2 Unix SMB/CIFS implementation.
4 Copyright (C) Tim Potter 2000-2001,
5 Copyright (C) Andrew Tridgell 1992-1997,2000,
6 Copyright (C) Rafal Szczesniak 2002
7 Copyright (C) Jeremy Allison 2005.
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 2 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
26 /** @defgroup lsa LSA - Local Security Architecture
35 * RPC client routines for the LSA RPC pipe. LSA means "local
36 * security authority", which is half of a password database.
39 /** Open a LSA policy handle
41 * @param cli Handle on an initialised SMB connection */
43 NTSTATUS rpccli_lsa_open_policy(struct rpc_pipe_client *cli,
45 BOOL sec_qos, uint32 des_access,
48 prs_struct qbuf, rbuf;
57 /* Initialise input parameters */
60 init_lsa_sec_qos(&qos, 2, 1, 0);
61 init_q_open_pol(&q, '\\', 0, des_access, &qos);
63 init_q_open_pol(&q, '\\', 0, des_access, NULL);
66 /* Marshall data and send request */
68 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_OPENPOLICY,
73 NT_STATUS_UNSUCCESSFUL );
75 /* Return output parameters */
79 if (NT_STATUS_IS_OK(result)) {
86 /** Open a LSA policy handle
88 * @param cli Handle on an initialised SMB connection
91 NTSTATUS rpccli_lsa_open_policy2(struct rpc_pipe_client *cli,
92 TALLOC_CTX *mem_ctx, BOOL sec_qos,
93 uint32 des_access, POLICY_HND *pol)
95 prs_struct qbuf, rbuf;
100 char *srv_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", cli->cli->desthost);
106 init_lsa_sec_qos(&qos, 2, 1, 0);
107 init_q_open_pol2(&q, srv_name_slash, 0, des_access, &qos);
109 init_q_open_pol2(&q, srv_name_slash, 0, des_access, NULL);
112 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_OPENPOLICY2,
117 NT_STATUS_UNSUCCESSFUL );
119 /* Return output parameters */
123 if (NT_STATUS_IS_OK(result)) {
130 /** Lookup a list of sids */
132 NTSTATUS rpccli_lsa_lookup_sids(struct rpc_pipe_client *cli,
134 POLICY_HND *pol, int num_sids,
138 enum lsa_SidType **types)
140 prs_struct qbuf, rbuf;
144 LSA_TRANS_NAME_ENUM t_names;
145 NTSTATUS result = NT_STATUS_OK;
151 init_q_lookup_sids(mem_ctx, &q, pol, num_sids, sids, 1);
154 ZERO_STRUCT(t_names);
159 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_LOOKUPSIDS,
162 lsa_io_q_lookup_sids,
163 lsa_io_r_lookup_sids,
164 NT_STATUS_UNSUCCESSFUL );
166 if (!NT_STATUS_IS_OK(r.status) &&
167 NT_STATUS_V(r.status) != NT_STATUS_V(STATUS_SOME_UNMAPPED)) {
169 /* An actual error occured */
175 /* Return output parameters */
177 if (r.mapped_count == 0) {
178 result = NT_STATUS_NONE_MAPPED;
182 if (!((*domains) = TALLOC_ARRAY(mem_ctx, char *, num_sids))) {
183 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
184 result = NT_STATUS_NO_MEMORY;
188 if (!((*names) = TALLOC_ARRAY(mem_ctx, char *, num_sids))) {
189 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
190 result = NT_STATUS_NO_MEMORY;
194 if (!((*types) = TALLOC_ARRAY(mem_ctx, enum lsa_SidType, num_sids))) {
195 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
196 result = NT_STATUS_NO_MEMORY;
200 for (i = 0; i < num_sids; i++) {
201 fstring name, dom_name;
202 uint32 dom_idx = t_names.name[i].domain_idx;
204 /* Translate optimised name through domain index array */
206 if (dom_idx != 0xffffffff) {
208 rpcstr_pull_unistr2_fstring(
209 dom_name, &ref.ref_dom[dom_idx].uni_dom_name);
210 rpcstr_pull_unistr2_fstring(
211 name, &t_names.uni_name[i]);
213 (*names)[i] = talloc_strdup(mem_ctx, name);
214 (*domains)[i] = talloc_strdup(mem_ctx, dom_name);
