2 Unix SMB/CIFS implementation.
4 Copyright (C) Tim Potter 2000-2001,
5 Copyright (C) Andrew Tridgell 1992-1997,2000,
6 Copyright (C) Rafal Szczesniak 2002
7 Copyright (C) Jeremy Allison 2005.
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 2 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
26 /** @defgroup lsa LSA - Local Security Architecture
35 * RPC client routines for the LSA RPC pipe. LSA means "local
36 * security authority", which is half of a password database.
39 /** Open a LSA policy handle
41 * @param cli Handle on an initialised SMB connection */
43 NTSTATUS rpccli_lsa_open_policy(struct rpc_pipe_client *cli,
45 BOOL sec_qos, uint32 des_access,
48 prs_struct qbuf, rbuf;
57 /* Initialise input parameters */
60 init_lsa_sec_qos(&qos, 2, 1, 0);
61 init_q_open_pol(&q, '\\', 0, des_access, &qos);
63 init_q_open_pol(&q, '\\', 0, des_access, NULL);
66 /* Marshall data and send request */
68 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_OPENPOLICY,
73 NT_STATUS_UNSUCCESSFUL );
75 /* Return output parameters */
79 if (NT_STATUS_IS_OK(result)) {
82 pol->marker = MALLOC(1);
89 /** Open a LSA policy handle
91 * @param cli Handle on an initialised SMB connection
94 NTSTATUS rpccli_lsa_open_policy2(struct rpc_pipe_client *cli,
95 TALLOC_CTX *mem_ctx, BOOL sec_qos,
96 uint32 des_access, POLICY_HND *pol)
98 prs_struct qbuf, rbuf;
103 char *srv_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", cli->cli->desthost);
109 init_lsa_sec_qos(&qos, 2, 1, 0);
110 init_q_open_pol2(&q, srv_name_slash, 0, des_access, &qos);
112 init_q_open_pol2(&q, srv_name_slash, 0, des_access, NULL);
115 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_OPENPOLICY2,
120 NT_STATUS_UNSUCCESSFUL );
122 /* Return output parameters */
126 if (NT_STATUS_IS_OK(result)) {
129 pol->marker = (char *)malloc(1);
136 /** Close a LSA policy handle */
138 NTSTATUS rpccli_lsa_close(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
141 prs_struct qbuf, rbuf;
149 init_lsa_q_close(&q, pol);
151 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_CLOSE,
156 NT_STATUS_UNSUCCESSFUL );
158 /* Return output parameters */
162 if (NT_STATUS_IS_OK(result)) {
164 SAFE_FREE(pol->marker);
172 /** Lookup a list of sids */
174 NTSTATUS rpccli_lsa_lookup_sids(struct rpc_pipe_client *cli,
176 POLICY_HND *pol, int num_sids,
178 char ***domains, char ***names, uint32 **types)
180 prs_struct qbuf, rbuf;
184 LSA_TRANS_NAME_ENUM t_names;
185 NTSTATUS result = NT_STATUS_OK;
191 init_q_lookup_sids(mem_ctx, &q, pol, num_sids, sids, 1);
194 ZERO_STRUCT(t_names);
199 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_LOOKUPSIDS,
202 lsa_io_q_lookup_sids,
203 lsa_io_r_lookup_sids,
204 NT_STATUS_UNSUCCESSFUL );
206 if (!NT_STATUS_IS_OK(r.status) &&
207 NT_STATUS_V(r.status) != NT_STATUS_V(STATUS_SOME_UNMAPPED)) {
209 /* An actual error occured */
215 /* Return output parameters */
217 if (r.mapped_count == 0) {
218 result = NT_STATUS_NONE_MAPPED;
222 if (!((*domains) = TALLOC_ARRAY(mem_ctx, char *, num_sids))) {
223 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
224 result = NT_STATUS_NO_MEMORY;
228 if (!((*names) = TALLOC_ARRAY(mem_ctx, char *, num_sids))) {
229 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
230 result = NT_STATUS_NO_MEMORY;
234 if (!((*types) = TALLOC_ARRAY(mem_ctx, uint32, num_sids))) {
