3 * Unix SMB/CIFS implementation.
4 * MS-RPC client library implementation (LSA pipe)
5 * Copyright (C) Chris Nicholls 2005.
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23 #include "libsmb_internal.h"
25 int cac_LsaOpenPolicy( CacServerHandle * hnd, TALLOC_CTX * mem_ctx,
26 struct LsaOpenPolicy *op )
29 POLICY_HND *policy = NULL;
30 struct rpc_pipe_client *pipe_hnd = NULL;
35 if ( !hnd->_internal.ctx ) {
36 hnd->status = NT_STATUS_INVALID_HANDLE;
40 if ( !mem_ctx || !op ) {
41 hnd->status = NT_STATUS_INVALID_PARAMETER;
47 srv = cac_GetServer( hnd );
49 hnd->status = NT_STATUS_INVALID_CONNECTION;
53 /*see if there is already an active session on this pipe, if not then open one */
54 if ( !hnd->_internal.pipes[PI_LSARPC] ) {
56 cli_rpc_pipe_open_noauth( srv->cli, PI_LSARPC,
60 hnd->status = NT_STATUS_UNSUCCESSFUL;
64 hnd->_internal.pipes[PI_LSARPC] = True;
67 pipe_hnd = cac_GetPipe( hnd, PI_LSARPC );
69 hnd->status = NT_STATUS_INVALID_HANDLE;
73 policy = TALLOC_P( mem_ctx, POLICY_HND );
76 hnd->status = NT_STATUS_NO_MEMORY;
80 /*need to make sure that our nt status is good otherwise check might fail below */
81 hnd->status = NT_STATUS_OK;
83 if ( hnd->_internal.srv_level >= SRV_WIN_2K ) {
85 /*try using open_policy2, if this fails try again in next block using open_policy, if that works then adjust hnd->_internal.srv_level */
87 /*we shouldn't need to modify the access mask to make it work here */
89 rpccli_lsa_open_policy2( pipe_hnd, mem_ctx,
91 op->in.access, policy );
95 if ( hnd->_internal.srv_level < SRV_WIN_2K
96 || !NT_STATUS_IS_OK( hnd->status ) ) {
98 rpccli_lsa_open_policy( pipe_hnd, mem_ctx,
100 op->in.access, policy );
102 if ( hnd->_internal.srv_level > SRV_WIN_NT4
103 && NT_STATUS_IS_OK( hnd->status ) ) {
104 /*change the server level to 1 */
105 hnd->_internal.srv_level = SRV_WIN_NT4;
110 if ( !NT_STATUS_IS_OK( hnd->status ) ) {
114 op->out.pol = policy;
119 int cac_LsaClosePolicy( CacServerHandle * hnd, TALLOC_CTX * mem_ctx,
123 struct rpc_pipe_client *pipe_hnd = NULL;
129 return CAC_SUCCESS; /*if the policy handle doesnt exist then it's already closed */
131 if ( !hnd->_internal.ctx || !hnd->_internal.pipes[PI_LSARPC] ) {
132 hnd->status = NT_STATUS_INVALID_HANDLE;
136 pipe_hnd = cac_GetPipe( hnd, PI_LSARPC );
138 hnd->status = NT_STATUS_INVALID_HANDLE;
142 hnd->status = rpccli_lsa_Close( pipe_hnd, mem_ctx, pol );
146 if ( !NT_STATUS_IS_OK( hnd->status ) )
152 int cac_LsaGetNamesFromSids( CacServerHandle * hnd, TALLOC_CTX * mem_ctx,
153 struct LsaGetNamesFromSids *op )
155 struct rpc_pipe_client *pipe_hnd = NULL;
161 /*buffers for outputs */
162 char **domains = NULL;
164 enum lsa_SidType *types = NULL;
166 CacSidInfo *sids_out = NULL;
167 DOM_SID *unknown_out = NULL;
178 if ( !hnd->_internal.ctx || !hnd->_internal.pipes[PI_LSARPC] ) {
179 hnd->status = NT_STATUS_INVALID_HANDLE;
183 if ( !mem_ctx || !op || !op->in.pol || !op->in.sids ) {
184 hnd->status = NT_STATUS_INVALID_PARAMETER;
188 num_sids = op->in.num_sids;
190 pipe_hnd = cac_GetPipe( hnd, PI_LSARPC );
192 hnd->status = NT_STATUS_INVALID_HANDLE;