215 (*types)[i] = (enum lsa_SidType)t_names.name[i].sid_name_use;
217 if (((*names)[i] == NULL) || ((*domains)[i] == NULL)) {
218 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
219 result = NT_STATUS_UNSUCCESSFUL;
225 (*domains)[i] = NULL;
226 (*types)[i] = SID_NAME_UNKNOWN;
235 /** Lookup a list of names */
237 NTSTATUS rpccli_lsa_lookup_names(struct rpc_pipe_client *cli,
239 POLICY_HND *pol, int num_names,
241 const char ***dom_names,
243 enum lsa_SidType **types)
245 prs_struct qbuf, rbuf;
246 LSA_Q_LOOKUP_NAMES q;
247 LSA_R_LOOKUP_NAMES r;
258 init_q_lookup_names(mem_ctx, &q, pol, num_names, names);
260 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_LOOKUPNAMES,
263 lsa_io_q_lookup_names,
264 lsa_io_r_lookup_names,
265 NT_STATUS_UNSUCCESSFUL);
269 if (!NT_STATUS_IS_OK(result) && NT_STATUS_V(result) !=
270 NT_STATUS_V(STATUS_SOME_UNMAPPED)) {
272 /* An actual error occured */
277 /* Return output parameters */
279 if (r.mapped_count == 0) {
280 result = NT_STATUS_NONE_MAPPED;
284 if (!((*sids = TALLOC_ARRAY(mem_ctx, DOM_SID, num_names)))) {
285 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
286 result = NT_STATUS_NO_MEMORY;
290 if (!((*types = TALLOC_ARRAY(mem_ctx, enum lsa_SidType, num_names)))) {
291 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
292 result = NT_STATUS_NO_MEMORY;
296 if (dom_names != NULL) {
297 *dom_names = TALLOC_ARRAY(mem_ctx, const char *, num_names);
298 if (*dom_names == NULL) {
299 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
300 result = NT_STATUS_NO_MEMORY;
305 for (i = 0; i < num_names; i++) {
306 DOM_RID *t_rids = r.dom_rid;
307 uint32 dom_idx = t_rids[i].rid_idx;
308 uint32 dom_rid = t_rids[i].rid;
309 DOM_SID *sid = &(*sids)[i];
311 /* Translate optimised sid through domain index array */
313 if (dom_idx == 0xffffffff) {
314 /* Nothing to do, this is unknown */
316 (*types)[i] = SID_NAME_UNKNOWN;
320 sid_copy(sid, &ref.ref_dom[dom_idx].ref_dom.sid);
322 if (dom_rid != 0xffffffff) {
323 sid_append_rid(sid, dom_rid);
326 (*types)[i] = (enum lsa_SidType)t_rids[i].type;
328 if (dom_names == NULL) {
332 (*dom_names)[i] = rpcstr_pull_unistr2_talloc(
333 *dom_names, &ref.ref_dom[dom_idx].uni_dom_name);
341 NTSTATUS rpccli_lsa_query_info_policy_new(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
342 POLICY_HND *pol, uint16 info_class,
345 prs_struct qbuf, rbuf;
353 init_q_query(&q, pol, info_class);
355 CLI_DO_RPC(cli, mem_ctx, PI_LSARPC, LSA_QUERYINFOPOLICY,
360 NT_STATUS_UNSUCCESSFUL);
364 if (!NT_STATUS_IS_OK(result)) {
375 NTSTATUS rpccli_lsa_query_info_policy2_new(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
376 POLICY_HND *pol, uint16 info_class,
379 prs_struct qbuf, rbuf;
387 init_q_query2(&q, pol, info_class);
389 CLI_DO_RPC(cli, mem_ctx, PI_LSARPC, LSA_QUERYINFO2,
392 lsa_io_q_query_info2,
393 lsa_io_r_query_info2,
394 NT_STATUS_UNSUCCESSFUL);
398 if (!NT_STATUS_IS_OK(result)) {
411 /** Query info policy
413 * @param domain_sid - returned remote server's domain sid */
415 NTSTATUS rpccli_lsa_query_info_policy(struct rpc_pipe_client *cli,
417 POLICY_HND *pol, uint16 info_class,
418 char **domain_name, DOM_SID **domain_sid)
420 prs_struct qbuf, rbuf;
428 init_q_query(&q, pol, info_class);
430 CLI_DO_RPC(cli, mem_ctx, PI_LSARPC, LSA_QUERYINFOPOLICY,
435 NT_STATUS_UNSUCCESSFUL);
439 if (!NT_STATUS_IS_OK(result)) {
443 /* Return output parameters */
445 switch (info_class) {
448 if (domain_name && (r.ctr.info.id3.buffer_dom_name != 0)) {
