*/
#include "includes.h"
+#include "../librpc/gen_ndr/cli_lsa.h"
+#include "rpc_client/cli_lsarpc.h"
+#include "rpc_client/init_lsa.h"
+#include "../libcli/security/security.h"
/** @defgroup lsa LSA - Local Security Architecture
* @ingroup rpc_client
NTSTATUS rpccli_lsa_open_policy(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx,
bool sec_qos, uint32 des_access,
- POLICY_HND *pol)
+ struct policy_handle *pol)
{
struct lsa_ObjectAttribute attr;
struct lsa_QosInfo qos;
uint16_t system_name = '\\';
+ ZERO_STRUCT(attr);
+
+ attr.len = 0x18;
+
if (sec_qos) {
- init_lsa_sec_qos(&qos, 0xc, 2, 1, 0);
- init_lsa_obj_attr(&attr,
- 0x18,
- NULL,
- NULL,
- 0,
- NULL,
- &qos);
- } else {
- init_lsa_obj_attr(&attr,
- 0x18,
- NULL,
- NULL,
- 0,
- NULL,
- NULL);
+ qos.len = 0xc;
+ qos.impersonation_level = 2;
+ qos.context_mode = 1;
+ qos.effective_only = 0;
+
+ attr.sec_qos = &qos;
}
return rpccli_lsa_OpenPolicy(cli, mem_ctx,
NTSTATUS rpccli_lsa_open_policy2(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx, bool sec_qos,
- uint32 des_access, POLICY_HND *pol)
+ uint32 des_access, struct policy_handle *pol)
{
struct lsa_ObjectAttribute attr;
struct lsa_QosInfo qos;
+ ZERO_STRUCT(attr);
+
+ attr.len = 0x18;
+
if (sec_qos) {
- init_lsa_sec_qos(&qos, 0xc, 2, 1, 0);
- init_lsa_obj_attr(&attr,
- 0x18,
- NULL,
- NULL,
- 0,
- NULL,
- &qos);
- } else {
- init_lsa_obj_attr(&attr,
- 0x18,
- NULL,
- NULL,
- 0,
- NULL,
- NULL);
+ qos.len = 0xc;
+ qos.impersonation_level = 2;
+ qos.context_mode = 1;
+ qos.effective_only = 0;
+
+ attr.sec_qos = &qos;
}
return rpccli_lsa_OpenPolicy2(cli, mem_ctx,
static NTSTATUS rpccli_lsa_lookup_sids_noalloc(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx,
- POLICY_HND *pol,
+ struct policy_handle *pol,
int num_sids,
- const DOM_SID *sids,
+ const struct dom_sid *sids,
char **domains,
char **names,
- enum lsa_SidType *types)
+ enum lsa_SidType *types,
+ bool use_lookupsids3)
{
NTSTATUS result = NT_STATUS_OK;
TALLOC_CTX *tmp_ctx = NULL;
}
for (i = 0; i<num_sids; i++) {
- sid_array.sids[i].sid = sid_dup_talloc(mem_ctx, &sids[i]);
+ sid_array.sids[i].sid = dom_sid_dup(mem_ctx, &sids[i]);
if (!sid_array.sids[i].sid) {
return NT_STATUS_NO_MEMORY;
}
}
- result = rpccli_lsa_LookupSids(cli, mem_ctx,
- pol,
- &sid_array,
- &ref_domains,
- &lsa_names,
- level,
- &count);
+ if (use_lookupsids3) {
+ struct lsa_TransNameArray2 lsa_names2;
+ uint32_t n;
+
+ ZERO_STRUCT(lsa_names2);
+
+ result = rpccli_lsa_LookupSids3(cli, mem_ctx,
+ &sid_array,
+ &ref_domains,
+ &lsa_names2,
+ level,
+ &count,
+ 0,
+ 0);
+
+ if (!NT_STATUS_IS_ERR(result)) {
+ lsa_names.count = lsa_names2.count;
+ lsa_names.names = talloc_array(mem_ctx, struct lsa_TranslatedName, lsa_names.count);
+ if (!lsa_names.names) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ for (n=0; n < lsa_names.count; n++) {
+ lsa_names.names[n].sid_type = lsa_names2.names[n].sid_type;