198 /*now actually lookup the names */
200 rpccli_lsa_lookup_sids( pipe_hnd, mem_ctx, op->in.pol,
201 op->in.num_sids, op->in.sids,
202 &domains, &names, &types );
204 if ( NT_STATUS_IS_OK( hnd->status ) ) {
205 /*this is the easy part, just make the out.sids array */
207 sids_out = TALLOC_ARRAY( mem_ctx, CacSidInfo, num_sids );
210 hnd->status = NT_STATUS_NO_MEMORY;
217 for ( i = 0; i < num_sids; i++ ) {
218 sids_out[i].sid = op->in.sids[i];
219 sids_out[i].name = names[i];
220 sids_out[i].domain = domains[i];
223 result = CAC_SUCCESS;
224 } else if ( NT_STATUS_V( hnd->status ) ==
225 NT_STATUS_V( STATUS_SOME_UNMAPPED ) ) {
226 /*first find out how many couldn't be looked up */
228 for ( i = 0; i < num_sids; i++ ) {
229 if ( names[i] == NULL ) {
234 if ( num_unknown >= num_sids ) {
235 hnd->status = NT_STATUS_UNSUCCESSFUL;
239 if ( num_sids - num_unknown) {
241 TALLOC_ARRAY( mem_ctx, CacSidInfo,
242 ( num_sids - num_unknown ) );
245 hnd->status = NT_STATUS_NO_MEMORY;
253 unknown_out = TALLOC_ARRAY( mem_ctx, DOM_SID, num_unknown );
254 if ( !unknown_out ) {
256 hnd->status = NT_STATUS_NO_MEMORY;
262 found_idx = unknown_idx = 0;
264 /*now we can actually do the real work */
265 for ( i = 0; i < num_sids; i++ ) {
266 if ( names[i] != NULL ) {
267 sids_out[found_idx].sid = op->in.sids[i];
268 sids_out[found_idx].name = names[i];
269 sids_out[found_idx].domain = domains[i];
272 } else { /*then this one didnt work out */
273 unknown_out[unknown_idx] = op->in.sids[i];
279 result = CAC_PARTIAL_SUCCESS;
280 } else { /*then it failed for some reason */
284 op->out.num_found = num_sids - num_unknown;
285 op->out.sids = sids_out;
286 op->out.unknown = unknown_out;
292 int cac_LsaGetSidsFromNames( CacServerHandle * hnd, TALLOC_CTX * mem_ctx,
293 struct LsaGetSidsFromNames *op )
295 struct rpc_pipe_client *pipe_hnd = NULL;
300 /*buffers for outputs */
301 DOM_SID *sids = NULL;
302 enum lsa_SidType *types = NULL;
304 CacSidInfo *sids_out = NULL;
305 char **unknown_out = NULL;
316 if ( !hnd->_internal.ctx || !hnd->_internal.pipes[PI_LSARPC] ) {
317 hnd->status = NT_STATUS_INVALID_HANDLE;
321 if ( !mem_ctx || !op || !op->in.pol || !op->in.names ) {
322 hnd->status = NT_STATUS_INVALID_PARAMETER;
326 num_names = op->in.num_names;
328 pipe_hnd = cac_GetPipe( hnd, PI_LSARPC );
330 hnd->status = NT_STATUS_INVALID_HANDLE;
335 /*now actually lookup the names */
337 rpccli_lsa_lookup_names( pipe_hnd, mem_ctx, op->in.pol,
339 ( const char ** ) op->in.names, NULL,
342 if ( NT_STATUS_IS_OK( hnd->status ) ) {
343 /*this is the easy part, just make the out.sids array */
345 sids_out = TALLOC_ARRAY( mem_ctx, CacSidInfo, num_names );
348 hnd->status = NT_STATUS_NO_MEMORY;
355 for ( i = 0; i < num_names; i++ ) {
356 sids_out[i].sid = sids[i];
358 talloc_strdup( mem_ctx, op->in.names[i] );
359 sids_out[i].domain = NULL;
362 result = CAC_SUCCESS;
363 } else if ( NT_STATUS_V( hnd->status ) ==
364 NT_STATUS_V( STATUS_SOME_UNMAPPED ) ) {
365 /*first find out how many couldn't be looked up */
367 for ( i = 0; i < num_names; i++ ) {
368 if ( types[i] == SID_NAME_UNKNOWN ) {
373 if ( num_unknown >= num_names ) {
