2 Unix SMB/CIFS implementation.
4 lsa calls for file sharing connections
6 Copyright (C) Andrew Tridgell 2004
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 when dealing with ACLs the file sharing client code needs to
24 sometimes make LSA RPC calls. This code provides an easy interface
25 for doing those calls.
29 #include "libcli/raw/libcliraw.h"
30 #include "libcli/libcli.h"
31 #include "libcli/security/security.h"
32 #include "librpc/gen_ndr/ndr_lsa.h"
33 #include "librpc/gen_ndr/ndr_lsa_c.h"
34 #include "libcli/util/clilsa.h"
35 #include "libcli/smb/smbXcli_base.h"
38 struct dcerpc_binding_handle *binding_handle;
39 struct smbcli_tree *ipc_tree;
40 struct policy_handle handle;
44 establish the lsa pipe connection
46 static NTSTATUS smblsa_connect(struct smbcli_state *cli)
48 struct smblsa_state *lsa;
49 struct dcerpc_pipe *lsa_pipe;
51 struct lsa_OpenPolicy r;
52 uint16_t system_name = '\\';
54 struct lsa_ObjectAttribute attr;
55 struct lsa_QosInfo qos;
57 if (cli->lsa != NULL) {
61 lsa = talloc(cli, struct smblsa_state);
63 return NT_STATUS_NO_MEMORY;
66 lsa->ipc_tree = smbcli_tree_init(cli->session, lsa, false);
67 if (lsa->ipc_tree == NULL) {
68 return NT_STATUS_NO_MEMORY;
72 tcon.generic.level = RAW_TCON_TCONX;
73 tcon.tconx.in.flags = TCONX_FLAG_EXTENDED_RESPONSE;
74 tcon.tconx.in.flags |= TCONX_FLAG_EXTENDED_SIGNATURES;
75 tcon.tconx.in.password = data_blob(NULL, 0);
76 tcon.tconx.in.path = "ipc$";
77 tcon.tconx.in.device = "IPC";
78 status = smb_raw_tcon(lsa->ipc_tree, lsa, &tcon);
79 if (!NT_STATUS_IS_OK(status)) {
83 lsa->ipc_tree->tid = tcon.tconx.out.tid;
85 if (tcon.tconx.out.options & SMB_EXTENDED_SIGNATURES) {
86 smb1cli_session_protect_session_key(cli->session->smbXcli);
89 lsa_pipe = dcerpc_pipe_init(lsa, cli->transport->ev);
90 if (lsa_pipe == NULL) {
92 return NT_STATUS_NO_MEMORY;
95 /* open the LSA pipe */
96 status = dcerpc_pipe_open_smb(lsa_pipe, lsa->ipc_tree, NDR_LSARPC_NAME);
97 if (!NT_STATUS_IS_OK(status)) {
102 /* bind to the LSA pipe */
103 status = dcerpc_bind_auth_none(lsa_pipe, &ndr_table_lsarpc);
104 if (!NT_STATUS_IS_OK(status)) {
108 lsa->binding_handle = lsa_pipe->binding_handle;
110 /* open a lsa policy handle */
112 qos.impersonation_level = 2;
113 qos.context_mode = 1;
114 qos.effective_only = 0;
117 attr.root_dir = NULL;
118 attr.object_name = NULL;
120 attr.sec_desc = NULL;
123 r.in.system_name = &system_name;
125 r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
126 r.out.handle = &lsa->handle;
128 status = dcerpc_lsa_OpenPolicy_r(lsa->binding_handle, lsa, &r);
129 if (!NT_STATUS_IS_OK(status)) {
134 if (!NT_STATUS_IS_OK(r.out.result)) {
146 return the set of privileges for the given sid
148 NTSTATUS smblsa_sid_privileges(struct smbcli_state *cli, struct dom_sid *sid,
150 struct lsa_RightSet *rights)
153 struct lsa_EnumAccountRights r;
155 status = smblsa_connect(cli);
156 if (!NT_STATUS_IS_OK(status)) {
160 r.in.handle = &cli->lsa->handle;
162 r.out.rights = rights;
164 status = dcerpc_lsa_EnumAccountRights_r(cli->lsa->binding_handle, mem_ctx, &r);
165 if (!NT_STATUS_IS_OK(status)) {
174 check if a named sid has a particular named privilege
176 NTSTATUS smblsa_sid_check_privilege(struct smbcli_state *cli,
178 const char *privilege)
180 struct lsa_RightSet rights;
182 TALLOC_CTX *mem_ctx = talloc_new(cli);
186 sid = dom_sid_parse_talloc(mem_ctx, sid_str);
188 talloc_free(mem_ctx);
189 return NT_STATUS_INVALID_SID;
192 status = smblsa_sid_privileges(cli, sid, mem_ctx, &rights);
193 if (!NT_STATUS_IS_OK(status)) {
194 talloc_free(mem_ctx);
198 for (i=0;i<rights.count;i++) {