+ lsa_names.names[n].name = lsa_names2.names[n].name;
+ lsa_names.names[n].sid_index = lsa_names2.names[n].sid_index;
+ }
+ }
+
+ } else {
+ result = rpccli_lsa_LookupSids(cli, mem_ctx,
+ pol,
+ &sid_array,
+ &ref_domains,
+ &lsa_names,
+ level,
+ &count);
+ }
DEBUG(10, ("LSA_LOOKUPSIDS returned '%s', mapped count = %d'\n",
nt_errstr(result), count));
name = lsa_names.names[i].name.string;
if (name) {
- (names)[i] = talloc_strdup(mem_ctx, name);
+ (names)[i] = talloc_strdup(names, name);
if ((names)[i] == NULL) {
DEBUG(0, ("cli_lsa_lookup_sids_noalloc(): out of memory\n"));
result = NT_STATUS_UNSUCCESSFUL;
} else {
(names)[i] = NULL;
}
- (domains)[i] = talloc_strdup(mem_ctx, dom_name);
+ domains[i] = talloc_strdup(domains,
+ dom_name ? dom_name : "");
(types)[i] = lsa_names.names[i].sid_type;
if (((domains)[i] == NULL)) {
DEBUG(0, ("cli_lsa_lookup_sids_noalloc(): out of memory\n"));
* at 20480 for win2k3, but we keep it at a save 1000 for now. */
#define LOOKUP_SIDS_HUNK_SIZE 1000
-NTSTATUS rpccli_lsa_lookup_sids(struct rpc_pipe_client *cli,
- TALLOC_CTX *mem_ctx,
- POLICY_HND *pol,
- int num_sids,
- const DOM_SID *sids,
- char ***pdomains,
- char ***pnames,
- enum lsa_SidType **ptypes)
+static NTSTATUS rpccli_lsa_lookup_sids_generic(struct rpc_pipe_client *cli,
+ TALLOC_CTX *mem_ctx,
+ struct policy_handle *pol,
+ int num_sids,
+ const struct dom_sid *sids,
+ char ***pdomains,
+ char ***pnames,
+ enum lsa_SidType **ptypes,
+ bool use_lookupsids3)
{
NTSTATUS result = NT_STATUS_OK;
int sids_left = 0;
int sids_processed = 0;
- const DOM_SID *hunk_sids = sids;
+ const struct dom_sid *hunk_sids = sids;
char **hunk_domains;
char **hunk_names;
enum lsa_SidType *hunk_types;
hunk_sids,
hunk_domains,
hunk_names,
- hunk_types);
+ hunk_types,
+ use_lookupsids3);
if (!NT_STATUS_IS_OK(hunk_result) &&
!NT_STATUS_EQUAL(hunk_result, STATUS_SOME_UNMAPPED) &&
return result;
}
-/** Lookup a list of names */
+NTSTATUS rpccli_lsa_lookup_sids(struct rpc_pipe_client *cli,
+ TALLOC_CTX *mem_ctx,
+ struct policy_handle *pol,
+ int num_sids,
+ const struct dom_sid *sids,
+ char ***pdomains,
+ char ***pnames,
+ enum lsa_SidType **ptypes)
+{
+ return rpccli_lsa_lookup_sids_generic(cli, mem_ctx, pol, num_sids, sids,
+ pdomains, pnames, ptypes, false);
+}
-NTSTATUS rpccli_lsa_lookup_names(struct rpc_pipe_client *cli,
+NTSTATUS rpccli_lsa_lookup_sids3(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx,
- POLICY_HND *pol, int num_names,
- const char **names,
- const char ***dom_names,
- int level,
- DOM_SID **sids,
- enum lsa_SidType **types)
+ struct policy_handle *pol,
+ int num_sids,
+ const struct dom_sid *sids,
+ char ***pdomains,
+ char ***pnames,
+ enum lsa_SidType **ptypes)
+{
+ return rpccli_lsa_lookup_sids_generic(cli, mem_ctx, pol, num_sids, sids,
+ pdomains, pnames, ptypes, true);
+}
+
+/** Lookup a list of names */
+
+static NTSTATUS rpccli_lsa_lookup_names_generic(struct rpc_pipe_client *cli,
