true,
1468                                          SEC_FLAG_MAXIMUM_ALLOWED,
1469                                          &handle);
1470         if (!NT_STATUS_IS_OK(status)) {
1471                 return status;
1472         }
1473
1474         init_lsa_String(&name, argv[1]);
1475
1476         status = rpccli_lsa_OpenSecret(cli, mem_ctx,
1477                                        &handle,
1478                                        name,
1479                                        SEC_FLAG_MAXIMUM_ALLOWED,
1480                                        &sec_handle);
1481         if (!NT_STATUS_IS_OK(status)) {
1482                 goto done;
1483         }
1484
1485         status = rpccli_lsa_DeleteObject(cli, mem_ctx,
1486                                          &sec_handle);
1487         if (!NT_STATUS_IS_OK(status)) {
1488                 goto done;
1489         }
1490
1491  done:
1492         if (is_valid_policy_hnd(&sec_handle)) {
1493                 rpccli_lsa_Close(cli, mem_ctx, &sec_handle);
1494         }
1495         if (is_valid_policy_hnd(&handle)) {
1496                 rpccli_lsa_Close(cli, mem_ctx, &handle);
1497         }
1498
1499         return status;
1500 }
1501
1502 static NTSTATUS cmd_lsa_query_secret(struct rpc_pipe_client *cli,
1503                                      TALLOC_CTX *mem_ctx, int argc,
1504                                      const char **argv)
1505 {
1506         NTSTATUS status;
1507         struct policy_handle handle, sec_handle;
1508         struct lsa_String name;
1509         struct lsa_DATA_BUF_PTR new_val;
1510         NTTIME new_mtime = 0;
1511         struct lsa_DATA_BUF_PTR old_val;
1512         NTTIME old_mtime = 0;
1513         DATA_BLOB session_key;
1514         DATA_BLOB new_blob = data_blob_null;
1515         DATA_BLOB old_blob = data_blob_null;
1516         char *new_secret, *old_secret;
1517
1518         if (argc < 2) {
1519                 printf("Usage: %s name\n", argv[0]);
1520                 return NT_STATUS_OK;
1521         }
1522
1523         status = rpccli_lsa_open_policy2(cli, mem_ctx,
1524                                          true,
1525                                          SEC_FLAG_MAXIMUM_ALLOWED,
1526                                          &handle);
1527         if (!NT_STATUS_IS_OK(status)) {
1528                 return status;
1529         }
1530
1531         init_lsa_String(&name, argv[1]);
1532
1533         status = rpccli_lsa_OpenSecret(cli, mem_ctx,
1534                                        &handle,
1535                                        name,
1536                                        SEC_FLAG_MAXIMUM_ALLOWED,
1537                                        &sec_handle);
1538         if (!NT_STATUS_IS_OK(status)) {
1539                 goto done;
1540         }
1541
1542         ZERO_STRUCT(new_val);
1543         ZERO_STRUCT(old_val);
1544
1545         status = rpccli_lsa_QuerySecret(cli, mem_ctx,
1546                                         &sec_handle,
1547                                         &new_val,
1548                                         &new_mtime,
1549                                         &old_val,
1550                                         &old_mtime);
1551         if (!NT_STATUS_IS_OK(status)) {
1552                 goto done;
1553         }
1554
1555         status = cli_get_session_key(mem_ctx, cli, &session_key);
1556         if (!NT_STATUS_IS_OK(status)) {
1557                 goto done;
1558         }
1559
1560         if (new_val.buf) {
1561                 new_blob = data_blob_const(new_val.buf->data, new_val.buf->length);
1562         }
1563         if (old_val.buf) {
1564                 old_blob = data_blob_const(old_val.buf->data, old_val.buf->length);
1565         }
1566
1567         new_secret = sess_decrypt_string(mem_ctx, &new_blob, &session_key);
1568         old_secret = sess_decrypt_string(mem_ctx, &old_blob, &session_key);
1569         if (new_secret) {
