2 Unix SMB/CIFS implementation.
4 Copyright (C) Tim Potter 2000-2001,
5 Copyright (C) Andrew Tridgell 1992-1997,2000,
6 Copyright (C) Rafal Szczesniak 2002
7 Copyright (C) Jeremy Allison 2005.
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 2 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
26 /** @defgroup lsa LSA - Local Security Architecture
35 * RPC client routines for the LSA RPC pipe. LSA means "local
36 * security authority", which is half of a password database.
39 /** Open a LSA policy handle
41 * @param cli Handle on an initialised SMB connection */
43 NTSTATUS rpccli_lsa_open_policy(struct rpc_pipe_client *cli,
45 BOOL sec_qos, uint32 des_access,
48 prs_struct qbuf, rbuf;
57 /* Initialise input parameters */
60 init_lsa_sec_qos(&qos, 2, 1, 0);
61 init_q_open_pol(&q, '\\', 0, des_access, &qos);
63 init_q_open_pol(&q, '\\', 0, des_access, NULL);
66 /* Marshall data and send request */
68 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_OPENPOLICY,
73 NT_STATUS_UNSUCCESSFUL );
75 /* Return output parameters */
77 if (NT_STATUS_IS_OK(result = r.status)) {
80 pol->marker = MALLOC(1);
87 /** Open a LSA policy handle
89 * @param cli Handle on an initialised SMB connection
92 NTSTATUS rpccli_lsa_open_policy2(struct rpc_pipe_client *cli,
93 TALLOC_CTX *mem_ctx, BOOL sec_qos,
94 uint32 des_access, POLICY_HND *pol)
96 prs_struct qbuf, rbuf;
101 char *srv_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", cli->cli->desthost);
107 init_lsa_sec_qos(&qos, 2, 1, 0);
108 init_q_open_pol2(&q, srv_name_slash, 0, des_access, &qos);
110 init_q_open_pol2(&q, srv_name_slash, 0, des_access, NULL);
113 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_OPENPOLICY2,
118 NT_STATUS_UNSUCCESSFUL );
120 /* Return output parameters */
122 if (NT_STATUS_IS_OK(result = r.status)) {
125 pol->marker = (char *)malloc(1);
132 /** Close a LSA policy handle */
134 NTSTATUS rpccli_lsa_close(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
137 prs_struct qbuf, rbuf;
145 init_lsa_q_close(&q, pol);
147 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_CLOSE,
152 NT_STATUS_UNSUCCESSFUL );
154 /* Return output parameters */
156 if (NT_STATUS_IS_OK(result = r.status)) {
158 SAFE_FREE(pol->marker);
166 /** Lookup a list of sids */
168 NTSTATUS rpccli_lsa_lookup_sids(struct rpc_pipe_client *cli,
170 POLICY_HND *pol, int num_sids,
172 char ***domains, char ***names, uint32 **types)
174 prs_struct qbuf, rbuf;
178 LSA_TRANS_NAME_ENUM t_names;
179 NTSTATUS result = NT_STATUS_OK;
185 init_q_lookup_sids(mem_ctx, &q, pol, num_sids, sids, 1);
188 ZERO_STRUCT(t_names);
193 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_LOOKUPSIDS,
196 lsa_io_q_lookup_sids,
197 lsa_io_r_lookup_sids,
198 NT_STATUS_UNSUCCESSFUL );
200 if (!NT_STATUS_IS_OK(r.status) &&
201 NT_STATUS_V(r.status) != NT_STATUS_V(STATUS_SOME_UNMAPPED)) {
203 /* An actual error occured */
209 /* Return output parameters */
211 if (r.mapped_count == 0) {
212 result = NT_STATUS_NONE_MAPPED;