374 hnd->status = NT_STATUS_UNSUCCESSFUL;
378 if (num_names - num_unknown) {
380 TALLOC_ARRAY( mem_ctx, CacSidInfo,
381 ( num_names - num_unknown ) );
384 hnd->status = NT_STATUS_NO_MEMORY;
392 unknown_out = TALLOC_ARRAY( mem_ctx, char *, num_unknown );
393 if ( !unknown_out ) {
395 hnd->status = NT_STATUS_NO_MEMORY;
402 unknown_idx = found_idx = 0;
404 /*now we can actually do the real work */
405 for ( i = 0; i < num_names; i++ ) {
406 if ( types[i] != SID_NAME_UNKNOWN ) {
407 sids_out[found_idx].sid = sids[i];
408 sids_out[found_idx].name =
409 talloc_strdup( mem_ctx,
411 sids_out[found_idx].domain = NULL;
414 } else { /*then this one didnt work out */
415 unknown_out[unknown_idx] =
416 talloc_strdup( mem_ctx,
423 result = CAC_PARTIAL_SUCCESS;
424 } else { /*then it failed for some reason */
428 op->out.num_found = num_names - num_unknown;
429 op->out.sids = sids_out;
430 op->out.unknown = unknown_out;
436 int cac_LsaFetchSid( CacServerHandle * hnd, TALLOC_CTX * mem_ctx,
437 struct LsaFetchSid *op )
439 struct rpc_pipe_client *pipe_hnd = NULL;
445 if ( !hnd->_internal.ctx || !hnd->_internal.pipes[PI_LSARPC] ) {
446 hnd->status = NT_STATUS_INVALID_HANDLE;
450 if ( !mem_ctx || !op || !op->in.pol ) {
451 hnd->status = NT_STATUS_INVALID_PARAMETER;
455 pipe_hnd = cac_GetPipe( hnd, PI_LSARPC );
457 hnd->status = NT_STATUS_INVALID_HANDLE;
461 op->out.local_sid = NULL;
462 op->out.domain_sid = NULL;
464 if ( ( op->in.info_class & CAC_LOCAL_INFO ) == CAC_LOCAL_INFO ) {
465 DOM_SID *local_sid = NULL;
466 char *dom_name = NULL;
469 rpccli_lsa_query_info_policy( pipe_hnd, mem_ctx,
472 &dom_name, &local_sid );
474 if ( !NT_STATUS_IS_OK( hnd->status ) ) {
475 result = CAC_FAILURE;
479 op->out.local_sid = talloc( mem_ctx, CacSidInfo );
480 if ( !op->out.local_sid ) {
481 hnd->status = NT_STATUS_NO_MEMORY;
482 result = CAC_FAILURE;
486 op->out.local_sid->domain = dom_name;
488 sid_copy( &op->out.local_sid->sid, local_sid );
489 TALLOC_FREE( local_sid );
494 if ( ( op->in.info_class & CAC_DOMAIN_INFO ) == CAC_DOMAIN_INFO ) {
499 rpccli_lsa_query_info_policy( pipe_hnd, mem_ctx,
504 if ( !NT_STATUS_IS_OK( hnd->status ) ) {
505 /*if we succeeded above, report partial success */
506 result = CAC_FAILURE;
508 } else if ( result == CAC_FAILURE ) {
509 /*if we failed above but succeded here then report partial success */
510 result = CAC_PARTIAL_SUCCESS;
513 op->out.domain_sid = talloc( mem_ctx, CacSidInfo );
514 if ( !op->out.domain_sid ) {
515 hnd->status = NT_STATUS_NO_MEMORY;
516 result = CAC_FAILURE;
520 op->out.domain_sid->domain = dom_name;
521 sid_copy( &op->out.domain_sid->sid, domain_sid );
522 TALLOC_FREE( domain_sid );
529 int cac_LsaQueryInfoPolicy( CacServerHandle * hnd, TALLOC_CTX * mem_ctx,
530 struct LsaQueryInfoPolicy *op )
532 struct rpc_pipe_client *pipe_hnd = NULL;
534 char *domain_name = NULL;
535 char *dns_name = NULL;
536 char *forest_name = NULL;
537 struct GUID *domain_guid = NULL;
538 DOM_SID *domain_sid = NULL;
543 if ( !hnd->_internal.ctx || !hnd->_internal.pipes[PI_LSARPC] ) {
544 hnd->status = NT_STATUS_INVALID_HANDLE;