+ TALLOC_CTX *mem_ctx,
+ struct policy_handle *pol, int num_names,
+ const char **names,
+ const char ***dom_names,
+ int level,
+ struct dom_sid **sids,
+ enum lsa_SidType **types,
+ bool use_lookupnames4)
{
NTSTATUS result;
int i;
struct lsa_String *lsa_names = NULL;
struct lsa_RefDomainList *domains = NULL;
struct lsa_TransSidArray sid_array;
+ struct lsa_TransSidArray3 sid_array3;
uint32_t count = 0;
ZERO_STRUCT(sid_array);
+ ZERO_STRUCT(sid_array3);
lsa_names = TALLOC_ARRAY(mem_ctx, struct lsa_String, num_names);
if (!lsa_names) {
init_lsa_String(&lsa_names[i], names[i]);
}
- result = rpccli_lsa_LookupNames(cli, mem_ctx,
- pol,
- num_names,
- lsa_names,
- &domains,
- &sid_array,
- level,
- &count);
+ if (use_lookupnames4) {
+ result = rpccli_lsa_LookupNames4(cli, mem_ctx,
+ num_names,
+ lsa_names,
+ &domains,
+ &sid_array3,
+ level,
+ &count,
+ 0,
+ 0);
+ } else {
+ result = rpccli_lsa_LookupNames(cli, mem_ctx,
+ pol,
+ num_names,
+ lsa_names,
+ &domains,
+ &sid_array,
+ level,
+ &count);
+ }
if (!NT_STATUS_IS_OK(result) && NT_STATUS_V(result) !=
NT_STATUS_V(STATUS_SOME_UNMAPPED)) {
}
if (num_names) {
- if (!((*sids = TALLOC_ARRAY(mem_ctx, DOM_SID, num_names)))) {
+ if (!((*sids = TALLOC_ARRAY(mem_ctx, struct dom_sid, num_names)))) {
DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
result = NT_STATUS_NO_MEMORY;
goto done;
}
for (i = 0; i < num_names; i++) {
- uint32_t dom_idx = sid_array.sids[i].sid_index;
- uint32_t dom_rid = sid_array.sids[i].rid;
- DOM_SID *sid = &(*sids)[i];
+ uint32_t dom_idx;
+ struct dom_sid *sid = &(*sids)[i];
+
+ if (use_lookupnames4) {
+ dom_idx = sid_array3.sids[i].sid_index;
+ (*types)[i] = sid_array3.sids[i].sid_type;
+ } else {
+ dom_idx = sid_array.sids[i].sid_index;
+ (*types)[i] = sid_array.sids[i].sid_type;
+ }
/* Translate optimised sid through domain index array */
continue;
}
- sid_copy(sid, domains->domains[dom_idx].sid);
+ if (use_lookupnames4) {
+ sid_copy(sid, sid_array3.sids[i].sid);
+ } else {
+ sid_copy(sid, domains->domains[dom_idx].sid);
- if (dom_rid != 0xffffffff) {
- sid_append_rid(sid, dom_rid);
+ if (sid_array.sids[i].rid != 0xffffffff) {
+ sid_append_rid(sid, sid_array.sids[i].rid);
+ }
}
- (*types)[i] = sid_array.sids[i].sid_type;
-
if (dom_names == NULL) {
continue;
}
return result;
}
-#if 0
-
-/** An example of how to use the routines in this file. Fetch a DOMAIN
- sid. Does complete cli setup / teardown anonymously. */
-
-bool fetch_domain_sid( char *domain, char *remote_machine, DOM_SID *psid)
+NTSTATUS rpccli_lsa_lookup_names(struct rpc_pipe_client *cli,
+ TALLOC_CTX *mem_ctx,
+ struct policy_handle *pol, int num_names,
+ const char **names,
+ const char ***dom_names,
+ int level,
+ struct dom_sid **sids,
+ enum lsa_SidType **types)
{
- struct cli_state cli;
- NTSTATUS result;
- POLICY_HND lsa_pol;
- bool ret = False;
-
- ZERO_STRUCT(cli);