449 *domain_name = unistr2_tdup(mem_ctx,
453 return NT_STATUS_NO_MEMORY;
457 if (domain_sid && (r.ctr.info.id3.buffer_dom_sid != 0)) {
458 *domain_sid = TALLOC_P(mem_ctx, DOM_SID);
460 return NT_STATUS_NO_MEMORY;
462 sid_copy(*domain_sid, &r.ctr.info.id3.dom_sid.sid);
469 if (domain_name && (r.ctr.info.id5.buffer_dom_name != 0)) {
470 *domain_name = unistr2_tdup(mem_ctx,
474 return NT_STATUS_NO_MEMORY;
478 if (domain_sid && (r.ctr.info.id5.buffer_dom_sid != 0)) {
479 *domain_sid = TALLOC_P(mem_ctx, DOM_SID);
481 return NT_STATUS_NO_MEMORY;
483 sid_copy(*domain_sid, &r.ctr.info.id5.dom_sid.sid);
488 DEBUG(3, ("unknown info class %d\n", info_class));
497 /** Query info policy2
499 * @param domain_name - returned remote server's domain name
500 * @param dns_name - returned remote server's dns domain name
501 * @param forest_name - returned remote server's forest name
502 * @param domain_guid - returned remote server's domain guid
503 * @param domain_sid - returned remote server's domain sid */
505 NTSTATUS rpccli_lsa_query_info_policy2(struct rpc_pipe_client *cli,
507 POLICY_HND *pol, uint16 info_class,
508 char **domain_name, char **dns_name,
510 struct GUID **domain_guid,
511 DOM_SID **domain_sid)
513 prs_struct qbuf, rbuf;
516 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
518 if (info_class != 12)
524 init_q_query2(&q, pol, info_class);
526 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_QUERYINFO2,
529 lsa_io_q_query_info2,
530 lsa_io_r_query_info2,
531 NT_STATUS_UNSUCCESSFUL);
535 if (!NT_STATUS_IS_OK(result)) {
539 /* Return output parameters */
541 ZERO_STRUCTP(domain_guid);
543 if (domain_name && r.ctr.info.id12.hdr_nb_dom_name.buffer) {
544 *domain_name = unistr2_tdup(mem_ctx,
548 return NT_STATUS_NO_MEMORY;
551 if (dns_name && r.ctr.info.id12.hdr_dns_dom_name.buffer) {
552 *dns_name = unistr2_tdup(mem_ctx,
556 return NT_STATUS_NO_MEMORY;
559 if (forest_name && r.ctr.info.id12.hdr_forest_name.buffer) {
560 *forest_name = unistr2_tdup(mem_ctx,
564 return NT_STATUS_NO_MEMORY;
569 *domain_guid = TALLOC_P(mem_ctx, struct GUID);
571 return NT_STATUS_NO_MEMORY;
574 &r.ctr.info.id12.dom_guid,
575 sizeof(struct GUID));
578 if (domain_sid && r.ctr.info.id12.ptr_dom_sid != 0) {
579 *domain_sid = TALLOC_P(mem_ctx, DOM_SID);
581 return NT_STATUS_NO_MEMORY;
583 sid_copy(*domain_sid,
584 &r.ctr.info.id12.dom_sid.sid);
592 NTSTATUS rpccli_lsa_set_info_policy(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
593 POLICY_HND *pol, uint16 info_class,
596 prs_struct qbuf, rbuf;
604 init_q_set(&q, pol, info_class, ctr);
606 CLI_DO_RPC(cli, mem_ctx, PI_LSARPC, LSA_SETINFOPOLICY,
611 NT_STATUS_UNSUCCESSFUL);
615 if (!NT_STATUS_IS_OK(result)) {
619 /* Return output parameters */
628 * Enumerate list of trusted domains
630 * @param cli client state (cli_state) structure of the connection
631 * @param mem_ctx memory context
632 * @param pol opened lsa policy handle
633 * @param enum_ctx enumeration context ie. index of first returned domain entry
634 * @param pref_num_domains preferred max number of entries returned in one response
635 * @param num_domains total number of trusted domains returned by response
636 * @param domain_names returned trusted domain names
637 * @param domain_sids returned trusted domain sids
639 * @return nt status code of response
642 NTSTATUS rpccli_lsa_enum_trust_dom(struct rpc_pipe_client *cli,
644 POLICY_HND *pol, uint32 *enum_ctx,
646 char ***domain_names, DOM_SID **domain_sids)