1570                 d_printf("new secret: %s\n", new_secret);
1571         }
1572         if (old_secret) {
1573                 d_printf("old secret: %s\n", old_secret);
1574         }
1575
1576  done:
1577         if (is_valid_policy_hnd(&sec_handle)) {
1578                 rpccli_lsa_Close(cli, mem_ctx, &sec_handle);
1579         }
1580         if (is_valid_policy_hnd(&handle)) {
1581                 rpccli_lsa_Close(cli, mem_ctx, &handle);
1582         }
1583
1584         return status;
1585 }
1586
1587 static NTSTATUS cmd_lsa_set_secret(struct rpc_pipe_client *cli,
1588                                    TALLOC_CTX *mem_ctx, int argc,
1589                                    const char **argv)
1590 {
1591         NTSTATUS status;
1592         struct policy_handle handle, sec_handle;
1593         struct lsa_String name;
1594         struct lsa_DATA_BUF new_val;
1595         struct lsa_DATA_BUF old_val;
1596         DATA_BLOB enc_key;
1597         DATA_BLOB session_key;
1598
1599         if (argc < 3) {
1600                 printf("Usage: %s name secret\n", argv[0]);
1601                 return NT_STATUS_OK;
1602         }
1603
1604         status = rpccli_lsa_open_policy2(cli, mem_ctx,
1605                                          true,
1606                                          SEC_FLAG_MAXIMUM_ALLOWED,
1607                                          &handle);
1608         if (!NT_STATUS_IS_OK(status)) {
1609                 return status;
1610         }
1611
1612         init_lsa_String(&name, argv[1]);
1613
1614         status = rpccli_lsa_OpenSecret(cli, mem_ctx,
1615                                        &handle,
1616                                        name,
1617                                        SEC_FLAG_MAXIMUM_ALLOWED,
1618                                        &sec_handle);
1619         if (!NT_STATUS_IS_OK(status)) {
1620                 goto done;
1621         }
1622
1623         ZERO_STRUCT(new_val);
1624         ZERO_STRUCT(old_val);
1625
1626         status = cli_get_session_key(mem_ctx, cli, &session_key);
1627         if (!NT_STATUS_IS_OK(status)) {
1628                 goto done;
1629         }
1630
1631         enc_key = sess_encrypt_string(argv[2], &session_key);
1632
1633         new_val.length = enc_key.length;
1634         new_val.size = enc_key.length;
1635         new_val.data = enc_key.data;
1636
1637         status = rpccli_lsa_SetSecret(cli, mem_ctx,
1638                                       &sec_handle,
1639                                       &new_val,
1640                                       NULL);
1641         if (!NT_STATUS_IS_OK(status)) {
1642                 goto done;
1643         }
1644
1645  done:
1646         if (is_valid_policy_hnd(&sec_handle)) {
1647                 rpccli_lsa_Close(cli, mem_ctx, &sec_handle);
1648         }
1649         if (is_valid_policy_hnd(&handle)) {
1650                 rpccli_lsa_Close(cli, mem_ctx, &handle);
1651         }
1652
1653         return status;
1654 }
1655
1656 static NTSTATUS cmd_lsa_retrieve_private_data(struct rpc_pipe_client *cli,
1657                                               TALLOC_CTX *mem_ctx, int argc,
1658                                               const char **argv)
1659 {
1660         NTSTATUS status;
1661         struct policy_handle handle;
1662         struct lsa_String name;
1663         struct lsa_DATA_BUF *val;
1664         DATA_BLOB session_key;
1665         DATA_BLOB blob;
1666         char *secret;
1667
1668         if (argc < 2) {
1669                 printf("Usage: %s name\n", argv[0]);
1670                 return NT_STATUS_OK;
1671         }
1672
1673         status = rpccli_lsa_open_policy2(cli, mem_ctx,
1674                                          true,
1675                                          SEC_FLAG_MAXIMUM_ALLOWED,
1676                                          &handle);
1677         if (!NT_STATUS_IS_OK(status)) {
1678                 return status;