216 if (!((*domains) = TALLOC_ARRAY(mem_ctx, char *, num_sids))) {
217 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
218 result = NT_STATUS_UNSUCCESSFUL;
222 if (!((*names) = TALLOC_ARRAY(mem_ctx, char *, num_sids))) {
223 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
224 result = NT_STATUS_UNSUCCESSFUL;
228 if (!((*types) = TALLOC_ARRAY(mem_ctx, uint32, num_sids))) {
229 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
230 result = NT_STATUS_UNSUCCESSFUL;
234 for (i = 0; i < num_sids; i++) {
235 fstring name, dom_name;
236 uint32 dom_idx = t_names.name[i].domain_idx;
238 /* Translate optimised name through domain index array */
240 if (dom_idx != 0xffffffff) {
242 rpcstr_pull_unistr2_fstring(
243 dom_name, &ref.ref_dom[dom_idx].uni_dom_name);
244 rpcstr_pull_unistr2_fstring(
245 name, &t_names.uni_name[i]);
247 (*names)[i] = talloc_strdup(mem_ctx, name);
248 (*domains)[i] = talloc_strdup(mem_ctx, dom_name);
249 (*types)[i] = t_names.name[i].sid_name_use;
251 if (((*names)[i] == NULL) || ((*domains)[i] == NULL)) {
252 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
253 result = NT_STATUS_UNSUCCESSFUL;
259 (*domains)[i] = NULL;
260 (*types)[i] = SID_NAME_UNKNOWN;
269 /** Lookup a list of names */
271 NTSTATUS rpccli_lsa_lookup_names(struct rpc_pipe_client *cli,
273 POLICY_HND *pol, int num_names,
274 const char **names, DOM_SID **sids,
277 prs_struct qbuf, rbuf;
278 LSA_Q_LOOKUP_NAMES q;
279 LSA_R_LOOKUP_NAMES r;
290 init_q_lookup_names(mem_ctx, &q, pol, num_names, names);
292 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_LOOKUPNAMES,
295 lsa_io_q_lookup_names,
296 lsa_io_r_lookup_names,
297 NT_STATUS_UNSUCCESSFUL);
301 if (!NT_STATUS_IS_OK(result) && NT_STATUS_V(result) !=
302 NT_STATUS_V(STATUS_SOME_UNMAPPED)) {
304 /* An actual error occured */
309 /* Return output parameters */
311 if (r.mapped_count == 0) {
312 result = NT_STATUS_NONE_MAPPED;
316 if (!((*sids = TALLOC_ARRAY(mem_ctx, DOM_SID, num_names)))) {
317 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
318 result = NT_STATUS_UNSUCCESSFUL;
322 if (!((*types = TALLOC_ARRAY(mem_ctx, uint32, num_names)))) {
323 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
324 result = NT_STATUS_UNSUCCESSFUL;
328 for (i = 0; i < num_names; i++) {
329 DOM_RID2 *t_rids = r.dom_rid;
330 uint32 dom_idx = t_rids[i].rid_idx;
331 uint32 dom_rid = t_rids[i].rid;
332 DOM_SID *sid = &(*sids)[i];
334 /* Translate optimised sid through domain index array */
336 if (dom_idx != 0xffffffff) {
338 sid_copy(sid, &ref.ref_dom[dom_idx].ref_dom.sid);
340 if (dom_rid != 0xffffffff) {
341 sid_append_rid(sid, dom_rid);
344 (*types)[i] = t_rids[i].type;
347 (*types)[i] = SID_NAME_UNKNOWN;
356 /** Query info policy
358 * @param domain_sid - returned remote server's domain sid */
360 NTSTATUS rpccli_lsa_query_info_policy(struct rpc_pipe_client *cli,
362 POLICY_HND *pol, uint16 info_class,
363 char **domain_name, DOM_SID **domain_sid)
365 prs_struct qbuf, rbuf;