648 prs_struct qbuf, rbuf;
649 LSA_Q_ENUM_TRUST_DOM in;
650 LSA_R_ENUM_TRUST_DOM out;
657 /* 64k is enough for about 2000 trusted domains */
659 init_q_enum_trust_dom(&in, pol, *enum_ctx, 0x10000);
661 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_ENUMTRUSTDOM,
664 lsa_io_q_enum_trust_dom,
665 lsa_io_r_enum_trust_dom,
666 NT_STATUS_UNSUCCESSFUL );
669 /* check for an actual error */
671 if ( !NT_STATUS_IS_OK(out.status)
672 && !NT_STATUS_EQUAL(out.status, NT_STATUS_NO_MORE_ENTRIES)
673 && !NT_STATUS_EQUAL(out.status, STATUS_MORE_ENTRIES) )
678 /* Return output parameters */
680 *num_domains = out.count;
681 *enum_ctx = out.enum_context;
685 /* Allocate memory for trusted domain names and sids */
687 if ( !(*domain_names = TALLOC_ARRAY(mem_ctx, char *, out.count)) ) {
688 DEBUG(0, ("cli_lsa_enum_trust_dom(): out of memory\n"));
689 return NT_STATUS_NO_MEMORY;
692 if ( !(*domain_sids = TALLOC_ARRAY(mem_ctx, DOM_SID, out.count)) ) {
693 DEBUG(0, ("cli_lsa_enum_trust_dom(): out of memory\n"));
694 return NT_STATUS_NO_MEMORY;
697 /* Copy across names and sids */
699 for (i = 0; i < out.count; i++) {
701 rpcstr_pull( tmp, out.domlist->domains[i].name.string->buffer,
702 sizeof(tmp), out.domlist->domains[i].name.length, 0);
703 (*domain_names)[i] = talloc_strdup(mem_ctx, tmp);
705 sid_copy(&(*domain_sids)[i], &out.domlist->domains[i].sid->sid );
712 /** Enumerate privileges*/
714 NTSTATUS rpccli_lsa_enum_privilege(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
715 POLICY_HND *pol, uint32 *enum_context, uint32 pref_max_length,
716 uint32 *count, char ***privs_name, uint32 **privs_high, uint32 **privs_low)
718 prs_struct qbuf, rbuf;
727 init_q_enum_privs(&q, pol, *enum_context, pref_max_length);
729 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_ENUM_PRIVS,
734 NT_STATUS_UNSUCCESSFUL);
738 if (!NT_STATUS_IS_OK(result)) {
742 /* Return output parameters */
744 *enum_context = r.enum_context;
747 if (!((*privs_name = TALLOC_ARRAY(mem_ctx, char *, r.count)))) {
748 DEBUG(0, ("(cli_lsa_enum_privilege): out of memory\n"));
749 result = NT_STATUS_UNSUCCESSFUL;
753 if (!((*privs_high = TALLOC_ARRAY(mem_ctx, uint32, r.count)))) {
754 DEBUG(0, ("(cli_lsa_enum_privilege): out of memory\n"));
755 result = NT_STATUS_UNSUCCESSFUL;
759 if (!((*privs_low = TALLOC_ARRAY(mem_ctx, uint32, r.count)))) {
760 DEBUG(0, ("(cli_lsa_enum_privilege): out of memory\n"));
761 result = NT_STATUS_UNSUCCESSFUL;
765 for (i = 0; i < r.count; i++) {
768 rpcstr_pull_unistr2_fstring( name, &r.privs[i].name);
770 (*privs_name)[i] = talloc_strdup(mem_ctx, name);
772 (*privs_high)[i] = r.privs[i].luid_high;
773 (*privs_low)[i] = r.privs[i].luid_low;
781 /** Get privilege name */
783 NTSTATUS rpccli_lsa_get_dispname(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
784 POLICY_HND *pol, const char *name,
785 uint16 lang_id, uint16 lang_id_sys,
786 fstring description, uint16 *lang_id_desc)
788 prs_struct qbuf, rbuf;
789 LSA_Q_PRIV_GET_DISPNAME q;
790 LSA_R_PRIV_GET_DISPNAME r;
796 init_lsa_priv_get_dispname(&q, pol, name, lang_id, lang_id_sys);
798 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_PRIV_GET_DISPNAME,
801 lsa_io_q_priv_get_dispname,
802 lsa_io_r_priv_get_dispname,
803 NT_STATUS_UNSUCCESSFUL);
807 if (!NT_STATUS_IS_OK(result)) {
811 /* Return output parameters */
813 rpcstr_pull_unistr2_fstring(description , &r.desc);
814 *lang_id_desc = r.lang_id;
821 /** Enumerate list of SIDs */