548 if ( !op || !op->in.pol ) {
549 hnd->status = NT_STATUS_INVALID_PARAMETER;
553 pipe_hnd = cac_GetPipe( hnd, PI_LSARPC );
555 hnd->status = NT_STATUS_INVALID_HANDLE;
559 /*only works if info_class parm is 12 */
561 rpccli_lsa_query_info_policy2( pipe_hnd, mem_ctx, op->in.pol,
562 12, &domain_name, &dns_name,
563 &forest_name, &domain_guid,
566 if ( !NT_STATUS_IS_OK( hnd->status ) ) {
570 op->out.domain_name = domain_name;
571 op->out.dns_name = dns_name;
572 op->out.forest_name = forest_name;
573 op->out.domain_guid = domain_guid;
574 op->out.domain_sid = domain_sid;
579 int cac_LsaEnumSids( CacServerHandle * hnd, TALLOC_CTX * mem_ctx,
580 struct LsaEnumSids *op )
582 struct rpc_pipe_client *pipe_hnd = NULL;
590 if ( !hnd->_internal.ctx || !hnd->_internal.pipes[PI_LSARPC] ) {
591 hnd->status = NT_STATUS_INVALID_HANDLE;
595 if ( !op || !op->in.pol ) {
596 hnd->status = NT_STATUS_INVALID_PARAMETER;
600 pipe_hnd = cac_GetPipe( hnd, PI_LSARPC );
602 hnd->status = NT_STATUS_INVALID_HANDLE;
607 rpccli_lsa_enum_sids( pipe_hnd, mem_ctx, op->in.pol,
608 &( op->out.resume_idx ),
609 op->in.pref_max_sids, &num_sids,
612 if ( !NT_STATUS_IS_OK( hnd->status ) ) {
616 op->out.num_sids = num_sids;
623 int cac_LsaEnumAccountRights( CacServerHandle * hnd, TALLOC_CTX * mem_ctx,
624 struct LsaEnumAccountRights *op )
626 struct rpc_pipe_client *pipe_hnd = NULL;
634 if ( !hnd->_internal.ctx || !hnd->_internal.pipes[PI_LSARPC] ) {
635 hnd->status = NT_STATUS_INVALID_HANDLE;
640 hnd->status = NT_STATUS_INVALID_PARAMETER;
644 if ( !op->in.name && !op->in.sid ) {
645 hnd->status = NT_STATUS_INVALID_PARAMETER;
649 pipe_hnd = cac_GetPipe( hnd, PI_LSARPC );
651 hnd->status = NT_STATUS_INVALID_HANDLE;
655 if ( op->in.name && !op->in.sid ) {
656 DOM_SID *user_sid = NULL;
657 enum lsa_SidType *type;
661 rpccli_lsa_lookup_names( pipe_hnd, mem_ctx,
663 ( const char ** ) &( op->in.
665 NULL, 1, &user_sid, &type );
667 if ( !NT_STATUS_IS_OK( hnd->status ) )
670 op->in.sid = user_sid;
674 rpccli_lsa_enum_account_rights( pipe_hnd, mem_ctx, op->in.pol,
675 op->in.sid, &count, &privs );
677 if ( !NT_STATUS_IS_OK( hnd->status ) ) {
681 op->out.num_privs = count;
682 op->out.priv_names = privs;
687 int cac_LsaEnumTrustedDomains( CacServerHandle * hnd, TALLOC_CTX * mem_ctx,
688 struct LsaEnumTrustedDomains *op )
690 struct rpc_pipe_client *pipe_hnd;
694 DOM_SID *domain_sids;
699 if ( !hnd->_internal.ctx || !hnd->_internal.pipes[PI_LSARPC] ) {
700 hnd->status = NT_STATUS_INVALID_HANDLE;
705 hnd->status = NT_STATUS_INVALID_PARAMETER;
709 pipe_hnd = cac_GetPipe( hnd, PI_LSARPC );
711 hnd->status = NT_STATUS_INVALID_HANDLE;
716 rpccli_lsa_enum_trust_dom( pipe_hnd, mem_ctx, op->in.pol,
717 &( op->out.resume_idx ),
718 &num_domains, &domain_names,
721 if ( !NT_STATUS_IS_OK( hnd->status ) ) {
725 op->out.num_domains = num_domains;
726 op->out.domain_names = domain_names;
727 op->out.domain_sids = domain_sids;
732 int cac_LsaOpenTrustedDomain( CacServerHandle * hnd, TALLOC_CTX * mem_ctx,
733 struct LsaOpenTrustedDomain *op )
735 struct rpc_pipe_client *pipe_hnd = NULL;
737 POLICY_HND *dom_pol = NULL;