373 init_q_query(&q, pol, info_class);
375 CLI_DO_RPC(cli, mem_ctx, PI_LSARPC, LSA_QUERYINFOPOLICY,
380 NT_STATUS_UNSUCCESSFUL);
382 if (!NT_STATUS_IS_OK(result = r.status)) {
386 /* Return output parameters */
388 switch (info_class) {
391 if (domain_name && (r.dom.id3.buffer_dom_name != 0)) {
392 *domain_name = unistr2_tdup(mem_ctx,
397 if (domain_sid && (r.dom.id3.buffer_dom_sid != 0)) {
398 *domain_sid = TALLOC_P(mem_ctx, DOM_SID);
400 sid_copy(*domain_sid, &r.dom.id3.dom_sid.sid);
408 if (domain_name && (r.dom.id5.buffer_dom_name != 0)) {
409 *domain_name = unistr2_tdup(mem_ctx,
414 if (domain_sid && (r.dom.id5.buffer_dom_sid != 0)) {
415 *domain_sid = TALLOC_P(mem_ctx, DOM_SID);
417 sid_copy(*domain_sid, &r.dom.id5.dom_sid.sid);
423 DEBUG(3, ("unknown info class %d\n", info_class));
432 /** Query info policy2
434 * @param domain_name - returned remote server's domain name
435 * @param dns_name - returned remote server's dns domain name
436 * @param forest_name - returned remote server's forest name
437 * @param domain_guid - returned remote server's domain guid
438 * @param domain_sid - returned remote server's domain sid */
440 NTSTATUS rpccli_lsa_query_info_policy2(struct rpc_pipe_client *cli,
442 POLICY_HND *pol, uint16 info_class,
443 char **domain_name, char **dns_name,
445 struct uuid **domain_guid,
446 DOM_SID **domain_sid)
448 prs_struct qbuf, rbuf;
451 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
453 if (info_class != 12)
459 init_q_query2(&q, pol, info_class);
461 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_QUERYINFO2,
464 lsa_io_q_query_info2,
465 lsa_io_r_query_info2,
466 NT_STATUS_UNSUCCESSFUL);
468 if (!NT_STATUS_IS_OK(result = r.status)) {
472 /* Return output parameters */
474 ZERO_STRUCTP(domain_guid);
476 if (domain_name && r.info.dns_dom_info.hdr_nb_dom_name.buffer) {
477 *domain_name = unistr2_tdup(mem_ctx,
481 if (dns_name && r.info.dns_dom_info.hdr_dns_dom_name.buffer) {
482 *dns_name = unistr2_tdup(mem_ctx,
486 if (forest_name && r.info.dns_dom_info.hdr_forest_name.buffer) {
487 *forest_name = unistr2_tdup(mem_ctx,
493 *domain_guid = TALLOC_P(mem_ctx, struct uuid);
495 &r.info.dns_dom_info.dom_guid,
496 sizeof(struct uuid));
499 if (domain_sid && r.info.dns_dom_info.ptr_dom_sid != 0) {
500 *domain_sid = TALLOC_P(mem_ctx, DOM_SID);
502 sid_copy(*domain_sid,
503 &r.info.dns_dom_info.dom_sid.sid);
513 * Enumerate list of trusted domains
515 * @param cli client state (cli_state) structure of the connection
516 * @param mem_ctx memory context
517 * @param pol opened lsa policy handle
518 * @param enum_ctx enumeration context ie. index of first returned domain entry
519 * @param pref_num_domains preferred max number of entries returned in one response
520 * @param num_domains total number of trusted domains returned by response
521 * @param domain_names returned trusted domain names
522 * @param domain_sids returned trusted domain sids
524 * @return nt status code of response
527 NTSTATUS rpccli_lsa_enum_trust_dom(struct rpc_pipe_client *cli,
