X-Git-Url: http://git.samba.org/?a=blobdiff_plain;f=source%2Flibmsrpc%2Fcac_lsarpc.c;h=5ff8f5142cc679bded81a070a53632e3ec9bb71d;hb=ba8c48244e140403b728d9a2ca297b40e8888964;hp=b53fc697c4177934cb2519e034a2c77890cd7c9b;hpb=218c924d91a09517909ab09668a3ba7a0c6cb305;p=samba.git diff --git a/source/libmsrpc/cac_lsarpc.c b/source/libmsrpc/cac_lsarpc.c index b53fc697c41..5ff8f5142cc 100644 --- a/source/libmsrpc/cac_lsarpc.c +++ b/source/libmsrpc/cac_lsarpc.c @@ -1,3 +1,4 @@ + /* * Unix SMB/CIFS implementation. * MS-RPC client library implementation (LSA pipe) @@ -5,7 +6,7 @@ * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or + * the Free Software Foundation; either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, @@ -14,1059 +15,1241 @@ * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + * along with this program; if not, see . */ #include "libmsrpc.h" #include "libsmb_internal.h" -int cac_LsaOpenPolicy(CacServerHandle *hnd, TALLOC_CTX *mem_ctx, struct LsaOpenPolicy *op) { - SMBCSRV *srv = NULL; - POLICY_HND *policy = NULL; - struct rpc_pipe_client *pipe_hnd = NULL; - - if(!hnd) - return CAC_FAILURE; - - if(!hnd->_internal.ctx) { - hnd->status = NT_STATUS_INVALID_HANDLE; - return CAC_FAILURE; - } - - if(!mem_ctx || !op) { - hnd->status = NT_STATUS_INVALID_PARAMETER; - return CAC_FAILURE; - } - - op->out.pol = NULL; - - srv = cac_GetServer(hnd); - if(!srv) { - hnd->status = NT_STATUS_INVALID_CONNECTION; - return CAC_FAILURE; - } - - /*see if there is already an active session on this pipe, if not then open one*/ - if(!hnd->_internal.pipes[PI_LSARPC]) { - pipe_hnd = cli_rpc_pipe_open_noauth(&(srv->cli), PI_LSARPC, &(hnd->status)); - - if(!pipe_hnd) { - hnd->status = NT_STATUS_UNSUCCESSFUL; - return CAC_FAILURE; - } - - hnd->_internal.pipes[PI_LSARPC] = True; - } - - policy = SMB_MALLOC_P(POLICY_HND); - if(!policy) { - errno = ENOMEM; - hnd->status = NT_STATUS_NO_MEMORY; - return CAC_FAILURE; - } - - /*need to make sure that our nt status is good otherwise check might fail below*/ - hnd->status = NT_STATUS_OK; - - if(hnd->_internal.srv_level >= SRV_WIN_2K) { - - /*try using open_policy2, if this fails try again in next block using open_policy, if that works then adjust hnd->_internal.srv_level*/ - - /*we shouldn't need to modify the access mask to make it work here*/ - hnd->status = rpccli_lsa_open_policy2(pipe_hnd, mem_ctx, op->in.security_qos, op->in.access, policy); - - } - - if(hnd->_internal.srv_level < SRV_WIN_2K || !NT_STATUS_IS_OK(hnd->status)) { - hnd->status = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, op->in.security_qos, op->in.access, policy); - - if(hnd->_internal.srv_level > SRV_WIN_NT4 && NT_STATUS_IS_OK(hnd->status)) { - /*change the server level to 1*/ - hnd->_internal.srv_level = SRV_WIN_NT4; - } - - } - - if(!NT_STATUS_IS_OK(hnd->status)) { - SAFE_FREE(policy); - return CAC_FAILURE; - } - - op->out.pol = policy; - - return CAC_SUCCESS; +int cac_LsaOpenPolicy( CacServerHandle * hnd, TALLOC_CTX * mem_ctx, + struct LsaOpenPolicy *op ) +{ + SMBCSRV *srv = NULL; + POLICY_HND *policy = NULL; + struct rpc_pipe_client *pipe_hnd = NULL; + + if ( !hnd ) + return CAC_FAILURE; + + if ( !hnd->_internal.ctx ) { + hnd->status = NT_STATUS_INVALID_HANDLE; + return CAC_FAILURE; + } + + if ( !mem_ctx || !op ) { + hnd->status = NT_STATUS_INVALID_PARAMETER; + return CAC_FAILURE; + } + + op->out.pol = NULL; + + srv = cac_GetServer( hnd ); + if ( !srv ) { + hnd->status = NT_STATUS_INVALID_CONNECTION; + return CAC_FAILURE; + } + + /*see if there is already an active session on this pipe, if not then open one */ + if ( !hnd->_internal.pipes[PI_LSARPC] ) { + pipe_hnd = + cli_rpc_pipe_open_noauth( srv->cli, PI_LSARPC, + &hnd->status ); + + if ( !pipe_hnd ) { + hnd->status = NT_STATUS_UNSUCCESSFUL; + return CAC_FAILURE; + } + + hnd->_internal.pipes[PI_LSARPC] = True; + } + + pipe_hnd = cac_GetPipe( hnd, PI_LSARPC ); + if ( !pipe_hnd ) { + hnd->status = NT_STATUS_INVALID_HANDLE; + return CAC_FAILURE; + } + + policy = TALLOC_P( mem_ctx, POLICY_HND ); + if ( !policy ) { + errno = ENOMEM; + hnd->status = NT_STATUS_NO_MEMORY; + return CAC_FAILURE; + } + + /*need to make sure that our nt status is good otherwise check might fail below */ + hnd->status = NT_STATUS_OK; + + if ( hnd->_internal.srv_level >= SRV_WIN_2K ) { + + /*try using open_policy2, if this fails try again in next block using open_policy, if that works then adjust hnd->_internal.srv_level */ + + /*we shouldn't need to modify the access mask to make it work here */ + hnd->status = + rpccli_lsa_open_policy2( pipe_hnd, mem_ctx, + op->in.security_qos, + op->in.access, policy ); + + } + + if ( hnd->_internal.srv_level < SRV_WIN_2K + || !NT_STATUS_IS_OK( hnd->status ) ) { + hnd->status = + rpccli_lsa_open_policy( pipe_hnd, mem_ctx, + op->in.security_qos, + op->in.access, policy ); + + if ( hnd->_internal.srv_level > SRV_WIN_NT4 + && NT_STATUS_IS_OK( hnd->status ) ) { + /*change the server level to 1 */ + hnd->_internal.srv_level = SRV_WIN_NT4; + } + + } + + if ( !NT_STATUS_IS_OK( hnd->status ) ) { + return CAC_FAILURE; + } + + op->out.pol = policy; + + return CAC_SUCCESS; } -int cac_LsaClosePolicy(CacServerHandle *hnd, TALLOC_CTX *mem_ctx, POLICY_HND *pol) { +int cac_LsaClosePolicy( CacServerHandle * hnd, TALLOC_CTX * mem_ctx, + POLICY_HND * pol ) +{ - struct rpc_pipe_client *pipe_hnd = NULL; + struct rpc_pipe_client *pipe_hnd = NULL; - if(!hnd) - return CAC_FAILURE; - - if(!pol) - return CAC_SUCCESS; /*if the policy handle doesnt exist then it's already closed*/ + if ( !hnd ) + return CAC_FAILURE; - if(!hnd->_internal.ctx || !hnd->_internal.pipes[PI_LSARPC]) { - hnd->status = NT_STATUS_INVALID_HANDLE; - return CAC_FAILURE; - } + if ( !pol ) + return CAC_SUCCESS; /*if the policy handle doesnt exist then it's already closed */ - pipe_hnd = cac_GetPipe(hnd, PI_LSARPC); - if(!pipe_hnd) { - hnd->status = NT_STATUS_INVALID_HANDLE; - return CAC_FAILURE; - } + if ( !hnd->_internal.ctx || !hnd->_internal.pipes[PI_LSARPC] ) { + hnd->status = NT_STATUS_INVALID_HANDLE; + return CAC_FAILURE; + } + pipe_hnd = cac_GetPipe( hnd, PI_LSARPC ); + if ( !pipe_hnd ) { + hnd->status = NT_STATUS_INVALID_HANDLE; + return CAC_FAILURE; + } - hnd->status = rpccli_lsa_close(pipe_hnd, mem_ctx, pol); + hnd->status = rpccli_lsa_Close( pipe_hnd, mem_ctx, pol ); - if(!NT_STATUS_IS_OK(hnd->status)) - return CAC_FAILURE; + TALLOC_FREE( pol ); - SAFE_FREE(pol); + if ( !NT_STATUS_IS_OK( hnd->status ) ) + return CAC_FAILURE; - return CAC_SUCCESS; + return CAC_SUCCESS; } -int cac_LsaGetNamesFromSids(CacServerHandle *hnd, TALLOC_CTX *mem_ctx, struct LsaGetNamesFromSids *op) { - struct rpc_pipe_client *pipe_hnd = NULL; - - int result = -1; - - int i; - - /*buffers for outputs*/ - char **domains = NULL; - char **names = NULL; - uint32 *types = NULL; - - CacSidInfo *sids_out = NULL; - DOM_SID *unknown_out = NULL; - int num_unknown = 0; - - int num_sids; - - int found_idx; - int unknown_idx; - - if(!hnd) - return CAC_FAILURE; - - if(!hnd->_internal.ctx || !hnd->_internal.pipes[PI_LSARPC]) { - hnd->status = NT_STATUS_INVALID_HANDLE; - return CAC_FAILURE; - } - - if(!mem_ctx || !op || !op->in.pol || !op->in.sids) { - hnd->status = NT_STATUS_INVALID_PARAMETER; - return CAC_FAILURE; - } - - num_sids = op->in.num_sids; - - pipe_hnd = cac_GetPipe(hnd, PI_LSARPC); - if(!pipe_hnd) { - hnd->status = NT_STATUS_INVALID_HANDLE; - return CAC_FAILURE; - } - - - - /*now actually lookup the names*/ - hnd->status = rpccli_lsa_lookup_sids(pipe_hnd, mem_ctx, op->in.pol, op->in.num_sids, - op->in.sids, &domains, &names, &types); - - if(NT_STATUS_IS_OK(hnd->status)) { - /*this is the easy part, just make the out.sids array*/ - sids_out = TALLOC_ARRAY(mem_ctx, CacSidInfo, num_sids); - if(!sids_out) { - errno = ENOMEM; - hnd->status = NT_STATUS_NO_MEMORY; - return CAC_FAILURE; - } - - for(i = 0; i < num_sids; i++) { - sids_out[i].sid = op->in.sids[i]; - sids_out[i].name = names[i]; - sids_out[i].domain = domains[i]; - } - - result = CAC_SUCCESS; - } - else if(NT_STATUS_V(hnd->status) == NT_STATUS_V(STATUS_SOME_UNMAPPED)) { - /*first find out how many couldn't be looked up*/ - - for(i = 0; i < num_sids; i++) { - if(names[i] == NULL) { - num_unknown++; - } - } - - if( num_unknown >= num_sids) { - hnd->status = NT_STATUS_UNSUCCESSFUL; - return CAC_FAILURE; - } - - sids_out = TALLOC_ARRAY(mem_ctx, CacSidInfo, (num_sids - num_unknown)); - if(!sids_out) { - errno = ENOMEM; - hnd->status = NT_STATUS_NO_MEMORY; - return CAC_FAILURE; - } - - unknown_out = TALLOC_ARRAY(mem_ctx, DOM_SID, num_unknown); - if(!unknown_out) { - errno = ENOMEM; - hnd->status = NT_STATUS_NO_MEMORY; - return CAC_FAILURE; - } - - found_idx = unknown_idx = 0; - - /*now we can actually do the real work*/ - for(i = 0; i < num_sids; i++) { - if(names[i] != NULL) { - sids_out[found_idx].sid = op->in.sids[i]; - sids_out[found_idx].name = names[i]; - sids_out[found_idx].domain = domains[i]; - - found_idx++; - } - else { /*then this one didnt work out*/ - unknown_out[unknown_idx] = op->in.sids[i]; - - unknown_idx++; - } - } - - result = CAC_PARTIAL_SUCCESS; - } - else { /*then it failed for some reason*/ - return CAC_FAILURE; - } - - op->out.num_found = num_sids - num_unknown; - op->out.sids = sids_out; - op->out.unknown = unknown_out; - - return result; - +int cac_LsaGetNamesFromSids( CacServerHandle * hnd, TALLOC_CTX * mem_ctx, + struct LsaGetNamesFromSids *op ) +{ + struct rpc_pipe_client *pipe_hnd = NULL; + + int result = -1; + + int i; + + /*buffers for outputs */ + char **domains = NULL; + char **names = NULL; + enum lsa_SidType *types = NULL; + + CacSidInfo *sids_out = NULL; + DOM_SID *unknown_out = NULL; + int num_unknown = 0; + + int num_sids; + + int found_idx; + int unknown_idx; + + if ( !hnd ) + return CAC_FAILURE; + + if ( !hnd->_internal.ctx || !hnd->_internal.pipes[PI_LSARPC] ) { + hnd->status = NT_STATUS_INVALID_HANDLE; + return CAC_FAILURE; + } + + if ( !mem_ctx || !op || !op->in.pol || !op->in.sids ) { + hnd->status = NT_STATUS_INVALID_PARAMETER; + return CAC_FAILURE; + } + + num_sids = op->in.num_sids; + + pipe_hnd = cac_GetPipe( hnd, PI_LSARPC ); + if ( !pipe_hnd ) { + hnd->status = NT_STATUS_INVALID_HANDLE; + return CAC_FAILURE; + } + + + + /*now actually lookup the names */ + hnd->status = + rpccli_lsa_lookup_sids( pipe_hnd, mem_ctx, op->in.pol, + op->in.num_sids, op->in.sids, + &domains, &names, &types ); + + if ( NT_STATUS_IS_OK( hnd->status ) ) { + /*this is the easy part, just make the out.sids array */ + if (num_sids) { + sids_out = TALLOC_ARRAY( mem_ctx, CacSidInfo, num_sids ); + if ( !sids_out ) { + errno = ENOMEM; + hnd->status = NT_STATUS_NO_MEMORY; + return CAC_FAILURE; + } + } else { + sids_out = NULL; + } + + for ( i = 0; i < num_sids; i++ ) { + sids_out[i].sid = op->in.sids[i]; + sids_out[i].name = names[i]; + sids_out[i].domain = domains[i]; + } + + result = CAC_SUCCESS; + } else if ( NT_STATUS_V( hnd->status ) == + NT_STATUS_V( STATUS_SOME_UNMAPPED ) ) { + /*first find out how many couldn't be looked up */ + + for ( i = 0; i < num_sids; i++ ) { + if ( names[i] == NULL ) { + num_unknown++; + } + } + + if ( num_unknown >= num_sids ) { + hnd->status = NT_STATUS_UNSUCCESSFUL; + return CAC_FAILURE; + } + + if ( num_sids - num_unknown) { + sids_out = + TALLOC_ARRAY( mem_ctx, CacSidInfo, + ( num_sids - num_unknown ) ); + if ( !sids_out ) { + errno = ENOMEM; + hnd->status = NT_STATUS_NO_MEMORY; + return CAC_FAILURE; + } + } else { + sids_out = NULL; + } + + if (num_unknown) { + unknown_out = TALLOC_ARRAY( mem_ctx, DOM_SID, num_unknown ); + if ( !unknown_out ) { + errno = ENOMEM; + hnd->status = NT_STATUS_NO_MEMORY; + return CAC_FAILURE; + } + } else { + unknown_out = NULL; + } + found_idx = unknown_idx = 0; + + /*now we can actually do the real work */ + for ( i = 0; i < num_sids; i++ ) { + if ( names[i] != NULL ) { + sids_out[found_idx].sid = op->in.sids[i]; + sids_out[found_idx].name = names[i]; + sids_out[found_idx].domain = domains[i]; + + found_idx++; + } else { /*then this one didnt work out */ + unknown_out[unknown_idx] = op->in.sids[i]; + + unknown_idx++; + } + } + + result = CAC_PARTIAL_SUCCESS; + } else { /*then it failed for some reason */ + return CAC_FAILURE; + } + + op->out.num_found = num_sids - num_unknown; + op->out.sids = sids_out; + op->out.unknown = unknown_out; + + return result; + } -int cac_LsaGetSidsFromNames(CacServerHandle *hnd, TALLOC_CTX *mem_ctx, struct LsaGetSidsFromNames *op) { - struct rpc_pipe_client *pipe_hnd = NULL; - int result = -1; - - int i; - - /*buffers for outputs*/ - DOM_SID *sids = NULL; - uint32 *types = NULL; - - CacSidInfo *sids_out = NULL; - char **unknown_out = NULL; - int num_unknown = 0; - - int num_names; - - int found_idx = 0; - int unknown_idx = 0; - - if(!hnd) - return CAC_FAILURE; - - if(!hnd->_internal.ctx || !hnd->_internal.pipes[PI_LSARPC]) { - hnd->status = NT_STATUS_INVALID_HANDLE; - return CAC_FAILURE; - } - - if(!mem_ctx || !op || !op->in.pol || !op->in.names) { - hnd->status = NT_STATUS_INVALID_PARAMETER; - return CAC_FAILURE; - } - - num_names = op->in.num_names; - - pipe_hnd = cac_GetPipe(hnd, PI_LSARPC); - if(!pipe_hnd) { - hnd->status = NT_STATUS_INVALID_HANDLE; - return CAC_FAILURE; - } - - - /*now actually lookup the names*/ - hnd->status = rpccli_lsa_lookup_names( pipe_hnd, mem_ctx, op->in.pol, num_names, - (const char **)op->in.names, NULL, &sids, &types); - - if(NT_STATUS_IS_OK(hnd->status)) { - /*this is the easy part, just make the out.sids array*/ - sids_out = TALLOC_ARRAY(mem_ctx, CacSidInfo, num_names); - if(!sids_out) { - errno = ENOMEM; - hnd->status = NT_STATUS_NO_MEMORY; - return CAC_FAILURE; - } - - for(i = 0; i < num_names; i++) { - sids_out[i].sid = sids[i]; - sids_out[i].name = talloc_strdup(mem_ctx, op->in.names[i]); - sids_out[i].domain = NULL; - } - - result = CAC_SUCCESS; - } - else if(NT_STATUS_V(hnd->status) == NT_STATUS_V(STATUS_SOME_UNMAPPED)) { - /*first find out how many couldn't be looked up*/ - - for(i = 0; i < num_names; i++) { - if(types[i] == SID_NAME_UNKNOWN) { - num_unknown++; - } - } - - if( num_unknown >= num_names) { - hnd->status = NT_STATUS_UNSUCCESSFUL; - return CAC_FAILURE; - } - - sids_out = TALLOC_ARRAY(mem_ctx, CacSidInfo, (num_names - num_unknown)); - if(!sids_out) { - errno = ENOMEM; - hnd->status = NT_STATUS_NO_MEMORY; - return CAC_FAILURE; - } - - unknown_out = TALLOC_ARRAY(mem_ctx, char *, num_unknown); - if(!unknown_out) { - errno = ENOMEM; - hnd->status = NT_STATUS_NO_MEMORY; - return CAC_FAILURE; - } - - unknown_idx = found_idx = 0; - - /*now we can actually do the real work*/ - for(i = 0; i < num_names; i++) { - if(types[i] != SID_NAME_UNKNOWN) { - sids_out[found_idx].sid = sids[i]; - sids_out[found_idx].name = talloc_strdup(mem_ctx, op->in.names[i]); - sids_out[found_idx].domain = NULL; - - found_idx++; - } - else { /*then this one didnt work out*/ - unknown_out[unknown_idx] = talloc_strdup(mem_ctx, op->in.names[i]); - - unknown_idx++; - } - } - - result = CAC_PARTIAL_SUCCESS; - } - else { /*then it failed for some reason*/ - return CAC_FAILURE; - } - - op->out.num_found = num_names - num_unknown; - op->out.sids = sids_out; - op->out.unknown = unknown_out; - - return result; - +int cac_LsaGetSidsFromNames( CacServerHandle * hnd, TALLOC_CTX * mem_ctx, + struct LsaGetSidsFromNames *op ) +{ + struct rpc_pipe_client *pipe_hnd = NULL; + int result = -1; + + int i; + + /*buffers for outputs */ + DOM_SID *sids = NULL; + enum lsa_SidType *types = NULL; + + CacSidInfo *sids_out = NULL; + char **unknown_out = NULL; + int num_unknown = 0; + + int num_names; + + int found_idx = 0; + int unknown_idx = 0; + + if ( !hnd ) + return CAC_FAILURE; + + if ( !hnd->_internal.ctx || !hnd->_internal.pipes[PI_LSARPC] ) { + hnd->status = NT_STATUS_INVALID_HANDLE; + return CAC_FAILURE; + } + + if ( !mem_ctx || !op || !op->in.pol || !op->in.names ) { + hnd->status = NT_STATUS_INVALID_PARAMETER; + return CAC_FAILURE; + } + + num_names = op->in.num_names; + + pipe_hnd = cac_GetPipe( hnd, PI_LSARPC ); + if ( !pipe_hnd ) { + hnd->status = NT_STATUS_INVALID_HANDLE; + return CAC_FAILURE; + } + + + /*now actually lookup the names */ + hnd->status = + rpccli_lsa_lookup_names( pipe_hnd, mem_ctx, op->in.pol, + num_names, + ( const char ** ) op->in.names, NULL, + 1, &sids, &types ); + + if ( NT_STATUS_IS_OK( hnd->status ) ) { + /*this is the easy part, just make the out.sids array */ + if (num_names) { + sids_out = TALLOC_ARRAY( mem_ctx, CacSidInfo, num_names ); + if ( !sids_out ) { + errno = ENOMEM; + hnd->status = NT_STATUS_NO_MEMORY; + return CAC_FAILURE; + } + } else { + sids_out = NULL; + } + + for ( i = 0; i < num_names; i++ ) { + sids_out[i].sid = sids[i]; + sids_out[i].name = + talloc_strdup( mem_ctx, op->in.names[i] ); + sids_out[i].domain = NULL; + } + + result = CAC_SUCCESS; + } else if ( NT_STATUS_V( hnd->status ) == + NT_STATUS_V( STATUS_SOME_UNMAPPED ) ) { + /*first find out how many couldn't be looked up */ + + for ( i = 0; i < num_names; i++ ) { + if ( types[i] == SID_NAME_UNKNOWN ) { + num_unknown++; + } + } + + if ( num_unknown >= num_names ) { + hnd->status = NT_STATUS_UNSUCCESSFUL; + return CAC_FAILURE; + } + + if (num_names - num_unknown) { + sids_out = + TALLOC_ARRAY( mem_ctx, CacSidInfo, + ( num_names - num_unknown ) ); + if ( !sids_out ) { + errno = ENOMEM; + hnd->status = NT_STATUS_NO_MEMORY; + return CAC_FAILURE; + } + } else { + sids_out = NULL; + } + + if (num_unknown) { + unknown_out = TALLOC_ARRAY( mem_ctx, char *, num_unknown ); + if ( !unknown_out ) { + errno = ENOMEM; + hnd->status = NT_STATUS_NO_MEMORY; + return CAC_FAILURE; + } + } else { + unknown_out = NULL; + } + + unknown_idx = found_idx = 0; + + /*now we can actually do the real work */ + for ( i = 0; i < num_names; i++ ) { + if ( types[i] != SID_NAME_UNKNOWN ) { + sids_out[found_idx].sid = sids[i]; + sids_out[found_idx].name = + talloc_strdup( mem_ctx, + op->in.names[i] ); + sids_out[found_idx].domain = NULL; + + found_idx++; + } else { /*then this one didnt work out */ + unknown_out[unknown_idx] = + talloc_strdup( mem_ctx, + op->in.names[i] ); + + unknown_idx++; + } + } + + result = CAC_PARTIAL_SUCCESS; + } else { /*then it failed for some reason */ + return CAC_FAILURE; + } + + op->out.num_found = num_names - num_unknown; + op->out.sids = sids_out; + op->out.unknown = unknown_out; + + return result; + } -int cac_LsaFetchSid(CacServerHandle *hnd, TALLOC_CTX *mem_ctx, struct LsaFetchSid *op) { - struct rpc_pipe_client *pipe_hnd = NULL; - int result = -1; - - if(!hnd) - return CAC_FAILURE; - - if(!hnd->_internal.ctx || !hnd->_internal.pipes[PI_LSARPC] ) { - hnd->status = NT_STATUS_INVALID_HANDLE; - return CAC_FAILURE; - } - - if(!mem_ctx || !op || !op->in.pol) { - hnd->status = NT_STATUS_INVALID_PARAMETER; - return CAC_FAILURE; - } - - pipe_hnd = cac_GetPipe(hnd, PI_LSARPC); - if(!pipe_hnd) { - hnd->status = NT_STATUS_INVALID_HANDLE; - return CAC_FAILURE; - } - - op->out.local_sid = NULL; - op->out.domain_sid = NULL; - - if( (op->in.info_class & CAC_LOCAL_INFO) == CAC_LOCAL_INFO) { - DOM_SID *local_sid = NULL; - char *dom_name = NULL; - - hnd->status = rpccli_lsa_query_info_policy( pipe_hnd, mem_ctx, op->in.pol, CAC_LOCAL_INFO, &dom_name, &local_sid); - - if(!NT_STATUS_IS_OK(hnd->status)) { - result = CAC_FAILURE; - goto domain; - } - - op->out.local_sid = talloc(mem_ctx, CacSidInfo); - if(!op->out.local_sid) { - hnd->status = NT_STATUS_NO_MEMORY; - result = CAC_FAILURE; - goto domain; - } - - op->out.local_sid->domain = dom_name; - - sid_copy(&op->out.local_sid->sid, local_sid); - TALLOC_FREE(local_sid); - } - -domain: - - if( (op->in.info_class & CAC_DOMAIN_INFO) == CAC_DOMAIN_INFO) { - DOM_SID *domain_sid; - char *dom_name; - - hnd->status = rpccli_lsa_query_info_policy( pipe_hnd, mem_ctx, op->in.pol, CAC_DOMAIN_INFO, &dom_name, &domain_sid); - if(!NT_STATUS_IS_OK(hnd->status)) { - /*if we succeeded above, report