235 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
236 result = NT_STATUS_NO_MEMORY;
240 for (i = 0; i < num_sids; i++) {
241 fstring name, dom_name;
242 uint32 dom_idx = t_names.name[i].domain_idx;
244 /* Translate optimised name through domain index array */
246 if (dom_idx != 0xffffffff) {
248 rpcstr_pull_unistr2_fstring(
249 dom_name, &ref.ref_dom[dom_idx].uni_dom_name);
250 rpcstr_pull_unistr2_fstring(
251 name, &t_names.uni_name[i]);
253 (*names)[i] = talloc_strdup(mem_ctx, name);
254 (*domains)[i] = talloc_strdup(mem_ctx, dom_name);
255 (*types)[i] = t_names.name[i].sid_name_use;
257 if (((*names)[i] == NULL) || ((*domains)[i] == NULL)) {
258 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
259 result = NT_STATUS_UNSUCCESSFUL;
265 (*domains)[i] = NULL;
266 (*types)[i] = SID_NAME_UNKNOWN;
275 /** Lookup a list of names */
277 NTSTATUS rpccli_lsa_lookup_names(struct rpc_pipe_client *cli,
279 POLICY_HND *pol, int num_names,
281 const char ***dom_names,
285 prs_struct qbuf, rbuf;
286 LSA_Q_LOOKUP_NAMES q;
287 LSA_R_LOOKUP_NAMES r;
298 init_q_lookup_names(mem_ctx, &q, pol, num_names, names);
300 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_LOOKUPNAMES,
303 lsa_io_q_lookup_names,
304 lsa_io_r_lookup_names,
305 NT_STATUS_UNSUCCESSFUL);
309 if (!NT_STATUS_IS_OK(result) && NT_STATUS_V(result) !=
310 NT_STATUS_V(STATUS_SOME_UNMAPPED)) {
312 /* An actual error occured */
317 /* Return output parameters */
319 if (r.mapped_count == 0) {
320 result = NT_STATUS_NONE_MAPPED;
324 if (!((*sids = TALLOC_ARRAY(mem_ctx, DOM_SID, num_names)))) {
325 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
326 result = NT_STATUS_NO_MEMORY;
330 if (!((*types = TALLOC_ARRAY(mem_ctx, uint32, num_names)))) {
331 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
332 result = NT_STATUS_NO_MEMORY;
336 if (dom_names != NULL) {
337 *dom_names = TALLOC_ARRAY(mem_ctx, const char *, num_names);
338 if (*dom_names == NULL) {
339 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
340 result = NT_STATUS_NO_MEMORY;
345 for (i = 0; i < num_names; i++) {
346 DOM_RID *t_rids = r.dom_rid;
347 uint32 dom_idx = t_rids[i].rid_idx;
348 uint32 dom_rid = t_rids[i].rid;
349 DOM_SID *sid = &(*sids)[i];
351 /* Translate optimised sid through domain index array */
353 if (dom_idx == 0xffffffff) {
354 /* Nothing to do, this is unknown */
356 (*types)[i] = SID_NAME_UNKNOWN;
360 sid_copy(sid, &ref.ref_dom[dom_idx].ref_dom.sid);
362 if (dom_rid != 0xffffffff) {
363 sid_append_rid(sid, dom_rid);
366 (*types)[i] = t_rids[i].type;
368 if (dom_names == NULL) {
372 (*dom_names)[i] = rpcstr_pull_unistr2_talloc(
373 *dom_names, &ref.ref_dom[dom_idx].uni_dom_name);
381 /** Query info policy
383 * @param domain_sid - returned remote server's domain sid */
385 NTSTATUS rpccli_lsa_query_info_policy(struct rpc_pipe_client *cli,
387 POLICY_HND *pol, uint16 info_class,
388 char **domain_name, DOM_SID **domain_sid)
390 prs_struct qbuf, rbuf;
398 init_q_query(&q, pol, info_class);
400 CLI_DO_RPC(cli, mem_ctx, PI_LSARPC, LSA_QUERYINFOPOLICY,
405 NT_STATUS_UNSUCCESSFUL);
409 if (!NT_STATUS_IS_OK(result)) {
413 /* Return output parameters */
415 switch (info_class) {
418 if (domain_name && (r.dom.id3.buffer_dom_name != 0)) {
419 *domain_name = unistr2_tdup(mem_ctx,
423 return NT_STATUS_NO_MEMORY;
427 if (domain_sid && (r.dom.id3.buffer_dom_sid != 0)) {