742 if ( !hnd->_internal.ctx || !hnd->_internal.pipes[PI_LSARPC] ) {
743 hnd->status = NT_STATUS_INVALID_HANDLE;
747 if ( !op->in.pol || !op->in.access || !op->in.domain_sid ) {
748 hnd->status = NT_STATUS_INVALID_PARAMETER;
752 pipe_hnd = cac_GetPipe( hnd, PI_LSARPC );
754 hnd->status = NT_STATUS_INVALID_HANDLE;
758 dom_pol = talloc( mem_ctx, POLICY_HND );
760 hnd->status = NT_STATUS_NO_MEMORY;
766 rpccli_lsa_open_trusted_domain( pipe_hnd, mem_ctx, op->in.pol,
768 op->in.access, dom_pol );
770 if ( !NT_STATUS_IS_OK( hnd->status ) ) {
774 op->out.domain_pol = dom_pol;
779 int cac_LsaQueryTrustedDomainInfo( CacServerHandle * hnd,
780 TALLOC_CTX * mem_ctx,
781 struct LsaQueryTrustedDomainInfo *op )
783 struct rpc_pipe_client *pipe_hnd = NULL;
785 LSA_TRUSTED_DOMAIN_INFO *dom_info;
790 if ( !hnd->_internal.ctx || !hnd->_internal.pipes[PI_LSARPC] ) {
791 hnd->status = NT_STATUS_INVALID_HANDLE;
795 if ( !op->in.pol || !op->in.info_class ) {
796 hnd->status = NT_STATUS_INVALID_PARAMETER;
800 if ( !op->in.domain_sid && !op->in.domain_name ) {
801 hnd->status = NT_STATUS_INVALID_PARAMETER;
805 pipe_hnd = cac_GetPipe( hnd, PI_LSARPC );
807 hnd->status = NT_STATUS_INVALID_HANDLE;
811 if ( op->in.domain_sid ) {
813 rpccli_lsa_query_trusted_domain_info_by_sid( pipe_hnd,
822 } else if ( op->in.domain_name ) {
824 rpccli_lsa_query_trusted_domain_info_by_name
825 ( pipe_hnd, mem_ctx, op->in.pol, op->in.info_class,
826 op->in.domain_name, &dom_info );
829 if ( !NT_STATUS_IS_OK( hnd->status ) ) {
833 op->out.info = dom_info;
839 int cac_LsaEnumPrivileges( CacServerHandle * hnd, TALLOC_CTX * mem_ctx,
840 struct LsaEnumPrivileges *op )
842 struct rpc_pipe_client *pipe_hnd = NULL;
853 if ( !hnd->_internal.ctx || !hnd->_internal.pipes[PI_LSARPC] ) {
854 hnd->status = NT_STATUS_INVALID_HANDLE;
858 if ( !op || !op->in.pol ) {
859 hnd->status = NT_STATUS_INVALID_PARAMETER;
863 pipe_hnd = cac_GetPipe( hnd, PI_LSARPC );
865 hnd->status = NT_STATUS_INVALID_HANDLE;
870 rpccli_lsa_enum_privilege( pipe_hnd, mem_ctx, op->in.pol,
871 &( op->out.resume_idx ),
872 op->in.pref_max_privs, &num_privs,
873 &priv_names, &high_bits,
876 if ( !NT_STATUS_IS_OK( hnd->status ) ) {
880 op->out.num_privs = num_privs;
881 op->out.priv_names = priv_names;
882 op->out.high_bits = high_bits;
883 op->out.low_bits = low_bits;
888 int cac_LsaOpenAccount( CacServerHandle * hnd, TALLOC_CTX * mem_ctx,
889 struct LsaOpenAccount *op )
891 struct rpc_pipe_client *pipe_hnd = NULL;
893 POLICY_HND *user_pol = NULL;
899 if ( !hnd->_internal.ctx || !hnd->_internal.pipes[PI_LSARPC] ) {
900 hnd->status = NT_STATUS_INVALID_HANDLE;
904 if ( !op || !op->in.pol ) {
905 hnd->status = NT_STATUS_INVALID_PARAMETER;
909 if ( !op->in.sid && !op->in.name ) {
910 hnd->status = NT_STATUS_INVALID_PARAMETER;
914 pipe_hnd = cac_GetPipe( hnd, PI_LSARPC );
916 hnd->status = NT_STATUS_INVALID_HANDLE;
920 /*look up the user's SID if we have to */
921 if ( op->in.name && !op->in.sid ) {
922 DOM_SID *user_sid = NULL;
923 enum lsa_SidType *type;
927 rpccli_lsa_lookup_names( pipe_hnd, mem_ctx,
929 ( const char ** ) &( op->in.