partial success*/ - result = (result == CAC_SUCCESS) ? CAC_PARTIAL_SUCCESS : CAC_FAILURE; - goto done; - } - else if(result == CAC_FAILURE) { - /*if we failed above but succeded here then report partial success*/ - result = CAC_PARTIAL_SUCCESS; - } - - op->out.domain_sid = talloc(mem_ctx, CacSidInfo); - if(!op->out.domain_sid) { - hnd->status = NT_STATUS_NO_MEMORY; - result = CAC_FAILURE; - goto done; - } - - op->out.domain_sid->domain = dom_name; - sid_copy(&op->out.domain_sid->sid, domain_sid); - TALLOC_FREE(domain_sid); - } - -done: - return result; +int cac_LsaFetchSid( CacServerHandle * hnd, TALLOC_CTX * mem_ctx, + struct LsaFetchSid *op ) +{ + struct rpc_pipe_client *pipe_hnd = NULL; + int result = -1; + + if ( !hnd ) + return CAC_FAILURE; + + if ( !hnd->_internal.ctx || !hnd->_internal.pipes[PI_LSARPC] ) { + hnd->status = NT_STATUS_INVALID_HANDLE; + return CAC_FAILURE; + } + + if ( !mem_ctx || !op || !op->in.pol ) { + hnd->status = NT_STATUS_INVALID_PARAMETER; + return CAC_FAILURE; + } + + pipe_hnd = cac_GetPipe( hnd, PI_LSARPC ); + if ( !pipe_hnd ) { + hnd->status = NT_STATUS_INVALID_HANDLE; + return CAC_FAILURE; + } + + op->out.local_sid = NULL; + op->out.domain_sid = NULL; + + if ( ( op->in.info_class & CAC_LOCAL_INFO ) == CAC_LOCAL_INFO ) { + DOM_SID *local_sid = NULL; + char *dom_name = NULL; + + hnd->status = + rpccli_lsa_query_info_policy( pipe_hnd, mem_ctx, + op->in.pol, + CAC_LOCAL_INFO, + &dom_name, &local_sid ); + + if ( !NT_STATUS_IS_OK( hnd->status ) ) { + result = CAC_FAILURE; + goto domain; + } + + op->out.local_sid = talloc( mem_ctx, CacSidInfo ); + if ( !op->out.local_sid ) { + hnd->status = NT_STATUS_NO_MEMORY; + result = CAC_FAILURE; + goto domain; + } + + op->out.local_sid->domain = dom_name; + + sid_copy( &op->out.local_sid->sid, local_sid ); + TALLOC_FREE( local_sid ); + } + + domain: + + if ( ( op->in.info_class & CAC_DOMAIN_INFO ) == CAC_DOMAIN_INFO ) { + DOM_SID *domain_sid; + char *dom_name; + + hnd->status = + rpccli_lsa_query_info_policy( pipe_hnd, mem_ctx, + op->in.pol, + CAC_DOMAIN_INFO, + &dom_name, + &domain_sid ); + if ( !NT_STATUS_IS_OK( hnd->status ) ) { + /*if we succeeded above, report partial success */ + result = CAC_FAILURE; + goto done; + } else if ( result == CAC_FAILURE ) { + /*if we failed above but succeded here then report partial success */ + result = CAC_PARTIAL_SUCCESS; + } + + op->out.domain_sid = talloc( mem_ctx, CacSidInfo ); + if ( !op->out.domain_sid ) { + hnd->status = NT_STATUS_NO_MEMORY; + result = CAC_FAILURE; + goto done; + } + + op->out.domain_sid->domain = dom_name; + sid_copy( &op->out.domain_sid->sid, domain_sid ); + TALLOC_FREE( domain_sid ); + } + + done: + return result; } -int cac_LsaQueryInfoPolicy(CacServerHandle *hnd, TALLOC_CTX *mem_ctx, struct LsaQueryInfoPolicy *op) { - struct rpc_pipe_client *pipe_hnd = NULL; - - char *domain_name = NULL; - char *dns_name = NULL; - char *forest_name = NULL; - struct uuid *domain_guid = NULL; - DOM_SID *domain_sid = NULL; - - if(!hnd) - return CAC_FAILURE; - - if(!hnd->_internal.ctx || !hnd->_internal.pipes[PI_LSARPC]) { - hnd->status = NT_STATUS_INVALID_HANDLE; - return CAC_FAILURE; - } - - if(!op->in.pol) { - hnd->status = NT_STATUS_INVALID_PARAMETER; - return CAC_FAILURE; - } - - pipe_hnd = cac_GetPipe(hnd, PI_LSARPC); - if(!pipe_hnd) { - hnd->status = NT_STATUS_INVALID_HANDLE; - return CAC_FAILURE; - } - - /*only works if info_class parm is 12*/ - hnd->status = rpccli_lsa_query_info_policy2(pipe_hnd, mem_ctx, op->in.pol, 12, - &domain_name, &dns_name, &forest_name, &domain_guid, &domain_sid); - - if(!NT_STATUS_IS_OK(hnd->status)) { - return CAC_FAILURE; - } - - op->out.domain_name = domain_name; - op->out.dns_name = dns_name; - op->out.forest_name = forest_name; - op->out.domain_guid = domain_guid; - op->out.domain_sid = domain_sid; - - return CAC_SUCCESS; +int cac_LsaQueryInfoPolicy( CacServerHandle * hnd, TALLOC_CTX * mem_ctx, + struct LsaQueryInfoPolicy *op ) +{ + struct rpc_pipe_client *pipe_hnd = NULL; + + char *domain_name = NULL; + char *dns_name = NULL; + char *forest_name = NULL; + struct GUID *domain_guid = NULL; + DOM_SID *domain_sid = NULL; + + if ( !hnd ) + return CAC_FAILURE; + + if ( !hnd->_internal.ctx || !hnd->_internal.pipes[PI_LSARPC] ) { + hnd->status = NT_STATUS_INVALID_HANDLE; + return CAC_FAILURE; + } + + if ( !op || !op->in.pol ) { + hnd->status = NT_STATUS_INVALID_PARAMETER; + return CAC_FAILURE; + } + + pipe_hnd = cac_GetPipe( hnd, PI_LSARPC ); + if ( !pipe_hnd ) { + hnd->status = NT_STATUS_INVALID_HANDLE; + return CAC_FAILURE; + } + + /*only works if info_class parm is 12 */ + hnd->status = + rpccli_lsa_query_info_policy2( pipe_hnd, mem_ctx, op->in.pol, + 12, &domain_name, &dns_name, + &forest_name, &domain_guid, + &domain_sid ); + + if ( !NT_STATUS_IS_OK( hnd->status ) ) { + return CAC_FAILURE; + } + + op->out.domain_name = domain_name; + op->out.dns_name = dns_name; + op->out.forest_name = forest_name; + op->out.domain_guid = domain_guid; + op->out.domain_sid = domain_sid; + + return CAC_SUCCESS; } -int cac_LsaEnumSids(CacServerHandle *hnd, TALLOC_CTX *mem_ctx, struct LsaEnumSids *op) { - struct rpc_pipe_client *pipe_hnd = NULL; +int cac_LsaEnumSids( CacServerHandle * hnd, TALLOC_CTX * mem_ctx, + struct LsaEnumSids *op ) +{ + struct rpc_pipe_client *pipe_hnd = NULL; - uint32 num_sids; - DOM_SID *sids; + uint32 num_sids; + DOM_SID *sids; - if(!hnd) - return CAC_FAILURE; + if ( !hnd ) + return CAC_FAILURE; - if(!hnd->_internal.ctx || !hnd->_internal.pipes[PI_LSARPC]) { - hnd->status = NT_STATUS_INVALID_HANDLE; - return CAC_FAILURE; - } + if ( !hnd->_internal.ctx || !hnd->_internal.pipes[PI_LSARPC] ) { + hnd->status = NT_STATUS_INVALID_HANDLE; + return CAC_FAILURE; + } - if(!op || !op->in.pol) { - hnd->status = NT_STATUS_INVALID_PARAMETER; - return CAC_FAILURE; - } + if ( !op || !op->in.pol ) { + hnd->status = NT_STATUS_INVALID_PARAMETER; + return CAC_FAILURE; + } - pipe_hnd = cac_GetPipe(hnd, PI_LSARPC); - if(!pipe_hnd) { - hnd->status = NT_STATUS_INVALID_HANDLE; - return CAC_FAILURE; - } + pipe_hnd = cac_GetPipe( hnd, PI_LSARPC ); + if ( !pipe_hnd ) { + hnd->status = NT_STATUS_INVALID_HANDLE; + return CAC_FAILURE; + } - hnd->status = rpccli_lsa_enum_sids(pipe_hnd, mem_ctx, op->in.pol, &(op->out.resume_idx), op->in.pref_max_sids, &num_sids, &sids); + hnd->status = + rpccli_lsa_enum_sids( pipe_hnd, mem_ctx, op->in.pol, + &( op->out.resume_idx ), + op->in.pref_max_sids, &num_sids, + &sids ); - if(!NT_STATUS_IS_OK(hnd->status)) { - return CAC_FAILURE; - } + if ( !NT_STATUS_IS_OK( hnd->status ) ) { + return CAC_FAILURE; + } - op->out.num_sids = num_sids; - op->out.sids = sids; + op->out.num_sids = num_sids; + op->out.sids = sids; - return CAC_SUCCESS; + return CAC_SUCCESS; } -int cac_LsaEnumAccountRights(CacServerHandle *hnd, TALLOC_CTX *mem_ctx, struct LsaEnumAccountRights *op) { - struct rpc_pipe_client *pipe_hnd = NULL; +int cac_LsaEnumAccountRights( CacServerHandle * hnd, TALLOC_CTX * mem_ctx, + struct LsaEnumAccountRights *op ) +{ + struct rpc_pipe_client *pipe_hnd = NULL; - uint32 count = 0; - char **privs = NULL; + uint32 count = 0; + char **privs = NULL; - if(!hnd) - return CAC_FAILURE; + if ( !hnd ) + return CAC_FAILURE; - if(!hnd->_internal.ctx || !hnd->_internal.pipes[PI_LSARPC]) { - hnd->status = NT_STATUS_INVALID_HANDLE; - return CAC_FAILURE; - } + if ( !hnd->_internal.ctx || !hnd->_internal.pipes[PI_LSARPC] ) { + hnd->status = NT_STATUS_INVALID_HANDLE; + return CAC_FAILURE; + } - if(!op->in.pol) { - hnd->status = NT_STATUS_INVALID_PARAMETER; - return CAC_FAILURE; - } + if ( !op->in.pol ) { + hnd->status = NT_STATUS_INVALID_PARAMETER; + return CAC_FAILURE; + } - if(!op->in.name && !op->in.sid) { - hnd->status = NT_STATUS_INVALID_PARAMETER; - return CAC_FAILURE; - } + if ( !op->in.name && !op->in.sid ) { + hnd->status = NT_STATUS_INVALID_PARAMETER; + return CAC_FAILURE; + } - pipe_hnd = cac_GetPipe(hnd, PI_LSARPC); - if(!pipe_hnd) { - hnd->status = NT_STATUS_INVALID_HANDLE; - return CAC_FAILURE; - } + pipe_hnd = cac_GetPipe( hnd, PI_LSARPC ); + if ( !pipe_hnd ) { + hnd->status = NT_STATUS_INVALID_HANDLE; + return CAC_FAILURE; + } - if(op->in.name && !op->in.sid) { - DOM_SID *user_sid = NULL; - uint32 *type; + if ( op->in.name && !op->in.sid ) { + DOM_SID *user_sid = NULL; + enum lsa_SidType *type; - /*lookup the SID*/ - hnd->status = rpccli_lsa_lookup_names( pipe_hnd, mem_ctx, op->in.pol, 1, (const char **)&(op->in.name), NULL, &user_sid, &type); + /*lookup the SID */ + hnd->status = + rpccli_lsa_lookup_names( pipe_hnd, mem_ctx, + op->in.pol, 1, + ( const char ** ) &( op->in. + name ), + NULL, 1, &user_sid, &type ); - if(!NT_STATUS_IS_OK(hnd->status)) - return CAC_FAILURE; + if ( !NT_STATUS_IS_OK( hnd->status ) ) + return CAC_FAILURE; - op->in.sid = user_sid; - } - - hnd->status = rpccli_lsa_enum_account_rights( pipe_hnd, mem_ctx, op->in.pol, op->in.sid, - &count, &privs); + op->in.sid = user_sid; + } - if(!NT_STATUS_IS_OK(hnd->status)) { - return CAC_FAILURE; - } + hnd->status = + rpccli_lsa_enum_account_rights( pipe_hnd, mem_ctx, op->in.pol, + op->in.sid, &count, &privs ); - op->out.num_privs = count; - op->out.priv_names = privs; + if ( !NT_STATUS_IS_OK( hnd->status ) ) { + return CAC_FAILURE; + } - return CAC_SUCCESS; -} + op->out.num_privs = count; + op->out.priv_names = privs; -int cac_LsaEnumTrustedDomains(CacServerHandle *hnd, TALLOC_CTX *mem_ctx, struct LsaEnumTrustedDomains *op) { - struct rpc_pipe_client *pipe_hnd; - - uint32 num_domains; - char **domain_names; - DOM_SID *domain_sids; - - if(!hnd) - return CAC_FAILURE; - - if(!hnd->_internal.ctx || !hnd->_internal.pipes[PI_LSARPC]) { - hnd->status = NT_STATUS_INVALID_HANDLE; - return CAC_FAILURE; - } - - if(!op->in.pol) { - hnd->status = NT_STATUS_INVALID_PARAMETER; - return CAC_FAILURE; - } - - pipe_hnd = cac_GetPipe(hnd, PI_LSARPC); - if(!pipe_hnd) { - hnd->status = NT_STATUS_INVALID_HANDLE; - return CAC_FAILURE; - } - - hnd->status = rpccli_lsa_enum_trust_dom( pipe_hnd, mem_ctx, op->in.pol, &(op->out.resume_idx), &num_domains, &domain_names, &domain_sids); - - if(!NT_STATUS_IS_OK(hnd->status)) { - return CAC_FAILURE; - } - - op->out.num_domains = num_domains; - op->out.domain_names = domain_names; - op->out.domain_sids = domain_sids; - - return CAC_SUCCESS; + return CAC_SUCCESS; } -int cac_LsaOpenTrustedDomain(CacServerHandle *hnd, TALLOC_CTX *mem_ctx, struct LsaOpenTrustedDomain *op) { - struct rpc_pipe_client *pipe_hnd = NULL; - - POLICY_HND *dom_pol = NULL; - - if(!hnd) - return CAC_FAILURE; - - if(!hnd->_internal.ctx || !hnd->_internal.pipes[PI_LSARPC]) { - hnd->status = NT_STATUS_INVALID_HANDLE; - return CAC_FAILURE; - } - - if(!op->in.pol || !op->in.access || !op->in.domain_sid) { - hnd->status = NT_STATUS_INVALID_PARAMETER; - return CAC_FAILURE; - } - - pipe_hnd = cac_GetPipe(hnd, PI_LSARPC); - if(!pipe_hnd) { - hnd->status = NT_STATUS_INVALID_HANDLE; - return CAC_FAILURE; - } - - dom_pol = talloc(mem_ctx, POLICY_HND); - if(!dom_pol) { - hnd->status = NT_STATUS_NO_MEMORY; - errno = ENOMEM; - return CAC_FAILURE; - } - - hnd->status = rpccli_lsa_open_trusted_domain( pipe_hnd, mem_ctx, op->in.pol, op->in.domain_sid, op->in.access, dom_pol); - - if(!NT_STATUS_IS_OK(hnd->status)) { - return CAC_FAILURE; - } - - op->out.domain_pol = dom_pol; - - return CAC_SUCCESS; +int cac_LsaEnumTrustedDomains( CacServerHandle * hnd, TALLOC_CTX * mem_ctx, + struct LsaEnumTrustedDomains *op ) +{ + struct rpc_pipe_client *pipe_hnd; + + uint32 num_domains; + char **domain_names; + DOM_SID *domain_sids; + + if ( !hnd ) + return CAC_FAILURE; + + if ( !hnd->_internal.ctx || !hnd->_internal.pipes[PI_LSARPC] ) { + hnd->status = NT_STATUS_INVALID_HANDLE; + return CAC_FAILURE; + } + + if ( !op->in.pol ) { + hnd->status = NT_STATUS_INVALID_PARAMETER; + return CAC_FAILURE; + } + + pipe_hnd = cac_GetPipe( hnd, PI_LSARPC ); + if ( !pipe_hnd ) { + hnd->status = NT_STATUS_INVALID_HANDLE; + return CAC_FAILURE; + } + + hnd->status = + rpccli_lsa_enum_trust_dom( pipe_hnd, mem_ctx, op->in.pol, + &( op->out.resume_idx ), + &num_domains, &domain_names, + &domain_sids ); + + if ( !NT_STATUS_IS_OK( hnd->status ) ) { + return CAC_FAILURE; + } + + op->out.num_domains = num_domains; + op->out.domain_names = domain_names; + op->out.domain_sids = domain_sids; + + return CAC_SUCCESS; } -int cac_LsaQueryTrustedDomainInfo(CacServerHandle *hnd, TALLOC_CTX *mem_ctx, struct LsaQueryTrustedDomainInfo *op) { - struct rpc_pipe_client *pipe_hnd = NULL; - - LSA_TRUSTED_DOMAIN_INFO *dom_info; +int cac_LsaOpenTrustedDomain( CacServerHandle * hnd, TALLOC_CTX * mem_ctx, + struct LsaOpenTrustedDomain *op ) +{ + struct rpc_pipe_client *pipe_hnd = NULL; - if(!hnd) - return CAC_FAILURE; + POLICY_HND *dom_pol = NULL; - if(!hnd->_internal.ctx || !hnd->_internal.pipes[PI_LSARPC]) { - hnd->status = NT_STATUS_INVALID_HANDLE; - return CAC_FAILURE; - } + if ( !hnd ) + return CAC_FAILURE; - if(!op->in.pol || !op->in.info_class) { - hnd->status = NT_STATUS_INVALID_PARAMETER; - return CAC_FAILURE; - } + if ( !hnd->_internal.ctx || !hnd->_internal.pipes[PI_LSARPC] ) { + hnd->status = NT_STATUS_INVALID_HANDLE; + return CAC_FAILURE; + } - if(!op->in.domain_sid && !op->in.domain_name) { - hnd->status = NT_STATUS_INVALID_PARAMETER; - return