529 POLICY_HND *pol, uint32 *enum_ctx,
531 char ***domain_names, DOM_SID **domain_sids)
533 prs_struct qbuf, rbuf;
534 LSA_Q_ENUM_TRUST_DOM in;
535 LSA_R_ENUM_TRUST_DOM out;
542 /* 64k is enough for about 2000 trusted domains */
544 init_q_enum_trust_dom(&in, pol, *enum_ctx, 0x10000);
546 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_ENUMTRUSTDOM,
549 lsa_io_q_enum_trust_dom,
550 lsa_io_r_enum_trust_dom,
551 NT_STATUS_UNSUCCESSFUL );
554 /* check for an actual error */
556 if ( !NT_STATUS_IS_OK(out.status)
557 && !NT_STATUS_EQUAL(out.status, NT_STATUS_NO_MORE_ENTRIES)
558 && !NT_STATUS_EQUAL(out.status, STATUS_MORE_ENTRIES) )
563 /* Return output parameters */
565 *num_domains = out.count;
566 *enum_ctx = out.enum_context;
570 /* Allocate memory for trusted domain names and sids */
572 if ( !(*domain_names = TALLOC_ARRAY(mem_ctx, char *, out.count)) ) {
573 DEBUG(0, ("cli_lsa_enum_trust_dom(): out of memory\n"));
574 return NT_STATUS_NO_MEMORY;
577 if ( !(*domain_sids = TALLOC_ARRAY(mem_ctx, DOM_SID, out.count)) ) {
578 DEBUG(0, ("cli_lsa_enum_trust_dom(): out of memory\n"));
579 return NT_STATUS_NO_MEMORY;
582 /* Copy across names and sids */
584 for (i = 0; i < out.count; i++) {
586 rpcstr_pull( tmp, out.domlist->domains[i].name.string->buffer,
587 sizeof(tmp), out.domlist->domains[i].name.length, 0);
588 (*domain_names)[i] = talloc_strdup(mem_ctx, tmp);
590 sid_copy(&(*domain_sids)[i], &out.domlist->domains[i].sid->sid );
597 /** Enumerate privileges*/
599 NTSTATUS rpccli_lsa_enum_privilege(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
600 POLICY_HND *pol, uint32 *enum_context, uint32 pref_max_length,
601 uint32 *count, char ***privs_name, uint32 **privs_high, uint32 **privs_low)
603 prs_struct qbuf, rbuf;
612 init_q_enum_privs(&q, pol, *enum_context, pref_max_length);
614 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_ENUM_PRIVS,
619 NT_STATUS_UNSUCCESSFUL);
621 if (!NT_STATUS_IS_OK(result = r.status)) {
625 /* Return output parameters */
627 *enum_context = r.enum_context;
630 if (!((*privs_name = TALLOC_ARRAY(mem_ctx, char *, r.count)))) {
631 DEBUG(0, ("(cli_lsa_enum_privilege): out of memory\n"));
632 result = NT_STATUS_UNSUCCESSFUL;
636 if (!((*privs_high = TALLOC_ARRAY(mem_ctx, uint32, r.count)))) {
637 DEBUG(0, ("(cli_lsa_enum_privilege): out of memory\n"));
638 result = NT_STATUS_UNSUCCESSFUL;
642 if (!((*privs_low = TALLOC_ARRAY(mem_ctx, uint32, r.count)))) {
643 DEBUG(0, ("(cli_lsa_enum_privilege): out of memory\n"));
644 result = NT_STATUS_UNSUCCESSFUL;
648 for (i = 0; i < r.count; i++) {
651 rpcstr_pull_unistr2_fstring( name, &r.privs[i].name);
653 (*privs_name)[i] = talloc_strdup(mem_ctx, name);
655 (*privs_high)[i] = r.privs[i].luid_high;
656 (*privs_low)[i] = r.privs[i].luid_low;
664 /** Get privilege name */
666 NTSTATUS rpccli_lsa_get_dispname(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
667 POLICY_HND *pol, const char *name,
668 uint16 lang_id, uint16 lang_id_sys,