1679         }
1680
1681         init_lsa_String(&name, argv[1]);
1682
1683         ZERO_STRUCT(val);
1684
1685         status = rpccli_lsa_RetrievePrivateData(cli, mem_ctx,
1686                                                 &handle,
1687                                                 &name,
1688                                                 &val);
1689         if (!NT_STATUS_IS_OK(status)) {
1690                 goto done;
1691         }
1692
1693         status = cli_get_session_key(mem_ctx, cli, &session_key);
1694         if (!NT_STATUS_IS_OK(status)) {
1695                 goto done;
1696         }
1697
1698         if (val) {
1699                 blob = data_blob_const(val->data, val->length);
1700         }
1701
1702         secret = sess_decrypt_string(mem_ctx, &blob, &session_key);
1703         if (secret) {
1704                 d_printf("secret: %s\n", secret);
1705         }
1706
1707  done:
1708         if (is_valid_policy_hnd(&handle)) {
1709                 rpccli_lsa_Close(cli, mem_ctx, &handle);
1710         }
1711
1712         return status;
1713 }
1714
1715 static NTSTATUS cmd_lsa_store_private_data(struct rpc_pipe_client *cli,
1716                                            TALLOC_CTX *mem_ctx, int argc,
1717                                            const char **argv)
1718 {
1719         NTSTATUS status;
1720         struct policy_handle handle;
1721         struct lsa_String name;
1722         struct lsa_DATA_BUF val;
1723         DATA_BLOB session_key;
1724         DATA_BLOB enc_key;
1725
1726         if (argc < 3) {
1727                 printf("Usage: %s name secret\n", argv[0]);
1728                 return NT_STATUS_OK;
1729         }
1730
1731         status = rpccli_lsa_open_policy2(cli, mem_ctx,
1732                                          true,
1733                                          SEC_FLAG_MAXIMUM_ALLOWED,
1734                                          &handle);
1735         if (!NT_STATUS_IS_OK(status)) {
1736                 return status;
1737         }
1738
1739         init_lsa_String(&name, argv[1]);
1740
1741         ZERO_STRUCT(val);
1742
1743         status = cli_get_session_key(mem_ctx, cli, &session_key);
1744         if (!NT_STATUS_IS_OK(status)) {
1745                 goto done;
1746         }
1747
1748         enc_key = sess_encrypt_string(argv[2], &session_key);
1749
1750         val.length = enc_key.length;
1751         val.size = enc_key.length;
1752         val.data = enc_key.data;
1753
1754         status = rpccli_lsa_StorePrivateData(cli, mem_ctx,
1755                                              &handle,
1756                                              &name,
1757                                              &val);
1758         if (!NT_STATUS_IS_OK(status)) {
1759                 goto done;
1760         }
1761
1762  done:
1763         if (is_valid_policy_hnd(&handle)) {
1764                 rpccli_lsa_Close(cli, mem_ctx, &handle);
1765         }
1766
1767         return status;
1768 }
1769
1770
1771 /* List of commands exported by this module */
1772
1773 struct cmd_set lsarpc_commands[] = {
1774
1775         { "LSARPC" },
1776
1777         { "lsaquery",            RPC_RTYPE_NTSTATUS, cmd_lsa_query_info_policy,  NULL, &ndr_table_lsarpc.syntax_id, NULL, "Query info policy",                    "" },
1778         { "lookupsids",          RPC_RTYPE_NTSTATUS, cmd_lsa_lookup_sids,        NULL, &ndr_table_lsarpc.syntax_id, NULL, "Convert SIDs to names",                "" },
1779         { "lookupnames",         RPC_RTYPE_NTSTATUS, cmd_lsa_lookup_names,       NULL, &ndr_table_lsarpc.syntax_id, NULL, "Convert names to SIDs",                "" },
1780         { "lookupnames4",        RPC_RTYPE_NTSTATUS, cmd_lsa_lookup_names4,      NULL, &ndr_table_lsarpc.syntax_id, NULL, "Convert names to SIDs",                "" },
1781         { "lookupnames_level",   RPC_RTYPE_NTSTATUS, cmd_lsa_lookup_names_level, NULL, &ndr_table_lsarpc.syntax_id, NULL, "Convert names to SIDs",                "" },