428 *domain_sid = TALLOC_P(mem_ctx, DOM_SID);
430 return NT_STATUS_NO_MEMORY;
432 sid_copy(*domain_sid, &r.dom.id3.dom_sid.sid);
439 if (domain_name && (r.dom.id5.buffer_dom_name != 0)) {
440 *domain_name = unistr2_tdup(mem_ctx,
444 return NT_STATUS_NO_MEMORY;
448 if (domain_sid && (r.dom.id5.buffer_dom_sid != 0)) {
449 *domain_sid = TALLOC_P(mem_ctx, DOM_SID);
451 return NT_STATUS_NO_MEMORY;
453 sid_copy(*domain_sid, &r.dom.id5.dom_sid.sid);
458 DEBUG(3, ("unknown info class %d\n", info_class));
467 /** Query info policy2
469 * @param domain_name - returned remote server's domain name
470 * @param dns_name - returned remote server's dns domain name
471 * @param forest_name - returned remote server's forest name
472 * @param domain_guid - returned remote server's domain guid
473 * @param domain_sid - returned remote server's domain sid */
475 NTSTATUS rpccli_lsa_query_info_policy2(struct rpc_pipe_client *cli,
477 POLICY_HND *pol, uint16 info_class,
478 char **domain_name, char **dns_name,
480 struct uuid **domain_guid,
481 DOM_SID **domain_sid)
483 prs_struct qbuf, rbuf;
486 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
488 if (info_class != 12)
494 init_q_query2(&q, pol, info_class);
496 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_QUERYINFO2,
499 lsa_io_q_query_info2,
500 lsa_io_r_query_info2,
501 NT_STATUS_UNSUCCESSFUL);
505 if (!NT_STATUS_IS_OK(result)) {
509 /* Return output parameters */
511 ZERO_STRUCTP(domain_guid);
513 if (domain_name && r.info.dns_dom_info.hdr_nb_dom_name.buffer) {
514 *domain_name = unistr2_tdup(mem_ctx,
518 return NT_STATUS_NO_MEMORY;
521 if (dns_name && r.info.dns_dom_info.hdr_dns_dom_name.buffer) {
522 *dns_name = unistr2_tdup(mem_ctx,
526 return NT_STATUS_NO_MEMORY;
529 if (forest_name && r.info.dns_dom_info.hdr_forest_name.buffer) {
530 *forest_name = unistr2_tdup(mem_ctx,
534 return NT_STATUS_NO_MEMORY;
539 *domain_guid = TALLOC_P(mem_ctx, struct uuid);
541 return NT_STATUS_NO_MEMORY;
544 &r.info.dns_dom_info.dom_guid,
545 sizeof(struct uuid));
548 if (domain_sid && r.info.dns_dom_info.ptr_dom_sid != 0) {
549 *domain_sid = TALLOC_P(mem_ctx, DOM_SID);
551 return NT_STATUS_NO_MEMORY;
553 sid_copy(*domain_sid,
554 &r.info.dns_dom_info.dom_sid.sid);
563 * Enumerate list of trusted domains
565 * @param cli client state (cli_state) structure of the connection
566 * @param mem_ctx memory context
567 * @param pol opened lsa policy handle
568 * @param enum_ctx enumeration context ie. index of first returned domain entry
569 * @param pref_num_domains preferred max number of entries returned in one response
570 * @param num_domains total number of trusted domains returned by response
571 * @param domain_names returned trusted domain names
572 * @param domain_sids returned trusted domain sids
574 * @return nt status code of response
577 NTSTATUS rpccli_lsa_enum_trust_dom(struct rpc_pipe_client *cli,
579 POLICY_HND *pol, uint32 *enum_ctx,
581 char ***domain_names, DOM_SID **domain_sids)
583 prs_struct qbuf, rbuf;
584 LSA_Q_ENUM_TRUST_DOM in;
585 LSA_R_ENUM_TRUST_DOM out;
592 /* 64k is enough for about 2000 trusted domains */
594 init_q_enum_trust_dom(&in, pol, *enum_ctx, 0x10000);
596 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_ENUMTRUSTDOM,
599 lsa_io_q_enum_trust_dom,
600 lsa_io_r_enum_trust_dom,
601 NT_STATUS_UNSUCCESSFUL );