- if(cli_initialise(&cli) == False) {
- DEBUG(0,("fetch_domain_sid: unable to initialize client connection.\n"));
- return False;
- }
-
- if(!resolve_name( remote_machine, &cli.dest_ip, 0x20)) {
- DEBUG(0,("fetch_domain_sid: Can't resolve address for %s\n", remote_machine));
- goto done;
- }
-
- if (!cli_connect(&cli, remote_machine, &cli.dest_ip)) {
- DEBUG(0,("fetch_domain_sid: unable to connect to SMB server on \
-machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
- goto done;
- }
-
- if (!attempt_netbios_session_request(&cli, global_myname(), remote_machine, &cli.dest_ip)) {
- DEBUG(0,("fetch_domain_sid: machine %s rejected the NetBIOS session request.\n",
- remote_machine));
- goto done;
- }
-
- cli.protocol = PROTOCOL_NT1;
-
- if (!cli_negprot(&cli)) {
- DEBUG(0,("fetch_domain_sid: machine %s rejected the negotiate protocol. \
-Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
- goto done;
- }
-
- if (cli.protocol != PROTOCOL_NT1) {
- DEBUG(0,("fetch_domain_sid: machine %s didn't negotiate NT protocol.\n",
- remote_machine));
- goto done;
- }
-
- /*
- * Do an anonymous session setup.
- */
-
- if (!cli_session_setup(&cli, "", "", 0, "", 0, "")) {
- DEBUG(0,("fetch_domain_sid: machine %s rejected the session setup. \
-Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
- goto done;
- }
-
- if (!(cli.sec_mode & NEGOTIATE_SECURITY_USER_LEVEL)) {
- DEBUG(0,("fetch_domain_sid: machine %s isn't in user level security mode\n",
- remote_machine));
- goto done;
- }
-
- if (!cli_send_tconX(&cli, "IPC$", "IPC", "", 1)) {
- DEBUG(0,("fetch_domain_sid: machine %s rejected the tconX on the IPC$ share. \
-Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
- goto done;
- }
-
- /* Fetch domain sid */
-
- if (!cli_nt_session_open(&cli, PI_LSARPC)) {
- DEBUG(0, ("fetch_domain_sid: Error connecting to SAM pipe\n"));
- goto done;
- }
-
- result = cli_lsa_open_policy(&cli, cli.mem_ctx, True, SEC_RIGHTS_QUERY_VALUE, &lsa_pol);
- if (!NT_STATUS_IS_OK(result)) {
- DEBUG(0, ("fetch_domain_sid: Error opening lsa policy handle. %s\n",
- nt_errstr(result) ));
- goto done;
- }
-
- result = cli_lsa_query_info_policy(&cli, cli.mem_ctx, &lsa_pol, 5, domain, psid);
- if (!NT_STATUS_IS_OK(result)) {
- DEBUG(0, ("fetch_domain_sid: Error querying lsa policy handle. %s\n",
- nt_errstr(result) ));
- goto done;
- }
-
- ret = True;
-
- done:
-
- cli_shutdown(&cli);
- return ret;
+ return rpccli_lsa_lookup_names_generic(cli, mem_ctx, pol, num_names,
+ names, dom_names, level, sids,
+ types, false);
}
-#endif
+NTSTATUS rpccli_lsa_lookup_names4(struct rpc_pipe_client *cli,
+ TALLOC_CTX *mem_ctx,
+ struct policy_handle *pol, int num_names,
+ const char **names,
+ const char ***dom_names,
+ int level,
+ struct dom_sid **sids,
+ enum lsa_SidType **types)
+{
+ return rpccli_lsa_lookup_names_generic(cli, mem_ctx, pol, num_names,
+ names, dom_names, level, sids,
+ types, true);
+}