669 fstring description, uint16 *lang_id_desc)
671 prs_struct qbuf, rbuf;
672 LSA_Q_PRIV_GET_DISPNAME q;
673 LSA_R_PRIV_GET_DISPNAME r;
679 init_lsa_priv_get_dispname(&q, pol, name, lang_id, lang_id_sys);
681 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_PRIV_GET_DISPNAME,
684 lsa_io_q_priv_get_dispname,
685 lsa_io_r_priv_get_dispname,
686 NT_STATUS_UNSUCCESSFUL);
688 if (!NT_STATUS_IS_OK(result = r.status)) {
692 /* Return output parameters */
694 rpcstr_pull_unistr2_fstring(description , &r.desc);
695 *lang_id_desc = r.lang_id;
702 /** Enumerate list of SIDs */
704 NTSTATUS rpccli_lsa_enum_sids(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
705 POLICY_HND *pol, uint32 *enum_ctx, uint32 pref_max_length,
706 uint32 *num_sids, DOM_SID **sids)
708 prs_struct qbuf, rbuf;
709 LSA_Q_ENUM_ACCOUNTS q;
710 LSA_R_ENUM_ACCOUNTS r;
717 init_lsa_q_enum_accounts(&q, pol, *enum_ctx, pref_max_length);
719 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_ENUM_ACCOUNTS,
722 lsa_io_q_enum_accounts,
723 lsa_io_r_enum_accounts,
724 NT_STATUS_UNSUCCESSFUL);
728 if (!NT_STATUS_IS_OK(result = r.status)) {
732 if (r.sids.num_entries==0)
735 /* Return output parameters */
737 *sids = TALLOC_ARRAY(mem_ctx, DOM_SID, r.sids.num_entries);
739 DEBUG(0, ("(cli_lsa_enum_sids): out of memory\n"));
740 result = NT_STATUS_UNSUCCESSFUL;
744 /* Copy across names and sids */
746 for (i = 0; i < r.sids.num_entries; i++) {
747 sid_copy(&(*sids)[i], &r.sids.sid[i].sid);
750 *num_sids= r.sids.num_entries;
751 *enum_ctx = r.enum_context;
758 /** Create a LSA user handle
760 * @param cli Handle on an initialised SMB connection
762 * FIXME: The code is actually identical to open account
763 * TODO: Check and code what the function should exactly do
767 NTSTATUS rpccli_lsa_create_account(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
768 POLICY_HND *dom_pol, DOM_SID *sid, uint32 desired_access,
769 POLICY_HND *user_pol)
771 prs_struct qbuf, rbuf;
772 LSA_Q_CREATEACCOUNT q;
773 LSA_R_CREATEACCOUNT r;
779 /* Initialise input parameters */
781 init_lsa_q_create_account(&q, dom_pol, sid, desired_access);
783 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_CREATEACCOUNT,
786 lsa_io_q_create_account,
787 lsa_io_r_create_account,
788 NT_STATUS_UNSUCCESSFUL);
790 /* Return output parameters */
792 if (NT_STATUS_IS_OK(result = r.status)) {
799 /** Open a LSA user handle
801 * @param cli Handle on an initialised SMB connection */
803 NTSTATUS rpccli_lsa_open_account(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
804 POLICY_HND *dom_pol, DOM_SID *sid, uint32 des_access,
805 POLICY_HND *user_pol)
807 prs_struct qbuf, rbuf;
815 /* Initialise input parameters */
817 init_lsa_q_open_account(&q, dom_pol, sid, des_access);
819 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_OPENACCOUNT,
822 lsa_io_q_open_account,
823 lsa_io_r_open_account,
824 NT_STATUS_UNSUCCESSFUL);
826 /* Return output parameters */
828 if (NT_STATUS_IS_OK(result = r.status)) {