604 /* check for an actual error */
606 if ( !NT_STATUS_IS_OK(out.status)
607 && !NT_STATUS_EQUAL(out.status, NT_STATUS_NO_MORE_ENTRIES)
608 && !NT_STATUS_EQUAL(out.status, STATUS_MORE_ENTRIES) )
613 /* Return output parameters */
615 *num_domains = out.count;
616 *enum_ctx = out.enum_context;
620 /* Allocate memory for trusted domain names and sids */
622 if ( !(*domain_names = TALLOC_ARRAY(mem_ctx, char *, out.count)) ) {
623 DEBUG(0, ("cli_lsa_enum_trust_dom(): out of memory\n"));
624 return NT_STATUS_NO_MEMORY;
627 if ( !(*domain_sids = TALLOC_ARRAY(mem_ctx, DOM_SID, out.count)) ) {
628 DEBUG(0, ("cli_lsa_enum_trust_dom(): out of memory\n"));
629 return NT_STATUS_NO_MEMORY;
632 /* Copy across names and sids */
634 for (i = 0; i < out.count; i++) {
636 rpcstr_pull( tmp, out.domlist->domains[i].name.string->buffer,
637 sizeof(tmp), out.domlist->domains[i].name.length, 0);
638 (*domain_names)[i] = talloc_strdup(mem_ctx, tmp);
640 sid_copy(&(*domain_sids)[i], &out.domlist->domains[i].sid->sid );
647 /** Enumerate privileges*/
649 NTSTATUS rpccli_lsa_enum_privilege(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
650 POLICY_HND *pol, uint32 *enum_context, uint32 pref_max_length,
651 uint32 *count, char ***privs_name, uint32 **privs_high, uint32 **privs_low)
653 prs_struct qbuf, rbuf;
662 init_q_enum_privs(&q, pol, *enum_context, pref_max_length);
664 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_ENUM_PRIVS,
669 NT_STATUS_UNSUCCESSFUL);
673 if (!NT_STATUS_IS_OK(result)) {
677 /* Return output parameters */
679 *enum_context = r.enum_context;
682 if (!((*privs_name = TALLOC_ARRAY(mem_ctx, char *, r.count)))) {
683 DEBUG(0, ("(cli_lsa_enum_privilege): out of memory\n"));
684 result = NT_STATUS_UNSUCCESSFUL;
688 if (!((*privs_high = TALLOC_ARRAY(mem_ctx, uint32, r.count)))) {
689 DEBUG(0, ("(cli_lsa_enum_privilege): out of memory\n"));
690 result = NT_STATUS_UNSUCCESSFUL;
694 if (!((*privs_low = TALLOC_ARRAY(mem_ctx, uint32, r.count)))) {
695 DEBUG(0, ("(cli_lsa_enum_privilege): out of memory\n"));
696 result = NT_STATUS_UNSUCCESSFUL;
700 for (i = 0; i < r.count; i++) {
703 rpcstr_pull_unistr2_fstring( name, &r.privs[i].name);
705 (*privs_name)[i] = talloc_strdup(mem_ctx, name);
707 (*privs_high)[i] = r.privs[i].luid_high;
708 (*privs_low)[i] = r.privs[i].luid_low;
716 /** Get privilege name */
718 NTSTATUS rpccli_lsa_get_dispname(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
719 POLICY_HND *pol, const char *name,
720 uint16 lang_id, uint16 lang_id_sys,
721 fstring description, uint16 *lang_id_desc)
723 prs_struct qbuf, rbuf;
724 LSA_Q_PRIV_GET_DISPNAME q;
725 LSA_R_PRIV_GET_DISPNAME r;
731 init_lsa_priv_get_dispname(&q, pol, name, lang_id, lang_id_sys);
733 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_PRIV_GET_DISPNAME,
736 lsa_io_q_priv_get_dispname,
737 lsa_io_r_priv_get_dispname,
738 NT_STATUS_UNSUCCESSFUL);
742 if (!NT_STATUS_IS_OK(result)) {
746 /* Return output parameters */
748 rpcstr_pull_unistr2_fstring(description , &r.desc);
749 *lang_id_desc = r.lang_id;
756 /** Enumerate list of SIDs */
758 NTSTATUS rpccli_lsa_enum_sids(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
759 POLICY_HND *pol, uint32 *enum_ctx, uint32 pref_max_length,
760 uint32 *num_sids, DOM_SID **sids)
762 prs_struct qbuf, rbuf;
763 LSA_Q_ENUM_ACCOUNTS q;
764 LSA_R_ENUM_ACCOUNTS r;
