2 Unix SMB/CIFS implementation.
4 Copyright (C) Tim Potter 2000-2001,
5 Copyright (C) Andrew Tridgell 1992-1997,2000,
6 Copyright (C) Rafal Szczesniak 2002
7 Copyright (C) Jeremy Allison 2005.
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 2 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
26 /** @defgroup lsa LSA - Local Security Architecture
35 * RPC client routines for the LSA RPC pipe. LSA means "local
36 * security authority", which is half of a password database.
39 /** Open a LSA policy handle
41 * @param cli Handle on an initialised SMB connection */
43 NTSTATUS rpccli_lsa_open_policy(struct rpc_pipe_client *cli,
45 BOOL sec_qos, uint32 des_access,
48 prs_struct qbuf, rbuf;
57 /* Initialise input parameters */
60 init_lsa_sec_qos(&qos, 2, 1, 0);
61 init_q_open_pol(&q, '\\', 0, des_access, &qos);
63 init_q_open_pol(&q, '\\', 0, des_access, NULL);
66 /* Marshall data and send request */
68 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_OPENPOLICY,
73 NT_STATUS_UNSUCCESSFUL );
75 /* Return output parameters */
79 if (NT_STATUS_IS_OK(result)) {
82 pol->marker = MALLOC(1);
89 /** Open a LSA policy handle
91 * @param cli Handle on an initialised SMB connection
94 NTSTATUS rpccli_lsa_open_policy2(struct rpc_pipe_client *cli,
95 TALLOC_CTX *mem_ctx, BOOL sec_qos,
96 uint32 des_access, POLICY_HND *pol)
98 prs_struct qbuf, rbuf;
103 char *srv_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", cli->cli->desthost);
109 init_lsa_sec_qos(&qos, 2, 1, 0);
110 init_q_open_pol2(&q, srv_name_slash, 0, des_access, &qos);
112 init_q_open_pol2(&q, srv_name_slash, 0, des_access, NULL);
115 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_OPENPOLICY2,
120 NT_STATUS_UNSUCCESSFUL );
122 /* Return output parameters */
126 if (NT_STATUS_IS_OK(result)) {
129 pol->marker = (char *)malloc(1);
136 /** Close a LSA policy handle */
138 NTSTATUS rpccli_lsa_close(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
141 prs_struct qbuf, rbuf;
149 init_lsa_q_close(&q, pol);
151 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_CLOSE,
156 NT_STATUS_UNSUCCESSFUL );
158 /* Return output parameters */
162 if (NT_STATUS_IS_OK(result)) {
164 SAFE_FREE(pol->marker);
172 /** Lookup a list of sids */
174 NTSTATUS rpccli_lsa_lookup_sids(struct rpc_pipe_client *cli,
176 POLICY_HND *pol, int num_sids,
178 char ***domains, char ***names, uint32 **types)
180 prs_struct qbuf, rbuf;
184 LSA_TRANS_NAME_ENUM t_names;
185 NTSTATUS result = NT_STATUS_OK;
191 init_q_lookup_sids(mem_ctx, &q, pol, num_sids, sids, 1);
194 ZERO_STRUCT(t_names);
199 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_LOOKUPSIDS,
202 lsa_io_q_lookup_sids,
203 lsa_io_r_lookup_sids,
204 NT_STATUS_UNSUCCESSFUL );
206 if (!NT_STATUS_IS_OK(r.status) &&
207 NT_STATUS_V(r.status) != NT_STATUS_V(STATUS_SOME_UNMAPPED)) {
209 /* An actual error occured */
215 /* Return output parameters */
217 if (r.mapped_count == 0) {
218 result = NT_STATUS_NONE_MAPPED;
222 if (!((*domains) = TALLOC_ARRAY(mem_ctx, char *, num_sids))) {
223 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
224 result = NT_STATUS_NO_MEMORY;
228 if (!((*names) = TALLOC_ARRAY(mem_ctx, char *, num_sids))) {
229 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
230 result = NT_STATUS_NO_MEMORY;
234 if (!((*types) = TALLOC_ARRAY(mem_ctx, uint32, num_sids))) {
235 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