835 /** Enumerate user privileges
837 * @param cli Handle on an initialised SMB connection */
839 NTSTATUS rpccli_lsa_enum_privsaccount(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
840 POLICY_HND *pol, uint32 *count, LUID_ATTR **set)
842 prs_struct qbuf, rbuf;
843 LSA_Q_ENUMPRIVSACCOUNT q;
844 LSA_R_ENUMPRIVSACCOUNT r;
851 /* Initialise input parameters */
853 init_lsa_q_enum_privsaccount(&q, pol);
855 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_ENUMPRIVSACCOUNT,
858 lsa_io_q_enum_privsaccount,
859 lsa_io_r_enum_privsaccount,
860 NT_STATUS_UNSUCCESSFUL);
862 /* Return output parameters */
864 if (!NT_STATUS_IS_OK(result = r.status)) {
871 if (!((*set = TALLOC_ARRAY(mem_ctx, LUID_ATTR, r.count)))) {
872 DEBUG(0, ("(cli_lsa_enum_privsaccount): out of memory\n"));
873 result = NT_STATUS_UNSUCCESSFUL;
877 for (i=0; i<r.count; i++) {
878 (*set)[i].luid.low = r.set.set[i].luid.low;
879 (*set)[i].luid.high = r.set.set[i].luid.high;
880 (*set)[i].attr = r.set.set[i].attr;
889 /** Get a privilege value given its name */
891 NTSTATUS rpccli_lsa_lookup_priv_value(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
892 POLICY_HND *pol, const char *name, LUID *luid)
894 prs_struct qbuf, rbuf;
895 LSA_Q_LOOKUP_PRIV_VALUE q;
896 LSA_R_LOOKUP_PRIV_VALUE r;
902 /* Marshall data and send request */
904 init_lsa_q_lookup_priv_value(&q, pol, name);
906 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_LOOKUPPRIVVALUE,
909 lsa_io_q_lookup_priv_value,
910 lsa_io_r_lookup_priv_value,
911 NT_STATUS_UNSUCCESSFUL);
913 if (!NT_STATUS_IS_OK(result = r.status)) {
917 /* Return output parameters */
919 (*luid).low=r.luid.low;
920 (*luid).high=r.luid.high;
927 /** Query LSA security object */
929 NTSTATUS rpccli_lsa_query_secobj(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
930 POLICY_HND *pol, uint32 sec_info,
933 prs_struct qbuf, rbuf;
934 LSA_Q_QUERY_SEC_OBJ q;
935 LSA_R_QUERY_SEC_OBJ r;
941 /* Marshall data and send request */
943 init_q_query_sec_obj(&q, pol, sec_info);
945 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_QUERYSECOBJ,
948 lsa_io_q_query_sec_obj,
949 lsa_io_r_query_sec_obj,
950 NT_STATUS_UNSUCCESSFUL);
952 if (!NT_STATUS_IS_OK(result = r.status)) {
956 /* Return output parameters */
967 /* Enumerate account rights This is similar to enum_privileges but
968 takes a SID directly, avoiding the open_account call.
971 NTSTATUS rpccli_lsa_enum_account_rights(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
972 POLICY_HND *pol, DOM_SID *sid,
973 uint32 *count, char ***priv_names)
975 prs_struct qbuf, rbuf;
976 LSA_Q_ENUM_ACCT_RIGHTS q;
977 LSA_R_ENUM_ACCT_RIGHTS r;
986 /* Marshall data and send request */
987 init_q_enum_acct_rights(&q, pol, 2, sid);
989 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_ENUMACCTRIGHTS,
992 lsa_io_q_enum_acct_rights,
993 lsa_io_r_enum_acct_rights,
994 NT_STATUS_UNSUCCESSFUL);
996 if (!NT_STATUS_IS_OK(result = r.status)) {
1006 privileges = TALLOC_ARRAY( mem_ctx, fstring, *count );