771 init_lsa_q_enum_accounts(&q, pol, *enum_ctx, pref_max_length);
773 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_ENUM_ACCOUNTS,
776 lsa_io_q_enum_accounts,
777 lsa_io_r_enum_accounts,
778 NT_STATUS_UNSUCCESSFUL);
782 if (!NT_STATUS_IS_OK(result)) {
786 if (r.sids.num_entries==0)
789 /* Return output parameters */
791 *sids = TALLOC_ARRAY(mem_ctx, DOM_SID, r.sids.num_entries);
793 DEBUG(0, ("(cli_lsa_enum_sids): out of memory\n"));
794 result = NT_STATUS_UNSUCCESSFUL;
798 /* Copy across names and sids */
800 for (i = 0; i < r.sids.num_entries; i++) {
801 sid_copy(&(*sids)[i], &r.sids.sid[i].sid);
804 *num_sids= r.sids.num_entries;
805 *enum_ctx = r.enum_context;
812 /** Create a LSA user handle
814 * @param cli Handle on an initialised SMB connection
816 * FIXME: The code is actually identical to open account
817 * TODO: Check and code what the function should exactly do
821 NTSTATUS rpccli_lsa_create_account(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
822 POLICY_HND *dom_pol, DOM_SID *sid, uint32 desired_access,
823 POLICY_HND *user_pol)
825 prs_struct qbuf, rbuf;
826 LSA_Q_CREATEACCOUNT q;
827 LSA_R_CREATEACCOUNT r;
833 /* Initialise input parameters */
835 init_lsa_q_create_account(&q, dom_pol, sid, desired_access);
837 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_CREATEACCOUNT,
840 lsa_io_q_create_account,
841 lsa_io_r_create_account,
842 NT_STATUS_UNSUCCESSFUL);
844 /* Return output parameters */
848 if (NT_STATUS_IS_OK(result)) {
855 /** Open a LSA user handle
857 * @param cli Handle on an initialised SMB connection */
859 NTSTATUS rpccli_lsa_open_account(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
860 POLICY_HND *dom_pol, DOM_SID *sid, uint32 des_access,
861 POLICY_HND *user_pol)
863 prs_struct qbuf, rbuf;
871 /* Initialise input parameters */
873 init_lsa_q_open_account(&q, dom_pol, sid, des_access);
875 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_OPENACCOUNT,
878 lsa_io_q_open_account,
879 lsa_io_r_open_account,
880 NT_STATUS_UNSUCCESSFUL);
882 /* Return output parameters */
886 if (NT_STATUS_IS_OK(result)) {
893 /** Enumerate user privileges
895 * @param cli Handle on an initialised SMB connection */
897 NTSTATUS rpccli_lsa_enum_privsaccount(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
898 POLICY_HND *pol, uint32 *count, LUID_ATTR **set)
900 prs_struct qbuf, rbuf;
901 LSA_Q_ENUMPRIVSACCOUNT q;
902 LSA_R_ENUMPRIVSACCOUNT r;
909 /* Initialise input parameters */
911 init_lsa_q_enum_privsaccount(&q, pol);
913 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_ENUMPRIVSACCOUNT,
916 lsa_io_q_enum_privsaccount,
917 lsa_io_r_enum_privsaccount,
918 NT_STATUS_UNSUCCESSFUL);
920 /* Return output parameters */
924 if (!NT_STATUS_IS_OK(result)) {
931 if (!((*set = TALLOC_ARRAY(mem_ctx, LUID_ATTR, r.count)))) {
932 DEBUG(0, ("(cli_lsa_enum_privsaccount): out of memory\n"));
933 result = NT_STATUS_UNSUCCESSFUL;
937 for (i=0; i<r.count; i++) {
938 (*set)[i].luid.low = r.set.set[i].luid.low;
939 (*set)[i].luid.high = r.set.set[i].luid.high;
940 (*set)[i].attr = r.set.set[i].attr;
949 /** Get a privilege value given its name */
951 NTSTATUS rpccli_lsa_lookup_priv_value(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
952 POLICY_HND *pol, const char *name, LUID *luid)
954 prs_struct qbuf, rbuf;
955 LSA_Q_LOOKUP_PRIV_VALUE q;