823 NTSTATUS rpccli_lsa_enum_sids(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
824 POLICY_HND *pol, uint32 *enum_ctx, uint32 pref_max_length,
825 uint32 *num_sids, DOM_SID **sids)
827 prs_struct qbuf, rbuf;
828 LSA_Q_ENUM_ACCOUNTS q;
829 LSA_R_ENUM_ACCOUNTS r;
836 init_lsa_q_enum_accounts(&q, pol, *enum_ctx, pref_max_length);
838 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_ENUM_ACCOUNTS,
841 lsa_io_q_enum_accounts,
842 lsa_io_r_enum_accounts,
843 NT_STATUS_UNSUCCESSFUL);
847 if (!NT_STATUS_IS_OK(result)) {
851 if (r.sids.num_entries==0)
854 /* Return output parameters */
856 *sids = TALLOC_ARRAY(mem_ctx, DOM_SID, r.sids.num_entries);
858 DEBUG(0, ("(cli_lsa_enum_sids): out of memory\n"));
859 result = NT_STATUS_UNSUCCESSFUL;
863 /* Copy across names and sids */
865 for (i = 0; i < r.sids.num_entries; i++) {
866 sid_copy(&(*sids)[i], &r.sids.sid[i].sid);
869 *num_sids= r.sids.num_entries;
870 *enum_ctx = r.enum_context;
877 /** Create a LSA user handle
879 * @param cli Handle on an initialised SMB connection
881 * FIXME: The code is actually identical to open account
882 * TODO: Check and code what the function should exactly do
886 NTSTATUS rpccli_lsa_create_account(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
887 POLICY_HND *dom_pol, DOM_SID *sid, uint32 desired_access,
888 POLICY_HND *user_pol)
890 prs_struct qbuf, rbuf;
891 LSA_Q_CREATEACCOUNT q;
892 LSA_R_CREATEACCOUNT r;
898 /* Initialise input parameters */
900 init_lsa_q_create_account(&q, dom_pol, sid, desired_access);
902 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_CREATEACCOUNT,
905 lsa_io_q_create_account,
906 lsa_io_r_create_account,
907 NT_STATUS_UNSUCCESSFUL);
909 /* Return output parameters */
913 if (NT_STATUS_IS_OK(result)) {
920 /** Open a LSA user handle
922 * @param cli Handle on an initialised SMB connection */
924 NTSTATUS rpccli_lsa_open_account(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
925 POLICY_HND *dom_pol, DOM_SID *sid, uint32 des_access,
926 POLICY_HND *user_pol)
928 prs_struct qbuf, rbuf;
936 /* Initialise input parameters */
938 init_lsa_q_open_account(&q, dom_pol, sid, des_access);
940 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_OPENACCOUNT,
943 lsa_io_q_open_account,
944 lsa_io_r_open_account,
945 NT_STATUS_UNSUCCESSFUL);
947 /* Return output parameters */
951 if (NT_STATUS_IS_OK(result)) {
958 /** Enumerate user privileges
960 * @param cli Handle on an initialised SMB connection */
962 NTSTATUS rpccli_lsa_enum_privsaccount(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
963 POLICY_HND *pol, uint32 *count, LUID_ATTR **set)
965 prs_struct qbuf, rbuf;
966 LSA_Q_ENUMPRIVSACCOUNT q;
967 LSA_R_ENUMPRIVSACCOUNT r;
974 /* Initialise input parameters */
976 init_lsa_q_enum_privsaccount(&q, pol);
978 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_ENUMPRIVSACCOUNT,
981 lsa_io_q_enum_privsaccount,
982 lsa_io_r_enum_privsaccount,
983 NT_STATUS_UNSUCCESSFUL);
985 /* Return output parameters */
989 if (!NT_STATUS_IS_OK(result)) {
996 if (!((*set = TALLOC_ARRAY(mem_ctx, LUID_ATTR, r.count)))) {
997 DEBUG(0, ("(cli_lsa_enum_privsaccount): out of memory\n"));
998 result = NT_STATUS_UNSUCCESSFUL;
1002 for (i=0; i<r.count; i++) {
1003 (*set)[i].luid.low = r.set.set[i].luid.low;
1004 (*set)[i].luid.high = r.set.set[i].luid.high;
1005 (*set)[i].attr = r.set.set[i].attr;
1014 /** Get a privilege value given its name */