1007 names = TALLOC_ARRAY( mem_ctx, char *, *count );
1009 for ( i=0; i<*count; i++ ) {
1010 UNISTR4 *uni_string = &r.rights->strings[i];
1012 if ( !uni_string->string )
1015 rpcstr_pull( privileges[i], uni_string->string->buffer, sizeof(privileges[i]), -1, STR_TERMINATE );
1017 /* now copy to the return array */
1018 names[i] = talloc_strdup( mem_ctx, privileges[i] );
1021 *priv_names = names;
1030 /* add account rights to an account. */
1032 NTSTATUS rpccli_lsa_add_account_rights(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1033 POLICY_HND *pol, DOM_SID sid,
1034 uint32 count, const char **privs_name)
1036 prs_struct qbuf, rbuf;
1037 LSA_Q_ADD_ACCT_RIGHTS q;
1038 LSA_R_ADD_ACCT_RIGHTS r;
1044 /* Marshall data and send request */
1045 init_q_add_acct_rights(&q, pol, &sid, count, privs_name);
1047 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_ADDACCTRIGHTS,
1050 lsa_io_q_add_acct_rights,
1051 lsa_io_r_add_acct_rights,
1052 NT_STATUS_UNSUCCESSFUL);
1054 if (!NT_STATUS_IS_OK(result = r.status)) {
1063 /* remove account rights for an account. */
1065 NTSTATUS rpccli_lsa_remove_account_rights(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1066 POLICY_HND *pol, DOM_SID sid, BOOL removeall,
1067 uint32 count, const char **privs_name)
1069 prs_struct qbuf, rbuf;
1070 LSA_Q_REMOVE_ACCT_RIGHTS q;
1071 LSA_R_REMOVE_ACCT_RIGHTS r;
1077 /* Marshall data and send request */
1078 init_q_remove_acct_rights(&q, pol, &sid, removeall?1:0, count, privs_name);
1080 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_REMOVEACCTRIGHTS,
1083 lsa_io_q_remove_acct_rights,
1084 lsa_io_r_remove_acct_rights,
1085 NT_STATUS_UNSUCCESSFUL);
1087 if (!NT_STATUS_IS_OK(result = r.status)) {
1098 /** An example of how to use the routines in this file. Fetch a DOMAIN
1099 sid. Does complete cli setup / teardown anonymously. */
1101 BOOL fetch_domain_sid( char *domain, char *remote_machine, DOM_SID *psid)
1103 extern pstring global_myname;
1104 struct cli_state cli;
1110 if(cli_initialise(&cli) == False) {
1111 DEBUG(0,("fetch_domain_sid: unable to initialize client connection.\n"));
1115 if(!resolve_name( remote_machine, &cli.dest_ip, 0x20)) {
1116 DEBUG(0,("fetch_domain_sid: Can't resolve address for %s\n", remote_machine));
1120 if (!cli_connect(&cli, remote_machine, &cli.dest_ip)) {
1121 DEBUG(0,("fetch_domain_sid: unable to connect to SMB server on \
1122 machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
1126 if (!attempt_netbios_session_request(&cli, global_myname, remote_machine, &cli.dest_ip)) {
1127 DEBUG(0,("fetch_domain_sid: machine %s rejected the NetBIOS session request.\n",
1132 cli.protocol = PROTOCOL_NT1;
1134 if (!cli_negprot(&cli)) {
1135 DEBUG(0,("fetch_domain_sid: machine %s rejected the negotiate protocol. \
1136 Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
1140 if (cli.protocol != PROTOCOL_NT1) {
1141 DEBUG(0,("fetch_domain_sid: machine %s didn't negotiate NT protocol.\n",
1147 * Do an anonymous session setup.