956 LSA_R_LOOKUP_PRIV_VALUE r;
962 /* Marshall data and send request */
964 init_lsa_q_lookup_priv_value(&q, pol, name);
966 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_LOOKUPPRIVVALUE,
969 lsa_io_q_lookup_priv_value,
970 lsa_io_r_lookup_priv_value,
971 NT_STATUS_UNSUCCESSFUL);
975 if (!NT_STATUS_IS_OK(result)) {
979 /* Return output parameters */
981 (*luid).low=r.luid.low;
982 (*luid).high=r.luid.high;
989 /** Query LSA security object */
991 NTSTATUS rpccli_lsa_query_secobj(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
992 POLICY_HND *pol, uint32 sec_info,
995 prs_struct qbuf, rbuf;
996 LSA_Q_QUERY_SEC_OBJ q;
997 LSA_R_QUERY_SEC_OBJ r;
1003 /* Marshall data and send request */
1005 init_q_query_sec_obj(&q, pol, sec_info);
1007 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_QUERYSECOBJ,
1010 lsa_io_q_query_sec_obj,
1011 lsa_io_r_query_sec_obj,
1012 NT_STATUS_UNSUCCESSFUL);
1016 if (!NT_STATUS_IS_OK(result)) {
1020 /* Return output parameters */
1031 /* Enumerate account rights This is similar to enum_privileges but
1032 takes a SID directly, avoiding the open_account call.
1035 NTSTATUS rpccli_lsa_enum_account_rights(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1036 POLICY_HND *pol, DOM_SID *sid,
1037 uint32 *count, char ***priv_names)
1039 prs_struct qbuf, rbuf;
1040 LSA_Q_ENUM_ACCT_RIGHTS q;
1041 LSA_R_ENUM_ACCT_RIGHTS r;
1044 fstring *privileges;
1050 /* Marshall data and send request */
1051 init_q_enum_acct_rights(&q, pol, 2, sid);
1053 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_ENUMACCTRIGHTS,
1056 lsa_io_q_enum_acct_rights,
1057 lsa_io_r_enum_acct_rights,
1058 NT_STATUS_UNSUCCESSFUL);
1062 if (!NT_STATUS_IS_OK(result)) {
1072 privileges = TALLOC_ARRAY( mem_ctx, fstring, *count );
1073 names = TALLOC_ARRAY( mem_ctx, char *, *count );
1075 for ( i=0; i<*count; i++ ) {
1076 UNISTR4 *uni_string = &r.rights->strings[i];
1078 if ( !uni_string->string )
1081 rpcstr_pull( privileges[i], uni_string->string->buffer, sizeof(privileges[i]), -1, STR_TERMINATE );
1083 /* now copy to the return array */
1084 names[i] = talloc_strdup( mem_ctx, privileges[i] );
1087 *priv_names = names;
1096 /* add account rights to an account. */
1098 NTSTATUS rpccli_lsa_add_account_rights(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1099 POLICY_HND *pol, DOM_SID sid,
1100 uint32 count, const char **privs_name)
1102 prs_struct qbuf, rbuf;
1103 LSA_Q_ADD_ACCT_RIGHTS q;
1104 LSA_R_ADD_ACCT_RIGHTS r;
1110 /* Marshall data and send request */
1111 init_q_add_acct_rights(&q, pol, &sid, count, privs_name);
1113 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_ADDACCTRIGHTS,
1116 lsa_io_q_add_acct_rights,
1117 lsa_io_r_add_acct_rights,
1118 NT_STATUS_UNSUCCESSFUL);
1122 if (!NT_STATUS_IS_OK(result)) {
1131 /* remove account rights for an account. */
1133 NTSTATUS rpccli_lsa_remove_account_rights(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1134 POLICY_HND *pol, DOM_SID sid, BOOL removeall,
1135 uint32 count, const char **privs_name)
1137 prs_struct qbuf, rbuf;
1138 LSA_Q_REMOVE_ACCT_RIGHTS q;
1139 LSA_R_REMOVE_ACCT_RIGHTS r;
1145 /* Marshall data and send request */
1146 init_q_remove_acct_rights(&q, pol, &sid, removeall?1:0, count, privs_name);
1148 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_REMOVEACCTRIGHTS,
1151 lsa_io_q_remove_acct_rights,