1016 NTSTATUS rpccli_lsa_lookup_priv_value(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1017 POLICY_HND *pol, const char *name, LUID *luid)
1019 prs_struct qbuf, rbuf;
1020 LSA_Q_LOOKUP_PRIV_VALUE q;
1021 LSA_R_LOOKUP_PRIV_VALUE r;
1027 /* Marshall data and send request */
1029 init_lsa_q_lookup_priv_value(&q, pol, name);
1031 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_LOOKUPPRIVVALUE,
1034 lsa_io_q_lookup_priv_value,
1035 lsa_io_r_lookup_priv_value,
1036 NT_STATUS_UNSUCCESSFUL);
1040 if (!NT_STATUS_IS_OK(result)) {
1044 /* Return output parameters */
1046 (*luid).low=r.luid.low;
1047 (*luid).high=r.luid.high;
1054 /** Query LSA security object */
1056 NTSTATUS rpccli_lsa_query_secobj(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1057 POLICY_HND *pol, uint32 sec_info,
1058 SEC_DESC_BUF **psdb)
1060 prs_struct qbuf, rbuf;
1061 LSA_Q_QUERY_SEC_OBJ q;
1062 LSA_R_QUERY_SEC_OBJ r;
1068 /* Marshall data and send request */
1070 init_q_query_sec_obj(&q, pol, sec_info);
1072 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_QUERYSECOBJ,
1075 lsa_io_q_query_sec_obj,
1076 lsa_io_r_query_sec_obj,
1077 NT_STATUS_UNSUCCESSFUL);
1081 if (!NT_STATUS_IS_OK(result)) {
1085 /* Return output parameters */
1096 /* Enumerate account rights This is similar to enum_privileges but
1097 takes a SID directly, avoiding the open_account call.
1100 NTSTATUS rpccli_lsa_enum_account_rights(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1101 POLICY_HND *pol, DOM_SID *sid,
1102 uint32 *count, char ***priv_names)
1104 prs_struct qbuf, rbuf;
1105 LSA_Q_ENUM_ACCT_RIGHTS q;
1106 LSA_R_ENUM_ACCT_RIGHTS r;
1109 fstring *privileges;
1115 /* Marshall data and send request */
1116 init_q_enum_acct_rights(&q, pol, 2, sid);
1118 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_ENUMACCTRIGHTS,
1121 lsa_io_q_enum_acct_rights,
1122 lsa_io_r_enum_acct_rights,
1123 NT_STATUS_UNSUCCESSFUL);
1127 if (!NT_STATUS_IS_OK(result)) {
1137 privileges = TALLOC_ARRAY( mem_ctx, fstring, *count );
1138 names = TALLOC_ARRAY( mem_ctx, char *, *count );
1140 if ((privileges == NULL) || (names == NULL)) {
1141 TALLOC_FREE(privileges);
1143 return NT_STATUS_NO_MEMORY;
1146 for ( i=0; i<*count; i++ ) {
1147 UNISTR4 *uni_string = &r.rights->strings[i];
1149 if ( !uni_string->string )
1152 rpcstr_pull( privileges[i], uni_string->string->buffer, sizeof(privileges[i]), -1, STR_TERMINATE );
1154 /* now copy to the return array */
1155 names[i] = talloc_strdup( mem_ctx, privileges[i] );
1158 *priv_names = names;
1167 /* add account rights to an account. */
1169 NTSTATUS rpccli_lsa_add_account_rights(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1170 POLICY_HND *pol, DOM_SID sid,
1171 uint32 count, const char **privs_name)
1173 prs_struct qbuf, rbuf;
1174 LSA_Q_ADD_ACCT_RIGHTS q;
1175 LSA_R_ADD_ACCT_RIGHTS r;
1181 /* Marshall data and send request */
1182 init_q_add_acct_rights(&q, pol, &sid, count, privs_name);
1184 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_ADDACCTRIGHTS,
1187 lsa_io_q_add_acct_rights,
1188 lsa_io_r_add_acct_rights,
1189 NT_STATUS_UNSUCCESSFUL);
1193 if (!NT_STATUS_IS_OK(result)) {
1202 /* remove account rights for an account. */
1204 NTSTATUS rpccli_lsa_remove_account_rights(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1205 POLICY_HND *pol, DOM_SID sid, BOOL removeall,
1206 uint32 count, const char **privs_name)
1208 prs_struct qbuf, rbuf;
1209 LSA_Q_REMOVE_ACCT_RIGHTS q;
1210 LSA_R_REMOVE_ACCT_RIGHTS r;