931 NULL, 1, &user_sid, &type );
933 if ( !NT_STATUS_IS_OK( hnd->status ) )
936 op->in.sid = user_sid;
939 user_pol = talloc( mem_ctx, POLICY_HND );
941 hnd->status = NT_STATUS_NO_MEMORY;
946 rpccli_lsa_open_account( pipe_hnd, mem_ctx, op->in.pol,
947 op->in.sid, op->in.access,
950 if ( !NT_STATUS_IS_OK( hnd->status ) ) {
951 TALLOC_FREE( user_pol );
955 op->out.user = user_pol;
961 int cac_LsaAddPrivileges( CacServerHandle * hnd, TALLOC_CTX * mem_ctx,
962 struct LsaAddPrivileges *op )
964 struct rpc_pipe_client *pipe_hnd = NULL;
966 DOM_SID *user_sid = NULL;
967 enum lsa_SidType *type = NULL;
973 if ( !hnd->_internal.ctx || !hnd->_internal.pipes[PI_LSARPC] ) {
974 hnd->status = NT_STATUS_INVALID_HANDLE;
978 if ( !op || !op->in.pol || !op->in.priv_names ) {
979 hnd->status = NT_STATUS_INVALID_PARAMETER;
983 if ( !op->in.sid && !op->in.name ) {
984 hnd->status = NT_STATUS_INVALID_PARAMETER;
988 pipe_hnd = cac_GetPipe( hnd, PI_LSARPC );
990 hnd->status = NT_STATUS_INVALID_HANDLE;
994 if ( op->in.name && !op->in.sid ) {
997 rpccli_lsa_lookup_names( pipe_hnd, mem_ctx,
999 ( const char ** ) &( op->in.
1001 NULL, 1, &user_sid, &type );
1003 if ( !NT_STATUS_IS_OK( hnd->status ) )
1006 op->in.sid = user_sid;
1010 rpccli_lsa_add_account_rights( pipe_hnd, mem_ctx, op->in.pol,
1013 ( const char ** ) op->in.
1016 if ( !NT_STATUS_IS_OK( hnd->status ) ) {
1023 int cac_LsaRemovePrivileges( CacServerHandle * hnd, TALLOC_CTX * mem_ctx,
1024 struct LsaRemovePrivileges *op )
1026 struct rpc_pipe_client *pipe_hnd = NULL;
1028 DOM_SID *user_sid = NULL;
1029 enum lsa_SidType *type = NULL;
1035 if ( !hnd->_internal.ctx || !hnd->_internal.pipes[PI_LSARPC] ) {
1036 hnd->status = NT_STATUS_INVALID_HANDLE;
1040 if ( !op || !op->in.pol || !op->in.priv_names ) {
1041 hnd->status = NT_STATUS_INVALID_PARAMETER;
1045 if ( !op->in.sid && !op->in.name ) {
1046 hnd->status = NT_STATUS_INVALID_PARAMETER;
1050 pipe_hnd = cac_GetPipe( hnd, PI_LSARPC );
1052 hnd->status = NT_STATUS_INVALID_HANDLE;
1056 if ( op->in.name && !op->in.sid ) {
1059 rpccli_lsa_lookup_names( pipe_hnd, mem_ctx,
1061 ( const char ** ) &( op->in.
1063 NULL, 1, &user_sid, &type );
1065 if ( !NT_STATUS_IS_OK( hnd->status ) )
1068 op->in.sid = user_sid;
1072 rpccli_lsa_remove_account_rights( pipe_hnd, mem_ctx,
1073 op->in.pol, *( op->in.sid ),
1074 False, op->in.num_privs,
1075 ( const char ** ) op->in.