199 if (strcmp(rights.names[i].string, privilege) == 0) {
200 talloc_free(mem_ctx);
205 talloc_free(mem_ctx);
206 return NT_STATUS_NOT_FOUND;
211 lookup a SID, returning its name
213 NTSTATUS smblsa_lookup_sid(struct smbcli_state *cli,
218 struct lsa_LookupSids r;
219 struct lsa_TransNameArray names;
220 struct lsa_SidArray sids;
221 struct lsa_RefDomainList *domains = NULL;
225 TALLOC_CTX *mem_ctx2 = talloc_new(mem_ctx);
227 status = smblsa_connect(cli);
228 if (!NT_STATUS_IS_OK(status)) {
232 sid = dom_sid_parse_talloc(mem_ctx2, sid_str);
234 return NT_STATUS_INVALID_SID;
241 sids.sids = talloc(mem_ctx2, struct lsa_SidPtr);
242 sids.sids[0].sid = sid;
244 r.in.handle = &cli->lsa->handle;
249 r.out.count = &count;
250 r.out.names = &names;
251 r.out.domains = &domains;
253 status = dcerpc_lsa_LookupSids_r(cli->lsa->binding_handle, mem_ctx2, &r);
254 if (!NT_STATUS_IS_OK(status)) {
255 talloc_free(mem_ctx2);
258 if (!NT_STATUS_IS_OK(r.out.result)) {
259 talloc_free(mem_ctx2);
262 if (names.count != 1) {
263 talloc_free(mem_ctx2);
264 return NT_STATUS_INVALID_NETWORK_RESPONSE;
266 if (domains == NULL) {
267 talloc_free(mem_ctx2);
268 return NT_STATUS_INVALID_NETWORK_RESPONSE;
270 if (domains->count != 1) {
271 talloc_free(mem_ctx2);
272 return NT_STATUS_INVALID_NETWORK_RESPONSE;
274 if (names.names[0].sid_index != UINT32_MAX &&
275 names.names[0].sid_index >= domains->count)
277 talloc_free(mem_ctx2);
278 return NT_STATUS_INVALID_NETWORK_RESPONSE;
281 (*name) = talloc_asprintf(mem_ctx, "%s\\%s",
282 domains->domains[0].name.string,
283 names.names[0].name.string);
285 talloc_free(mem_ctx2);
291 lookup a name, returning its sid
293 NTSTATUS smblsa_lookup_name(struct smbcli_state *cli,
296 const char **sid_str)
298 struct lsa_LookupNames r;
299 struct lsa_TransSidArray sids;
300 struct lsa_String names;
301 struct lsa_RefDomainList *domains = NULL;
305 TALLOC_CTX *mem_ctx2 = talloc_new(mem_ctx);
308 status = smblsa_connect(cli);
309 if (!NT_STATUS_IS_OK(status)) {
318 r.in.handle = &cli->lsa->handle;
324 r.out.count = &count;
326 r.out.domains = &domains;
328 status = dcerpc_lsa_LookupNames_r(cli->lsa->binding_handle, mem_ctx2, &r);
329 if (!NT_STATUS_IS_OK(status)) {
330 talloc_free(mem_ctx2);
333 if (!NT_STATUS_IS_OK(r.out.result)) {
334 talloc_free(mem_ctx2);
337 if (sids.count != 1) {
338 talloc_free(mem_ctx2);
339 return NT_STATUS_INVALID_NETWORK_RESPONSE;
341 if (domains->count != 1) {
342 talloc_free(mem_ctx2);
343 return NT_STATUS_INVALID_NETWORK_RESPONSE;
346 sid = domains->domains[0].sid;
347 rid = sids.sids[0].rid;
349 (*sid_str) = talloc_asprintf(mem_ctx, "%s-%u",
350 dom_sid_string(mem_ctx2, sid), rid);
352 talloc_free(mem_ctx2);
359 add a set of privileges to the given sid
361 NTSTATUS smblsa_sid_add_privileges(struct smbcli_state *cli, struct dom_sid *sid,
363 struct lsa_RightSet *rights)
366 struct lsa_AddAccountRights r;
368 status = smblsa_connect(cli);
369 if (!NT_STATUS_IS_OK(status)) {
373 r.in.handle = &cli->lsa->handle;
375 r.in.rights = rights;
377 status = dcerpc_lsa_AddAccountRights_r(cli->lsa->binding_handle, mem_ctx, &r);
378 if (!NT_STATUS_IS_OK(status)) {
386 remove a set of privileges from the given sid
388 NTSTATUS smblsa_sid_del_privileges(struct smbcli_state *cli, struct dom_sid *sid,
390 struct lsa_RightSet *rights)
393 struct lsa_RemoveAccountRights r;
395 status = smblsa_connect(cli);
396 if (!NT_STATUS_IS_OK(status)) {
400 r.in.handle = &cli->lsa->handle;
403 r.in.rights = rights;
405 status = dcerpc_lsa_RemoveAccountRights_r(cli->lsa->binding_handle, mem_ctx, &r);
406 if (!NT_STATUS_IS_OK(status)) {