1216 /* Marshall data and send request */
1217 init_q_remove_acct_rights(&q, pol, &sid, removeall?1:0, count, privs_name);
1219 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_REMOVEACCTRIGHTS,
1222 lsa_io_q_remove_acct_rights,
1223 lsa_io_r_remove_acct_rights,
1224 NT_STATUS_UNSUCCESSFUL);
1228 if (!NT_STATUS_IS_OK(result)) {
1239 /** An example of how to use the routines in this file. Fetch a DOMAIN
1240 sid. Does complete cli setup / teardown anonymously. */
1242 BOOL fetch_domain_sid( char *domain, char *remote_machine, DOM_SID *psid)
1244 extern pstring global_myname;
1245 struct cli_state *cli;
1251 if((cli = cli_initialise()) == NULL) {
1252 DEBUG(0,("fetch_domain_sid: unable to initialize client connection.\n"));
1256 if(!resolve_name( remote_machine, &cli->dest_ip, 0x20)) {
1257 DEBUG(0,("fetch_domain_sid: Can't resolve address for %s\n", remote_machine));
1261 if (!cli_connect(cli, remote_machine, &cli->dest_ip)) {
1262 DEBUG(0,("fetch_domain_sid: unable to connect to SMB server on \
1263 machine %s. Error was : %s.\n", remote_machine, cli_errstr(cli) ));
1267 if (!attempt_netbios_session_request(cli, global_myname, remote_machine, &cli->dest_ip)) {
1268 DEBUG(0,("fetch_domain_sid: machine %s rejected the NetBIOS session request.\n",
1273 cli->protocol = PROTOCOL_NT1;
1275 if (!cli_negprot(cli)) {
1276 DEBUG(0,("fetch_domain_sid: machine %s rejected the negotiate protocol. \
1277 Error was : %s.\n", remote_machine, cli_errstr(cli) ));
1281 if (cli->protocol != PROTOCOL_NT1) {
1282 DEBUG(0,("fetch_domain_sid: machine %s didn't negotiate NT protocol.\n",
1288 * Do an anonymous session setup.
1291 if (!cli_session_setup(cli, "", "", 0, "", 0, "")) {
1292 DEBUG(0,("fetch_domain_sid: machine %s rejected the session setup. \
1293 Error was : %s.\n", remote_machine, cli_errstr(cli) ));
1297 if (!(cli->sec_mode & NEGOTIATE_SECURITY_USER_LEVEL)) {
1298 DEBUG(0,("fetch_domain_sid: machine %s isn't in user level security mode\n",
1303 if (!cli_send_tconX(cli, "IPC$", "IPC", "", 1)) {
1304 DEBUG(0,("fetch_domain_sid: machine %s rejected the tconX on the IPC$ share. \
1305 Error was : %s.\n", remote_machine, cli_errstr(cli) ));
1309 /* Fetch domain sid */
1311 if (!cli_nt_session_open(cli, PI_LSARPC)) {
1312 DEBUG(0, ("fetch_domain_sid: Error connecting to SAM pipe\n"));
1316 result = cli_lsa_open_policy(cli, cli->mem_ctx, True, SEC_RIGHTS_QUERY_VALUE, &lsa_pol);
1317 if (!NT_STATUS_IS_OK(result)) {
1318 DEBUG(0, ("fetch_domain_sid: Error opening lsa policy handle. %s\n",
1319 nt_errstr(result) ));
1323 result = cli_lsa_query_info_policy(cli, cli->mem_ctx, &lsa_pol, 5, domain, psid);
1324 if (!NT_STATUS_IS_OK(result)) {
1325 DEBUG(0, ("fetch_domain_sid: Error querying lsa policy handle. %s\n",
1326 nt_errstr(result) ));
1340 NTSTATUS rpccli_lsa_open_trusted_domain(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1341 POLICY_HND *pol, DOM_SID *dom_sid, uint32 access_mask,
1342 POLICY_HND *trustdom_pol)
1344 prs_struct qbuf, rbuf;
1345 LSA_Q_OPEN_TRUSTED_DOMAIN q;
1346 LSA_R_OPEN_TRUSTED_DOMAIN r;
1352 /* Initialise input parameters */
1354 init_lsa_q_open_trusted_domain(&q, pol, dom_sid, access_mask);
1356 /* Marshall data and send request */
1358 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_OPENTRUSTDOM,
1361 lsa_io_q_open_trusted_domain,
1362 lsa_io_r_open_trusted_domain,
1363 NT_STATUS_UNSUCCESSFUL);
1365 /* Return output parameters */
1369 if (NT_STATUS_IS_OK(result)) {
1370 *trustdom_pol = r.handle;