CAC_FAILURE; - } + if ( !op->in.pol || !op->in.access || !op->in.domain_sid ) { + hnd->status = NT_STATUS_INVALID_PARAMETER; + return CAC_FAILURE; + } - pipe_hnd = cac_GetPipe(hnd, PI_LSARPC); - if(!pipe_hnd) { - hnd->status = NT_STATUS_INVALID_HANDLE; - return CAC_FAILURE; - } + pipe_hnd = cac_GetPipe( hnd, PI_LSARPC ); + if ( !pipe_hnd ) { + hnd->status = NT_STATUS_INVALID_HANDLE; + return CAC_FAILURE; + } - if(op->in.domain_sid) { - hnd->status = rpccli_lsa_query_trusted_domain_info_by_sid( pipe_hnd, mem_ctx, op->in.pol, op->in.info_class, op->in.domain_sid, &dom_info); - } - else if(op->in.domain_name) { - hnd->status = rpccli_lsa_query_trusted_domain_info_by_name( pipe_hnd, mem_ctx, op->in.pol, op->in.info_class, op->in.domain_name, &dom_info); - } + dom_pol = talloc( mem_ctx, POLICY_HND ); + if ( !dom_pol ) { + hnd->status = NT_STATUS_NO_MEMORY; + errno = ENOMEM; + return CAC_FAILURE; + } - if(!NT_STATUS_IS_OK(hnd->status)) { - return CAC_FAILURE; - } + hnd->status = + rpccli_lsa_open_trusted_domain( pipe_hnd, mem_ctx, op->in.pol, + op->in.domain_sid, + op->in.access, dom_pol ); - op->out.info = dom_info; + if ( !NT_STATUS_IS_OK( hnd->status ) ) { + return CAC_FAILURE; + } - return CAC_SUCCESS; + op->out.domain_pol = dom_pol; + return CAC_SUCCESS; } -int cac_LsaEnumPrivileges(CacServerHandle *hnd, TALLOC_CTX *mem_ctx, struct LsaEnumPrivileges *op) { - struct rpc_pipe_client *pipe_hnd = NULL; - - uint32 num_privs; - char **priv_names; - uint32 *high_bits; - uint32 *low_bits; - - if(!hnd) { - return CAC_FAILURE; - } - - if(!hnd->_internal.ctx || !hnd->_internal.pipes[PI_LSARPC]) { - hnd->status = NT_STATUS_INVALID_HANDLE; - return CAC_FAILURE; - } - - if(!op || !op->in.pol) { - hnd->status = NT_STATUS_INVALID_PARAMETER; - return CAC_FAILURE; - } - - pipe_hnd = cac_GetPipe(hnd, PI_LSARPC); - if(!pipe_hnd) { - hnd->status = NT_STATUS_INVALID_HANDLE; - return CAC_FAILURE; - } - - hnd->status = rpccli_lsa_enum_privilege(pipe_hnd, mem_ctx, op->in.pol, &(op->out.resume_idx), op->in.pref_max_privs, - &num_privs, &priv_names, &high_bits, &low_bits); - - if(!NT_STATUS_IS_OK(hnd->status)) { - return CAC_FAILURE; - } - - op->out.num_privs = num_privs; - op->out.priv_names = priv_names; - op->out.high_bits = high_bits; - op->out.low_bits = low_bits; +int cac_LsaQueryTrustedDomainInfo( CacServerHandle * hnd, + TALLOC_CTX * mem_ctx, + struct LsaQueryTrustedDomainInfo *op ) +{ + struct rpc_pipe_client *pipe_hnd = NULL; + + LSA_TRUSTED_DOMAIN_INFO *dom_info; + + if ( !hnd ) + return CAC_FAILURE; + + if ( !hnd->_internal.ctx || !hnd->_internal.pipes[PI_LSARPC] ) { + hnd->status = NT_STATUS_INVALID_HANDLE; + return CAC_FAILURE; + } + + if ( !op->in.pol || !op->in.info_class ) { + hnd->status = NT_STATUS_INVALID_PARAMETER; + return CAC_FAILURE; + } + + if ( !op->in.domain_sid && !op->in.domain_name ) { + hnd->status = NT_STATUS_INVALID_PARAMETER; + return CAC_FAILURE; + } + + pipe_hnd = cac_GetPipe( hnd, PI_LSARPC ); + if ( !pipe_hnd ) { + hnd->status = NT_STATUS_INVALID_HANDLE; + return CAC_FAILURE; + } + + if ( op->in.domain_sid ) { + hnd->status = + rpccli_lsa_query_trusted_domain_info_by_sid( pipe_hnd, + mem_ctx, + op->in. + pol, + op->in. + info_class, + op->in. + domain_sid, + &dom_info ); + } else if ( op->in.domain_name ) { + hnd->status = + rpccli_lsa_query_trusted_domain_info_by_name + ( pipe_hnd, mem_ctx, op->in.pol, op->in.info_class, + op->in.domain_name, &dom_info ); + } + + if ( !NT_STATUS_IS_OK( hnd->status ) ) { + return CAC_FAILURE; + } + + op->out.info = dom_info; + + return CAC_SUCCESS; - return CAC_SUCCESS; } -int cac_LsaOpenAccount(CacServerHandle *hnd, TALLOC_CTX *mem_ctx, struct LsaOpenAccount *op) { - struct rpc_pipe_client *pipe_hnd = NULL; - - POLICY_HND *user_pol = NULL; - - if(!hnd) { - return CAC_FAILURE; - } - - if(!hnd->_internal.ctx || !hnd->_internal.pipes[PI_LSARPC]) { - hnd->status = NT_STATUS_INVALID_HANDLE; - return CAC_FAILURE; - } - - if(!op || !op->in.pol) { - hnd->status = NT_STATUS_INVALID_PARAMETER; - return CAC_FAILURE; - } - - if(!op->in.sid && !op->in.name) { - hnd->status = NT_STATUS_INVALID_PARAMETER; - return CAC_FAILURE; - } - - - /*look up the user's SID if we have to*/ - if(op->in.name && !op->in.sid) { - DOM_SID *user_sid = NULL; - uint32 *type; - - /*lookup the SID*/ - hnd->status = rpccli_lsa_lookup_names( pipe_hnd, mem_ctx, op->in.pol, 1, (const char **)&(op->in.name), NULL, &user_sid, &type); - - if(!NT_STATUS_IS_OK(hnd->status)) - return CAC_FAILURE; - - op->in.sid = user_sid; - } - - user_pol = talloc(mem_ctx, POLICY_HND); - if(!user_pol) { - hnd->status = NT_STATUS_NO_MEMORY; - return CAC_FAILURE; - } - - hnd->status = rpccli_lsa_open_account(pipe_hnd, mem_ctx, op->in.pol, op->in.sid, op->in.access, user_pol); - - if(!NT_STATUS_IS_OK(hnd->status)) { - TALLOC_FREE(user_pol); - return CAC_FAILURE; - } - - op->out.user = user_pol; - - return CAC_SUCCESS; +int cac_LsaEnumPrivileges( CacServerHandle * hnd, TALLOC_CTX * mem_ctx, + struct LsaEnumPrivileges *op ) +{ + struct rpc_pipe_client *pipe_hnd = NULL; + + uint32 num_privs; + char **priv_names; + uint32 *high_bits; + uint32 *low_bits; + + if ( !hnd ) { + return CAC_FAILURE; + } + + if ( !hnd->_internal.ctx || !hnd->_internal.pipes[PI_LSARPC] ) { + hnd->status = NT_STATUS_INVALID_HANDLE; + return CAC_FAILURE; + } + + if ( !op || !op->in.pol ) { + hnd->status = NT_STATUS_INVALID_PARAMETER; + return CAC_FAILURE; + } + + pipe_hnd = cac_GetPipe( hnd, PI_LSARPC ); + if ( !pipe_hnd ) { + hnd->status = NT_STATUS_INVALID_HANDLE; + return CAC_FAILURE; + } + + hnd->status = + rpccli_lsa_enum_privilege( pipe_hnd, mem_ctx, op->in.pol, + &( op->out.resume_idx ), + op->in.pref_max_privs, &num_privs, + &priv_names, &high_bits, + &low_bits ); + + if ( !NT_STATUS_IS_OK( hnd->status ) ) { + return CAC_FAILURE; + } + + op->out.num_privs = num_privs; + op->out.priv_names = priv_names; + op->out.high_bits = high_bits; + op->out.low_bits = low_bits; + + return CAC_SUCCESS; } - -int cac_LsaAddPrivileges(CacServerHandle *hnd, TALLOC_CTX *mem_ctx, struct LsaAddPrivileges *op) { - struct rpc_pipe_client *pipe_hnd = NULL; - - DOM_SID *user_sid = NULL; - uint32 *type = NULL; - - if(!hnd) { - return CAC_FAILURE; - } - - if(!hnd->_internal.ctx || !hnd->_internal.pipes[PI_LSARPC]) { - hnd->status = NT_STATUS_INVALID_HANDLE; - return CAC_FAILURE; - } - - if(!op || !op->in.pol || !op->in.priv_names) { - hnd->status = NT_STATUS_INVALID_PARAMETER; - return CAC_FAILURE; - } - - if(!op->in.sid && !op->in.name) { - hnd->status = NT_STATUS_INVALID_PARAMETER; - return CAC_FAILURE; - } - - pipe_hnd = cac_GetPipe(hnd, PI_LSARPC); - if(!pipe_hnd) { - hnd->status = NT_STATUS_INVALID_HANDLE; - return CAC_FAILURE; - } - - if(op->in.name && !op->in.sid) { - /*lookup the SID*/ - hnd->status = rpccli_lsa_lookup_names( pipe_hnd, mem_ctx, op->in.pol, 1, (const char **)&(op->in.name), NULL, &user_sid, &type); - - if(!NT_STATUS_IS_OK(hnd->status)) - return CAC_FAILURE; - - op->in.sid = user_sid; - } - - hnd->status = rpccli_lsa_add_account_rights( pipe_hnd, mem_ctx, op->in.pol, *(op->in.sid), op->in.num_privs, (const char **)op->in.priv_names); - - if(!NT_STATUS_IS_OK(hnd->status)) { - return CAC_FAILURE; - } - - return CAC_SUCCESS; +int cac_LsaOpenAccount( CacServerHandle * hnd, TALLOC_CTX * mem_ctx, + struct LsaOpenAccount *op ) +{ + struct rpc_pipe_client *pipe_hnd = NULL; + + POLICY_HND *user_pol = NULL; + + if ( !hnd ) { + return CAC_FAILURE; + } + + if ( !hnd->_internal.ctx || !hnd->_internal.pipes[PI_LSARPC] ) { + hnd->status = NT_STATUS_INVALID_HANDLE; + return CAC_FAILURE; + } + + if ( !op || !op->in.pol ) { + hnd->status = NT_STATUS_INVALID_PARAMETER; + return CAC_FAILURE; + } + + if ( !op->in.sid && !op->in.name ) { + hnd->status = NT_STATUS_INVALID_PARAMETER; + return CAC_FAILURE; + } + + pipe_hnd = cac_GetPipe( hnd, PI_LSARPC ); + if ( !pipe_hnd ) { + hnd->status = NT_STATUS_INVALID_HANDLE; + return CAC_FAILURE; + } + + /*look up the user's SID if we have to */ + if ( op->in.name && !op->in.sid ) { + DOM_SID *user_sid = NULL; + enum lsa_SidType *type; + + /*lookup the SID */ + hnd->status = + rpccli_lsa_lookup_names( pipe_hnd, mem_ctx, + op->in.pol, 1, + ( const char ** ) &( op->in. + name ), + NULL, 1, &user_sid, &type ); + + if ( !NT_STATUS_IS_OK( hnd->status ) ) + return CAC_FAILURE; + + op->in.sid = user_sid; + } + + user_pol = talloc( mem_ctx, POLICY_HND ); + if ( !user_pol ) { + hnd->status = NT_STATUS_NO_MEMORY; + return CAC_FAILURE; + } + + hnd->status = + rpccli_lsa_open_account( pipe_hnd, mem_ctx, op->in.pol, + op->in.sid, op->in.access, + user_pol ); + + if ( !NT_STATUS_IS_OK( hnd->status ) ) { + TALLOC_FREE( user_pol ); + return CAC_FAILURE; + } + + op->out.user = user_pol; + + return CAC_SUCCESS; } -int cac_LsaRemovePrivileges(CacServerHandle *hnd, TALLOC_CTX *mem_ctx, struct LsaRemovePrivileges *op) { - struct rpc_pipe_client *pipe_hnd = NULL; - - DOM_SID *user_sid = NULL; - uint32 *type = NULL; - - if(!hnd) { - return CAC_FAILURE; - } - - if(!hnd->_internal.ctx || !hnd->_internal.pipes[PI_LSARPC]) { - hnd->status = NT_STATUS_INVALID_HANDLE; - return CAC_FAILURE; - } - - if(!op || !op->in.pol || !op->in.priv_names) { - hnd->status = NT_STATUS_INVALID_PARAMETER; - return CAC_FAILURE; - } - - if(!op->in.sid && !op->in.name) { - hnd->status = NT_STATUS_INVALID_PARAMETER; - return CAC_FAILURE; - } - pipe_hnd = cac_GetPipe(hnd, PI_LSARPC); - if(!pipe_hnd) { - hnd->status = NT_STATUS_INVALID_HANDLE; - return CAC_FAILURE; - } - - if(op->in.name && !op->in.sid) { - /*lookup the SID*/ - hnd->status = rpccli_lsa_lookup_names( pipe_hnd, mem_ctx, op->in.pol, 1, (const char **)&(op->in.name), NULL, &user_sid, &type); - - if(!NT_STATUS_IS_OK(hnd->status)) - return CAC_FAILURE; - - op->in.sid = user_sid; - } - - hnd->status = rpccli_lsa_remove_account_rights( pipe_hnd, mem_ctx, op->in.pol, *(op->in.sid), False, op->in.num_privs, (const char **)op->in.priv_names); - - if(!NT_STATUS_IS_OK(hnd->status)) { - return CAC_FAILURE; - } - - return CAC_SUCCESS; +int cac_LsaAddPrivileges( CacServerHandle * hnd, TALLOC_CTX * mem_ctx, + struct LsaAddPrivileges *op ) +{ + struct rpc_pipe_client *pipe_hnd = NULL; + + DOM_SID *user_sid = NULL; + enum lsa_SidType *type = NULL; + + if ( !hnd ) { + return CAC_FAILURE; + } + + if ( !hnd->_internal.ctx || !hnd->_internal.pipes[PI_LSARPC] ) { + hnd->status = NT_STATUS_INVALID_HANDLE; + return CAC_FAILURE; + } + + if ( !op || !op->in.pol || !op->in.priv_names ) { + hnd->status = NT_STATUS_INVALID_PARAMETER; + return CAC_FAILURE; + } + + if ( !op->in.sid && !op->in.name ) { + hnd->status = NT_STATUS_INVALID_PARAMETER; + return CAC_FAILURE; + } + + pipe_hnd = cac_GetPipe( hnd, PI_LSARPC ); + if ( !pipe_hnd ) { + hnd->status = NT_STATUS_INVALID_HANDLE; + return CAC_FAILURE; + } + + if ( op->in.name && !op->in.sid ) { + /*lookup the SID */ + hnd->status = + rpccli_lsa_lookup_names( pipe_hnd, mem_ctx, + op->in.pol, 1, + ( const char ** ) &( op->in. + name ), + NULL, 1, &user_sid, &type ); + + if ( !NT_STATUS_IS_OK( hnd->status ) ) + return CAC_FAILURE; + + op->in.sid = user_sid; + } + + hnd->status = + rpccli_lsa_add_account_rights( pipe_hnd, mem_ctx, op->in.pol, + *( op->in.sid ), + op->in.num_privs, + ( const char ** ) op->in. + priv_names ); + + if ( !NT_STATUS_IS_OK( hnd->status ) ) { + return CAC_FAILURE; + } + + return CAC_SUCCESS; } -int cac_LsaClearPrivileges(CacServerHandle *hnd, TALLOC_CTX *mem_ctx, struct LsaClearPrivileges *op) { - struct rpc_pipe_client *pipe_hnd = NULL; - - DOM_SID *user_sid = NULL; - uint32 *type = NULL; - - if(!hnd) { - return CAC_FAILURE; - } - - if(!hnd->_internal.ctx || !hnd->_internal.pipes[PI_LSARPC]) { - hnd->status = NT_STATUS_INVALID_HANDLE; - return CAC_FAILURE; - } - - if(!op || !op->in.pol) { - hnd->status = NT_STATUS_INVALID_PARAMETER; - return CAC_FAILURE; - } - - if(!op->in.sid && !op->in.name) { - hnd->status = NT_STATUS_INVALID_PARAMETER; - return CAC_FAILURE; - } - - pipe_hnd = cac_GetPipe(hnd, PI_LSARPC); - if(!pipe_hnd) { - hnd->status = NT_STATUS_INVALID_HANDLE; - return CAC_FAILURE; - } - - if(op->in.name && !op->in.sid) { - /*lookup the SID*/ - hnd->status = rpccli_lsa_lookup_names( pipe_hnd, mem_ctx, op->in.pol, 1, (const char **)&(op->in.name), NULL, &user_sid, &type); - - if(!NT_STATUS_IS_OK(hnd->status)) - return CAC_FAILURE; - - op->in.sid = user_sid; - } - - hnd->status = rpccli_lsa_remove_account_rights( pipe_hnd, mem_ctx, op->in.pol, *(op->in.sid), True, 0, NULL); - - if(!NT_STATUS_IS_OK(hnd->status)) { - return CAC_FAILURE; - } - - return CAC_SUCCESS; +int cac_LsaRemovePrivileges( CacServerHandle * hnd, TALLOC_CTX * mem_ctx, + struct LsaRemovePrivileges *op ) +{ + struct rpc_pipe_client *pipe_hnd = NULL; + + DOM_SID *user_sid = NULL; + enum lsa_SidType *type = NULL; + + if ( !hnd ) { + return CAC_FAILURE; + } + + if ( !hnd->_internal.ctx || !hnd->_internal.pipes[PI_LSARPC] ) { + hnd->status = NT_STATUS_INVALID_HANDLE; + return CAC_FAILURE; + } + + if ( !op || !op->in.pol || !op->in.priv_names ) { + hnd->status = NT_STATUS_INVALID_PARAMETER; + return CAC_FAILURE; + } + + if ( !op->in.sid && !op->in.name ) { + hnd->status = NT_STATUS_INVALID_PARAMETER; + return CAC_FAILURE; + } + + pipe_hnd = cac_GetPipe( hnd, PI_LSARPC ); + if ( !pipe_hnd ) { + hnd->status = NT_STATUS_INVALID_HANDLE; + return CAC_FAILURE; + } + + if ( op->in.name && !op->in.sid ) { + /*lookup the SID */ + hnd->status = + rpccli_lsa_lookup_names( pipe_hnd, mem_ctx, + op->in.pol, 1, + ( const char ** ) &( op->in. + name ), + NULL, 1, &user_sid, &type ); + + if ( !NT_STATUS_IS_OK( hnd->status ) ) + return CAC_FAILURE; + + op->in.sid = user_sid; + } + + hnd->status = + rpccli_lsa_remove_account_rights( pipe_hnd, mem_ctx, + op->in.pol, *( op->in.sid ), + False, op->in.num_privs, + ( const char ** ) op->in. + priv_names ); + + if ( !NT_STATUS_IS_OK( hnd->status ) ) { + return CAC_FAILURE; + } + + return CAC_SUCCESS; } -int cac_LsaSetPrivileges(CacServerHandle *hnd, TALLOC_CTX *mem_ctx, struct LsaAddPrivileges *op) { - struct rpc_pipe_client *pipe_hnd = NULL; - - DOM_SID *user_sid = NULL; - uint32 *type = NULL; - - if(!hnd) { - return CAC_FAILURE; - } - - if(!hnd->_internal.ctx || !hnd->_internal.pipes[PI_LSARPC]) { - hnd->status = NT_STATUS_INVALID_HANDLE; - return CAC_FAILURE; - } - - if(!op || !op->in.pol || !op->in.priv_names) { - hnd->status = NT_STATUS_INVALID_PARAMETER; - return CAC_FAILURE; - } - - if(!op->in.sid && !op->in.name) { - hnd->status = NT_STATUS_INVALID_PARAMETER; - return CAC_FAILURE; - } - - pipe_hnd = cac_GetPipe(hnd, PI_LSARPC); - if(!pipe_hnd) { - return CAC_FAILURE; - } - - if(op->in.name && !op->in.sid) { - /*lookup the SID*/ - hnd->status = rpccli_lsa_lookup_names( pipe_hnd, mem_ctx, op->in.pol, 1, (const char **)&(op->in.name), NULL, &user_sid, &type); - - if(!NT_STATUS_IS_OK(hnd->status)) - return CAC_FAILURE; - - op->in.sid = user_sid; - } - - /*first remove all privileges*/ - hnd->status = rpccli_lsa_remove_account_rights( pipe_hnd, mem_ctx, op->in.pol, *(op->in.sid), True, 0, NULL); - - if(!NT_STATUS_IS_OK(hnd->status)) { - return CAC_FAILURE; - } - - hnd->status = rpccli_lsa_add_account_rights( pipe_hnd, mem_ctx, op->in.pol, *(op->in.sid), op->in.num_privs, (const char **)op->in.priv_names); - - if(!NT_STATUS_IS_OK(hnd->status)) { - return CAC_FAILURE; - } +int cac_LsaClearPrivileges( CacServerHandle * hnd, TALLOC_CTX * mem_ctx, + struct LsaClearPrivileges *op ) +{ + struct rpc_pipe_client *pipe_hnd = NULL; + + DOM_SID *user_sid = NULL; + enum lsa_SidType *type = NULL; + + if ( !hnd ) { + return CAC_FAILURE; + } + + if ( !hnd->_internal.ctx || !hnd->_internal.pipes[PI_LSARPC] ) { + hnd->status = NT_STATUS_INVALID_HANDLE; + return CAC_FAILURE; + } + + if ( !op || !op->in.pol ) { + hnd->status = NT_STATUS_INVALID_PARAMETER; + return CAC_FAILURE; + } + + if ( !op->in.sid && !op->in.name ) { + hnd->status = NT_STATUS_INVALID_PARAMETER; + return CAC_FAILURE; + } + + pipe_hnd = cac_GetPipe( hnd, PI_LSARPC ); + if ( !pipe_hnd ) { + hnd->status = NT_STATUS_INVALID_HANDLE; + return CAC_FAILURE; + } + + if ( op->in.name && !op->in.sid ) { + /*lookup the SID */ + hnd->status = + rpccli_lsa_lookup_names( pipe_hnd, mem_ctx, + op->in.pol, 1, + ( const char ** ) &( op->in. + name ), + NULL, 1, &user_sid, &type ); + + if ( !NT_STATUS_IS_OK( hnd->status ) ) + return CAC_FAILURE; + + op->in.sid = user_sid; + } + + hnd->status = + rpccli_lsa_remove_account_rights( pipe_hnd, mem_ctx, + op->in.pol, *( op->in.sid ), + True, 0, NULL ); + + if ( !NT_STATUS_IS_OK( hnd->status ) ) { + return CAC_FAILURE; + } + + return CAC_SUCCESS; +} - return CAC_SUCCESS; +int cac_LsaSetPrivileges( CacServerHandle * hnd, TALLOC_CTX * mem_ctx, + struct LsaAddPrivileges *op ) +{ + struct rpc_pipe_client *pipe_hnd = NULL; + + DOM_SID *user_sid = NULL; + enum lsa_SidType *type = NULL; + + if ( !hnd ) { + return CAC_FAILURE; + } + + if ( !hnd->_internal.ctx || !hnd->_internal.pipes[PI_LSARPC] ) { + hnd->status = NT_STATUS_INVALID_HANDLE; + return CAC_FAILURE; + } + + if ( !op || !op->in.pol || !op->in.priv_names ) { + hnd->status = NT_STATUS_INVALID_PARAMETER; + return CAC_FAILURE; + } + + if ( !op->in.sid && !op->in.name ) { + hnd->status = NT_STATUS_INVALID_PARAMETER; + return CAC_FAILURE; + } + + pipe_hnd = cac_GetPipe( hnd, PI_LSARPC ); + if ( !pipe_hnd ) { + return CAC_FAILURE; + } + + if ( op->in.name && !op->in.sid ) { + /*lookup the SID */ + hnd->status = + rpccli_lsa_lookup_names( pipe_hnd, mem_ctx, + op->in.pol, 1, + ( const char ** ) &( op->in. + name ), + NULL, 1, &user_sid, &type ); + + if ( !NT_STATUS_IS_OK( hnd->status ) ) + return CAC_FAILURE; + + op->in.sid = user_sid; + } + + /*first remove all privileges */ + hnd->status = + rpccli_lsa_remove_account_rights( pipe_hnd, mem_ctx, + op->in.pol, *( op->in.sid ), + True, 0, NULL ); + + if ( !NT_STATUS_IS_OK( hnd->status ) ) { + return CAC_FAILURE; + } + + hnd->status = + rpccli_lsa_add_account_rights( pipe_hnd, mem_ctx, op->in.pol, + *( op->in.sid ), + op->in.num_privs, + ( const char ** ) op->in. + priv_names ); + + if ( !NT_STATUS_IS_OK( hnd->status ) ) { + return CAC_FAILURE; + } + + return CAC_SUCCESS; } -int cac_LsaGetSecurityObject(CacServerHandle *hnd, TALLOC_CTX *mem_ctx, struct LsaGetSecurityObject *op) { - struct rpc_pipe_client *pipe_hnd = NULL; +int cac_LsaGetSecurityObject( CacServerHandle * hnd, TALLOC_CTX * mem_ctx, + struct LsaGetSecurityObject *op ) +{ + struct rpc_pipe_client *pipe_hnd = NULL; - /*this is taken from rpcclient/cmd_lsarpc.c*/ - uint16 info_level = 4; + /*this is taken from rpcclient/cmd_lsarpc.c */ + uint16 info_level = 4; - SEC_DESC_BUF *sec_out = NULL; + SEC_DESC_BUF *sec_out = NULL; - if(!hnd) { - return CAC_FAILURE; - } + if ( !hnd ) { + return CAC_FAILURE; + } - if(!hnd->_internal.ctx || !hnd->_internal.pipes[PI_LSARPC]) { - hnd->status = NT_STATUS_INVALID_HANDLE; - return CAC_FAILURE; - } + if ( !hnd->_internal.ctx || !hnd->_internal.pipes[PI_LSARPC] ) { + hnd->status = NT_STATUS_INVALID_HANDLE; + return CAC_FAILURE; + } - if(!op || !op->in.pol) { - hnd->status = NT_STATUS_INVALID_PARAMETER; - return CAC_FAILURE; - } + if ( !op || !op->in.pol ) { + hnd->status = NT_STATUS_INVALID_PARAMETER; + return CAC_FAILURE; + } - pipe_hnd = cac_GetPipe(hnd, PI_LSARPC); - if(!pipe_hnd) { - hnd->status = NT_STATUS_INVALID_HANDLE; - return CAC_FAILURE; - } + pipe_hnd = cac_GetPipe( hnd, PI_LSARPC ); + if ( !pipe_hnd ) { + hnd->status = NT_STATUS_INVALID_HANDLE; + return CAC_FAILURE; + } - hnd->status = rpccli_lsa_query_secobj( pipe_hnd, mem_ctx, op->in.pol, info_level, &sec_out); + hnd->status = + rpccli_lsa_query_secobj( pipe_hnd, mem_ctx, op->in.pol, + info_level, &sec_out ); - if(!NT_STATUS_IS_OK(hnd->status)) - return CAC_FAILURE; + if ( !NT_STATUS_IS_OK( hnd->status ) ) + return CAC_FAILURE; - op->out.sec = sec_out; + op->out.sec = sec_out; - return CAC_FAILURE; + return CAC_FAILURE; }