1078 if ( !NT_STATUS_IS_OK( hnd->status ) ) {
1085 int cac_LsaClearPrivileges( CacServerHandle * hnd, TALLOC_CTX * mem_ctx,
1086 struct LsaClearPrivileges *op )
1088 struct rpc_pipe_client *pipe_hnd = NULL;
1090 DOM_SID *user_sid = NULL;
1091 enum lsa_SidType *type = NULL;
1097 if ( !hnd->_internal.ctx || !hnd->_internal.pipes[PI_LSARPC] ) {
1098 hnd->status = NT_STATUS_INVALID_HANDLE;
1102 if ( !op || !op->in.pol ) {
1103 hnd->status = NT_STATUS_INVALID_PARAMETER;
1107 if ( !op->in.sid && !op->in.name ) {
1108 hnd->status = NT_STATUS_INVALID_PARAMETER;
1112 pipe_hnd = cac_GetPipe( hnd, PI_LSARPC );
1114 hnd->status = NT_STATUS_INVALID_HANDLE;
1118 if ( op->in.name && !op->in.sid ) {
1121 rpccli_lsa_lookup_names( pipe_hnd, mem_ctx,
1123 ( const char ** ) &( op->in.
1125 NULL, 1, &user_sid, &type );
1127 if ( !NT_STATUS_IS_OK( hnd->status ) )
1130 op->in.sid = user_sid;
1134 rpccli_lsa_remove_account_rights( pipe_hnd, mem_ctx,
1135 op->in.pol, *( op->in.sid ),
1138 if ( !NT_STATUS_IS_OK( hnd->status ) ) {
1145 int cac_LsaSetPrivileges( CacServerHandle * hnd, TALLOC_CTX * mem_ctx,
1146 struct LsaAddPrivileges *op )
1148 struct rpc_pipe_client *pipe_hnd = NULL;
1150 DOM_SID *user_sid = NULL;
1151 enum lsa_SidType *type = NULL;
1157 if ( !hnd->_internal.ctx || !hnd->_internal.pipes[PI_LSARPC] ) {
1158 hnd->status = NT_STATUS_INVALID_HANDLE;
1162 if ( !op || !op->in.pol || !op->in.priv_names ) {
1163 hnd->status = NT_STATUS_INVALID_PARAMETER;
1167 if ( !op->in.sid && !op->in.name ) {
1168 hnd->status = NT_STATUS_INVALID_PARAMETER;
1172 pipe_hnd = cac_GetPipe( hnd, PI_LSARPC );
1177 if ( op->in.name && !op->in.sid ) {
1180 rpccli_lsa_lookup_names( pipe_hnd, mem_ctx,
1182 ( const char ** ) &( op->in.
1184 NULL, 1, &user_sid, &type );
1186 if ( !NT_STATUS_IS_OK( hnd->status ) )
1189 op->in.sid = user_sid;
1192 /*first remove all privileges */
1194 rpccli_lsa_remove_account_rights( pipe_hnd, mem_ctx,
1195 op->in.pol, *( op->in.sid ),
1198 if ( !NT_STATUS_IS_OK( hnd->status ) ) {
1203 rpccli_lsa_add_account_rights( pipe_hnd, mem_ctx, op->in.pol,
1206 ( const char ** ) op->in.
1209 if ( !NT_STATUS_IS_OK( hnd->status ) ) {
1216 int cac_LsaGetSecurityObject( CacServerHandle * hnd, TALLOC_CTX * mem_ctx,
1217 struct LsaGetSecurityObject *op )
1219 struct rpc_pipe_client *pipe_hnd = NULL;
1221 /*this is taken from rpcclient/cmd_lsarpc.c */
1222 uint16 info_level = 4;
1224 SEC_DESC_BUF *sec_out = NULL;
1230 if ( !hnd->_internal.ctx || !hnd->_internal.pipes[PI_LSARPC] ) {
1231 hnd->status = NT_STATUS_INVALID_HANDLE;
1235 if ( !op || !op->in.pol ) {
1236 hnd->status = NT_STATUS_INVALID_PARAMETER;
1240 pipe_hnd = cac_GetPipe( hnd, PI_LSARPC );
1242 hnd->status = NT_STATUS_INVALID_HANDLE;
1247 rpccli_lsa_query_secobj( pipe_hnd, mem_ctx, op->in.pol,
1248 info_level, &sec_out );
1250 if ( !NT_STATUS_IS_OK( hnd->status ) )
1253 op->out.sec = sec_out;