1376 NTSTATUS rpccli_lsa_query_trusted_domain_info(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1379 LSA_TRUSTED_DOMAIN_INFO **info)
1381 prs_struct qbuf, rbuf;
1382 LSA_Q_QUERY_TRUSTED_DOMAIN_INFO q;
1383 LSA_R_QUERY_TRUSTED_DOMAIN_INFO r;
1384 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1389 /* Marshall data and send request */
1391 init_q_query_trusted_domain_info(&q, pol, info_class);
1393 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_QUERYTRUSTDOMINFO,
1396 lsa_io_q_query_trusted_domain_info,
1397 lsa_io_r_query_trusted_domain_info,
1398 NT_STATUS_UNSUCCESSFUL);
1402 if (!NT_STATUS_IS_OK(result)) {
1412 NTSTATUS rpccli_lsa_open_trusted_domain_by_name(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1413 POLICY_HND *pol, const char *name, uint32 access_mask,
1414 POLICY_HND *trustdom_pol)
1416 prs_struct qbuf, rbuf;
1417 LSA_Q_OPEN_TRUSTED_DOMAIN_BY_NAME q;
1418 LSA_R_OPEN_TRUSTED_DOMAIN_BY_NAME r;
1424 /* Initialise input parameters */
1426 init_lsa_q_open_trusted_domain_by_name(&q, pol, name, access_mask);
1428 /* Marshall data and send request */
1430 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_OPENTRUSTDOMBYNAME,
1433 lsa_io_q_open_trusted_domain_by_name,
1434 lsa_io_r_open_trusted_domain_by_name,
1435 NT_STATUS_UNSUCCESSFUL);
1437 /* Return output parameters */
1441 if (NT_STATUS_IS_OK(result)) {
1442 *trustdom_pol = r.handle;
1449 NTSTATUS rpccli_lsa_query_trusted_domain_info_by_sid(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1451 uint16 info_class, DOM_SID *dom_sid,
1452 LSA_TRUSTED_DOMAIN_INFO **info)
1454 prs_struct qbuf, rbuf;
1455 LSA_Q_QUERY_TRUSTED_DOMAIN_INFO_BY_SID q;
1456 LSA_R_QUERY_TRUSTED_DOMAIN_INFO r;
1457 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1462 /* Marshall data and send request */
1464 init_q_query_trusted_domain_info_by_sid(&q, pol, info_class, dom_sid);
1466 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_QUERYTRUSTDOMINFOBYSID,
1469 lsa_io_q_query_trusted_domain_info_by_sid,
1470 lsa_io_r_query_trusted_domain_info,
1471 NT_STATUS_UNSUCCESSFUL);
1475 if (!NT_STATUS_IS_OK(result)) {
1486 NTSTATUS rpccli_lsa_query_trusted_domain_info_by_name(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1488 uint16 info_class, const char *domain_name,
1489 LSA_TRUSTED_DOMAIN_INFO **info)
1491 prs_struct qbuf, rbuf;
1492 LSA_Q_QUERY_TRUSTED_DOMAIN_INFO_BY_NAME q;
1493 LSA_R_QUERY_TRUSTED_DOMAIN_INFO r;
1494 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1499 /* Marshall data and send request */
1501 init_q_query_trusted_domain_info_by_name(&q, pol, info_class, domain_name);
1503 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_QUERYTRUSTDOMINFOBYNAME,
1506 lsa_io_q_query_trusted_domain_info_by_name,
1507 lsa_io_r_query_trusted_domain_info,
1508 NT_STATUS_UNSUCCESSFUL);
1512 if (!NT_STATUS_IS_OK(result)) {
1523 NTSTATUS cli_lsa_query_domain_info_policy(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1525 uint16 info_class, LSA_DOM_INFO_UNION **info)
1527 prs_struct qbuf, rbuf;
1528 LSA_Q_QUERY_DOM_INFO_POLICY q;
1529 LSA_R_QUERY_DOM_INFO_POLICY r;
1530 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1535 /* Marshall data and send request */
1537 init_q_query_dom_info(&q, pol, info_class);
1539 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_QUERYDOMINFOPOL,
1542 lsa_io_q_query_dom_info,
1543 lsa_io_r_query_dom_info,
1544 NT_STATUS_UNSUCCESSFUL);
1548 if (!NT_STATUS_IS_OK(result)) {