1782         { "enumtrust",           RPC_RTYPE_NTSTATUS, cmd_lsa_enum_trust_dom,     NULL, &ndr_table_lsarpc.syntax_id, NULL, "Enumerate trusted domains",            "Usage: [preferred max number] [enum context (0)]" },
1783         { "enumprivs",           RPC_RTYPE_NTSTATUS, cmd_lsa_enum_privilege,     NULL, &ndr_table_lsarpc.syntax_id, NULL, "Enumerate privileges",                 "" },
1784         { "getdispname",         RPC_RTYPE_NTSTATUS, cmd_lsa_get_dispname,       NULL, &ndr_table_lsarpc.syntax_id, NULL, "Get the privilege name",               "" },
1785         { "lsaenumsid",          RPC_RTYPE_NTSTATUS, cmd_lsa_enum_sids,          NULL, &ndr_table_lsarpc.syntax_id, NULL, "Enumerate the LSA SIDS",               "" },
1786         { "lsacreateaccount",    RPC_RTYPE_NTSTATUS, cmd_lsa_create_account,     NULL, &ndr_table_lsarpc.syntax_id, NULL, "Create a new lsa account",   "" },
1787         { "lsaenumprivsaccount", RPC_RTYPE_NTSTATUS, cmd_lsa_enum_privsaccounts, NULL, &ndr_table_lsarpc.syntax_id, NULL, "Enumerate the privileges of an SID",   "" },
1788         { "lsaenumacctrights",   RPC_RTYPE_NTSTATUS, cmd_lsa_enum_acct_rights,   NULL, &ndr_table_lsarpc.syntax_id, NULL, "Enumerate the rights of an SID",   "" },
1789         { "lsaaddpriv",          RPC_RTYPE_NTSTATUS, cmd_lsa_add_priv,           NULL, &ndr_table_lsarpc.syntax_id, NULL, "Assign a privilege to a SID", "" },
1790         { "lsadelpriv",          RPC_RTYPE_NTSTATUS, cmd_lsa_del_priv,           NULL, &ndr_table_lsarpc.syntax_id, NULL, "Revoke a privilege from a SID", "" },
1791         { "lsaaddacctrights",    RPC_RTYPE_NTSTATUS, cmd_lsa_add_acct_rights,    NULL, &ndr_table_lsarpc.syntax_id, NULL, "Add rights to an account",   "" },
1792         { "lsaremoveacctrights", RPC_RTYPE_NTSTATUS, cmd_lsa_remove_acct_rights, NULL, &ndr_table_lsarpc.syntax_id, NULL, "Remove rights from an account",   "" },
1793         { "lsalookupprivvalue",  RPC_RTYPE_NTSTATUS, cmd_lsa_lookup_priv_value,  NULL, &ndr_table_lsarpc.syntax_id, NULL, "Get a privilege value given its name", "" },
1794         { "lsaquerysecobj",      RPC_RTYPE_NTSTATUS, cmd_lsa_query_secobj,       NULL, &ndr_table_lsarpc.syntax_id, NULL, "Query LSA security object", "" },
1795         { "lsaquerytrustdominfo",RPC_RTYPE_NTSTATUS, cmd_lsa_query_trustdominfo, NULL, &ndr_table_lsarpc.syntax_id, NULL, "Query LSA trusted domains info (given a SID)", "" },
1796         { "lsaquerytrustdominfobyname",RPC_RTYPE_NTSTATUS, cmd_lsa_query_trustdominfobyname, NULL, &ndr_table_lsarpc.syntax_id, NULL, "Query LSA trusted domains info (given a name), only works for Windows > 2k", "" },
1797         { "lsaquerytrustdominfobysid",RPC_RTYPE_NTSTATUS, cmd_lsa_query_trustdominfobysid, NULL, &ndr_table_lsarpc.syntax_id, NULL, "Query LSA trusted domains info (given a SID)", "" },
1798         { "getusername",          RPC_RTYPE_NTSTATUS, cmd_lsa_get_username, NULL, &ndr_table_lsarpc.syntax_id, NULL, "Get username", "" },
1799         { "createsecret",         RPC_RTYPE_NTSTATUS, cmd_lsa_create_secret, NULL, &ndr_table_lsarpc.syntax_id, NULL, "Create Secret", "" },
1800         { "deletesecret",         RPC_RTYPE_NTSTATUS, cmd_lsa_delete_secret, NULL, &ndr_table_lsarpc.syntax_id, NULL, "Delete Secret", "" },
1801         { "querysecret",          RPC_RTYPE_NTSTATUS, cmd_lsa_query_secret, NULL, &ndr_table_lsarpc.syntax_id, NULL, "Query Secret", "" },
1802         { "setsecret",            RPC_RTYPE_NTSTATUS, cmd_lsa_set_secret, NULL, &ndr_table_lsarpc.syntax_id, NULL, "Set Secret", "" },
1803         { "retrieveprivatedata",  RPC_RTYPE_NTSTATUS, cmd_lsa_retrieve_private_data, NULL, &ndr_table_lsarpc.syntax_id, NULL, "Retrieve Private Data", "" },
1804         { "storeprivatedata",     RPC_RTYPE_NTSTATUS, cmd_lsa_store_private_data, NULL, &ndr_table_lsarpc.syntax_id, NULL, "Store Private Data", "" },
1805
1806         { NULL }
1807 };
1808