1150 if (!cli_session_setup(&cli, "", "", 0, "", 0, "")) {
1151 DEBUG(0,("fetch_domain_sid: machine %s rejected the session setup. \
1152 Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
1156 if (!(cli.sec_mode & NEGOTIATE_SECURITY_USER_LEVEL)) {
1157 DEBUG(0,("fetch_domain_sid: machine %s isn't in user level security mode\n",
1162 if (!cli_send_tconX(&cli, "IPC$", "IPC", "", 1)) {
1163 DEBUG(0,("fetch_domain_sid: machine %s rejected the tconX on the IPC$ share. \
1164 Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
1168 /* Fetch domain sid */
1170 if (!cli_nt_session_open(&cli, PI_LSARPC)) {
1171 DEBUG(0, ("fetch_domain_sid: Error connecting to SAM pipe\n"));
1175 result = cli_lsa_open_policy(&cli, cli.mem_ctx, True, SEC_RIGHTS_QUERY_VALUE, &lsa_pol);
1176 if (!NT_STATUS_IS_OK(result)) {
1177 DEBUG(0, ("fetch_domain_sid: Error opening lsa policy handle. %s\n",
1178 nt_errstr(result) ));
1182 result = cli_lsa_query_info_policy(&cli, cli.mem_ctx, &lsa_pol, 5, domain, psid);
1183 if (!NT_STATUS_IS_OK(result)) {
1184 DEBUG(0, ("fetch_domain_sid: Error querying lsa policy handle. %s\n",
1185 nt_errstr(result) ));
1199 NTSTATUS rpccli_lsa_open_trusted_domain(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1200 POLICY_HND *pol, DOM_SID *dom_sid, uint32 access_mask,
1201 POLICY_HND *trustdom_pol)
1203 prs_struct qbuf, rbuf;
1204 LSA_Q_OPEN_TRUSTED_DOMAIN q;
1205 LSA_R_OPEN_TRUSTED_DOMAIN r;
1211 /* Initialise input parameters */
1213 init_lsa_q_open_trusted_domain(&q, pol, dom_sid, access_mask);
1215 /* Marshall data and send request */
1217 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_OPENTRUSTDOM,
1220 lsa_io_q_open_trusted_domain,
1221 lsa_io_r_open_trusted_domain,
1222 NT_STATUS_UNSUCCESSFUL);
1224 /* Return output parameters */
1226 if (NT_STATUS_IS_OK(result = r.status)) {
1227 *trustdom_pol = r.handle;
1233 NTSTATUS rpccli_lsa_query_trusted_domain_info(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1235 uint16 info_class, DOM_SID *dom_sid,
1236 LSA_TRUSTED_DOMAIN_INFO **info)
1238 prs_struct qbuf, rbuf;
1239 LSA_Q_QUERY_TRUSTED_DOMAIN_INFO q;
1240 LSA_R_QUERY_TRUSTED_DOMAIN_INFO r;
1241 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1246 /* Marshall data and send request */
1248 init_q_query_trusted_domain_info(&q, pol, info_class);
1250 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_QUERYTRUSTDOMINFO,
1253 lsa_io_q_query_trusted_domain_info,
1254 lsa_io_r_query_trusted_domain_info,
1255 NT_STATUS_UNSUCCESSFUL);
1257 if (!NT_STATUS_IS_OK(result = r.status)) {
1268 NTSTATUS rpccli_lsa_query_trusted_domain_info_by_sid(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1270 uint16 info_class, DOM_SID *dom_sid,
1271 LSA_TRUSTED_DOMAIN_INFO **info)
1273 prs_struct qbuf, rbuf;
1274 LSA_Q_QUERY_TRUSTED_DOMAIN_INFO_BY_SID q;
1275 LSA_R_QUERY_TRUSTED_DOMAIN_INFO r;
1276 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1281 /* Marshall data and send request */
1283 init_q_query_trusted_domain_info_by_sid(&q, pol, info_class, dom_sid);
1285 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_QUERYTRUSTDOMINFOBYSID,
1288 lsa_io_q_query_trusted_domain_info_by_sid,
1289 lsa_io_r_query_trusted_domain_info,
1290 NT_STATUS_UNSUCCESSFUL);
1292 if (!NT_STATUS_IS_OK(result = r.status)) {
1303 NTSTATUS rpccli_lsa_query_trusted_domain_info_by_name(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1305 uint16 info_class, const char *domain_name,
1306 LSA_TRUSTED_DOMAIN_INFO **info)
1308 prs_struct qbuf, rbuf;
1309 LSA_Q_QUERY_TRUSTED_DOMAIN_INFO_BY_NAME q;
1310 LSA_R_QUERY_TRUSTED_DOMAIN_INFO r;
1311 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1316 /* Marshall data and send request */
1318 init_q_query_trusted_domain_info_by_name(&q, pol, info_class, domain_name);
1320 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_QUERYTRUSTDOMINFOBYNAME,
1323 lsa_io_q_query_trusted_domain_info_by_name,
1324 lsa_io_r_query_trusted_domain_info,
1325 NT_STATUS_UNSUCCESSFUL);
1327 if (!NT_STATUS_IS_OK(result = r.status)) {