1152 lsa_io_r_remove_acct_rights,
1153 NT_STATUS_UNSUCCESSFUL);
1157 if (!NT_STATUS_IS_OK(result)) {
1168 /** An example of how to use the routines in this file. Fetch a DOMAIN
1169 sid. Does complete cli setup / teardown anonymously. */
1171 BOOL fetch_domain_sid( char *domain, char *remote_machine, DOM_SID *psid)
1173 extern pstring global_myname;
1174 struct cli_state cli;
1180 if(cli_initialise(&cli) == False) {
1181 DEBUG(0,("fetch_domain_sid: unable to initialize client connection.\n"));
1185 if(!resolve_name( remote_machine, &cli.dest_ip, 0x20)) {
1186 DEBUG(0,("fetch_domain_sid: Can't resolve address for %s\n", remote_machine));
1190 if (!cli_connect(&cli, remote_machine, &cli.dest_ip)) {
1191 DEBUG(0,("fetch_domain_sid: unable to connect to SMB server on \
1192 machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
1196 if (!attempt_netbios_session_request(&cli, global_myname, remote_machine, &cli.dest_ip)) {
1197 DEBUG(0,("fetch_domain_sid: machine %s rejected the NetBIOS session request.\n",
1202 cli.protocol = PROTOCOL_NT1;
1204 if (!cli_negprot(&cli)) {
1205 DEBUG(0,("fetch_domain_sid: machine %s rejected the negotiate protocol. \
1206 Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
1210 if (cli.protocol != PROTOCOL_NT1) {
1211 DEBUG(0,("fetch_domain_sid: machine %s didn't negotiate NT protocol.\n",
1217 * Do an anonymous session setup.
1220 if (!cli_session_setup(&cli, "", "", 0, "", 0, "")) {
1221 DEBUG(0,("fetch_domain_sid: machine %s rejected the session setup. \
1222 Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
1226 if (!(cli.sec_mode & NEGOTIATE_SECURITY_USER_LEVEL)) {
1227 DEBUG(0,("fetch_domain_sid: machine %s isn't in user level security mode\n",
1232 if (!cli_send_tconX(&cli, "IPC$", "IPC", "", 1)) {
1233 DEBUG(0,("fetch_domain_sid: machine %s rejected the tconX on the IPC$ share. \
1234 Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
1238 /* Fetch domain sid */
1240 if (!cli_nt_session_open(&cli, PI_LSARPC)) {
1241 DEBUG(0, ("fetch_domain_sid: Error connecting to SAM pipe\n"));
1245 result = cli_lsa_open_policy(&cli, cli.mem_ctx, True, SEC_RIGHTS_QUERY_VALUE, &lsa_pol);
1246 if (!NT_STATUS_IS_OK(result)) {
1247 DEBUG(0, ("fetch_domain_sid: Error opening lsa policy handle. %s\n",
1248 nt_errstr(result) ));
1252 result = cli_lsa_query_info_policy(&cli, cli.mem_ctx, &lsa_pol, 5, domain, psid);
1253 if (!NT_STATUS_IS_OK(result)) {
1254 DEBUG(0, ("fetch_domain_sid: Error querying lsa policy handle. %s\n",
1255 nt_errstr(result) ));
1269 NTSTATUS rpccli_lsa_open_trusted_domain(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1270 POLICY_HND *pol, DOM_SID *dom_sid, uint32 access_mask,
1271 POLICY_HND *trustdom_pol)
1273 prs_struct qbuf, rbuf;
1274 LSA_Q_OPEN_TRUSTED_DOMAIN q;
1275 LSA_R_OPEN_TRUSTED_DOMAIN r;
1281 /* Initialise input parameters */
1283 init_lsa_q_open_trusted_domain(&q, pol, dom_sid, access_mask);
1285 /* Marshall data and send request */
1287 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_OPENTRUSTDOM,
1290 lsa_io_q_open_trusted_domain,
1291 lsa_io_r_open_trusted_domain,
1292 NT_STATUS_UNSUCCESSFUL);
1294 /* Return output parameters */
1298 if (NT_STATUS_IS_OK(result)) {
1299 *trustdom_pol = r.handle;
1305 NTSTATUS rpccli_lsa_query_trusted_domain_info(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1308 LSA_TRUSTED_DOMAIN_INFO **info)
1310 prs_struct qbuf, rbuf;
1311 LSA_Q_QUERY_TRUSTED_DOMAIN_INFO q;
1312 LSA_R_QUERY_TRUSTED_DOMAIN_INFO r;
1313 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1318 /* Marshall data and send request */
1320 init_q_query_trusted_domain_info(&q, pol, info_class);
1322 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_QUERYTRUSTDOMINFO,
1325 lsa_io_q_query_trusted_domain_info,
1326 lsa_io_r_query_trusted_domain_info,
1327 NT_STATUS_UNSUCCESSFUL);
1331 if (!NT_STATUS_IS_OK(result)) {
1341 NTSTATUS rpccli_lsa_open_trusted_domain_by_name(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1342 POLICY_HND *pol, const char *name, uint32 access_mask,
1343 POLICY_HND *trustdom_pol)
1345 prs_struct qbuf, rbuf;
1346 LSA_Q_OPEN_TRUSTED_DOMAIN_BY_NAME q;
1347 LSA_R_OPEN_TRUSTED_DOMAIN_BY_NAME r;
1353 /* Initialise input parameters */
1355 init_lsa_q_open_trusted_domain_by_name(&q, pol, name, access_mask);
1357 /* Marshall data and send request */
1359 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_OPENTRUSTDOMBYNAME,
1362 lsa_io_q_open_trusted_domain_by_name,
1363 lsa_io_r_open_trusted_domain_by_name,
1364 NT_STATUS_UNSUCCESSFUL);
1366 /* Return output parameters */
1370 if (NT_STATUS_IS_OK(result)) {
1371 *trustdom_pol = r.handle;
1378 NTSTATUS rpccli_lsa_query_trusted_domain_info_by_sid(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1380 uint16 info_class, DOM_SID *dom_sid,
1381 LSA_TRUSTED_DOMAIN_INFO **info)
1383 prs_struct qbuf, rbuf;
1384 LSA_Q_QUERY_TRUSTED_DOMAIN_INFO_BY_SID q;
1385 LSA_R_QUERY_TRUSTED_DOMAIN_INFO r;
1386 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1391 /* Marshall data and send request */
1393 init_q_query_trusted_domain_info_by_sid(&q, pol, info_class, dom_sid);
1395 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_QUERYTRUSTDOMINFOBYSID,
1398 lsa_io_q_query_trusted_domain_info_by_sid,
1399 lsa_io_r_query_trusted_domain_info,
1400 NT_STATUS_UNSUCCESSFUL);
1404 if (!NT_STATUS_IS_OK(result)) {
1415 NTSTATUS rpccli_lsa_query_trusted_domain_info_by_name(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1417 uint16 info_class, const char *domain_name,
1418 LSA_TRUSTED_DOMAIN_INFO **info)
1420 prs_struct qbuf, rbuf;
1421 LSA_Q_QUERY_TRUSTED_DOMAIN_INFO_BY_NAME q;
1422 LSA_R_QUERY_TRUSTED_DOMAIN_INFO r;
1423 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1428 /* Marshall data and send request */
1430 init_q_query_trusted_domain_info_by_name(&q, pol, info_class, domain_name);
1432 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_QUERYTRUSTDOMINFOBYNAME,
1435 lsa_io_q_query_trusted_domain_info_by_name,
1436 lsa_io_r_query_trusted_domain_info,
1437 NT_STATUS_UNSUCCESSFUL);
1441 if (!NT_STATUS_IS_OK(result)) {
1452 NTSTATUS cli_lsa_query_domain_info_policy(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1454 uint16 info_class, LSA_DOM_INFO_UNION **info)
1456 prs_struct qbuf, rbuf;
1457 LSA_Q_QUERY_DOM_INFO_POLICY q;
1458 LSA_R_QUERY_DOM_INFO_POLICY r;
1459 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1464 /* Marshall data and send request */
1466 init_q_query_dom_info(&q, pol, info_class);
1468 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_QUERYDOMINFOPOL,
1471 lsa_io_q_query_dom_info,
1472 lsa_io_r_query_dom_info,
1473 NT_STATUS_UNSUCCESSFUL);
1477 if (!NT_STATUS_IS_OK(result)) {