236 result = NT_STATUS_NO_MEMORY;
240 for (i = 0; i < num_sids; i++) {
241 fstring name, dom_name;
242 uint32 dom_idx = t_names.name[i].domain_idx;
244 /* Translate optimised name through domain index array */
246 if (dom_idx != 0xffffffff) {
248 rpcstr_pull_unistr2_fstring(
249 dom_name, &ref.ref_dom[dom_idx].uni_dom_name);
250 rpcstr_pull_unistr2_fstring(
251 name, &t_names.uni_name[i]);
253 (*names)[i] = talloc_strdup(mem_ctx, name);
254 (*domains)[i] = talloc_strdup(mem_ctx, dom_name);
255 (*types)[i] = t_names.name[i].sid_name_use;
257 if (((*names)[i] == NULL) || ((*domains)[i] == NULL)) {
258 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
259 result = NT_STATUS_UNSUCCESSFUL;
265 (*domains)[i] = NULL;
266 (*types)[i] = SID_NAME_UNKNOWN;
275 /** Lookup a list of names */
277 NTSTATUS rpccli_lsa_lookup_names(struct rpc_pipe_client *cli,
279 POLICY_HND *pol, int num_names,
281 const char ***dom_names,
285 prs_struct qbuf, rbuf;
286 LSA_Q_LOOKUP_NAMES q;
287 LSA_R_LOOKUP_NAMES r;
298 init_q_lookup_names(mem_ctx, &q, pol, num_names, names);
300 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_LOOKUPNAMES,
303 lsa_io_q_lookup_names,
304 lsa_io_r_lookup_names,
305 NT_STATUS_UNSUCCESSFUL);
309 if (!NT_STATUS_IS_OK(result) && NT_STATUS_V(result) !=
310 NT_STATUS_V(STATUS_SOME_UNMAPPED)) {
312 /* An actual error occured */
317 /* Return output parameters */
319 if (r.mapped_count == 0) {
320 result = NT_STATUS_NONE_MAPPED;
324 if (!((*sids = TALLOC_ARRAY(mem_ctx, DOM_SID, num_names)))) {
325 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
326 result = NT_STATUS_NO_MEMORY;
330 if (!((*types = TALLOC_ARRAY(mem_ctx, uint32, num_names)))) {
331 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
332 result = NT_STATUS_NO_MEMORY;
336 if (dom_names != NULL) {
337 *dom_names = TALLOC_ARRAY(mem_ctx, const char *, num_names);
338 if (*dom_names == NULL) {
339 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
340 result = NT_STATUS_NO_MEMORY;
345 for (i = 0; i < num_names; i++) {
346 DOM_RID *t_rids = r.dom_rid;
347 uint32 dom_idx = t_rids[i].rid_idx;
348 uint32 dom_rid = t_rids[i].rid;
349 DOM_SID *sid = &(*sids)[i];
351 /* Translate optimised sid through domain index array */
353 if (dom_idx == 0xffffffff) {
354 /* Nothing to do, this is unknown */
356 (*types)[i] = SID_NAME_UNKNOWN;
360 sid_copy(sid, &ref.ref_dom[dom_idx].ref_dom.sid);
362 if (dom_rid != 0xffffffff) {
363 sid_append_rid(sid, dom_rid);
366 (*types)[i] = t_rids[i].type;
368 if (dom_names == NULL) {
372 (*dom_names)[i] = rpcstr_pull_unistr2_talloc(
373 *dom_names, &ref.ref_dom[dom_idx].uni_dom_name);
381 NTSTATUS rpccli_lsa_query_info_policy_new(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
382 POLICY_HND *pol, uint16 info_class,
385 prs_struct qbuf, rbuf;
393 init_q_query(&q, pol, info_class);
395 CLI_DO_RPC(cli, mem_ctx, PI_LSARPC, LSA_QUERYINFOPOLICY,
400 NT_STATUS_UNSUCCESSFUL);
404 if (!NT_STATUS_IS_OK(result)) {
415 NTSTATUS rpccli_lsa_query_info_policy2_new(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
416 POLICY_HND *pol, uint16 info_class,
419 prs_struct qbuf, rbuf;
427 init_q_query2(&q, pol, info_class);
429 CLI_DO_RPC(cli, mem_ctx, PI_LSARPC, LSA_QUERYINFO2,
432 lsa_io_q_query_info2,
433 lsa_io_r_query_info2,
434 NT_STATUS_UNSUCCESSFUL);
438 if (!NT_STATUS_IS_OK(result)) {
451 /** Query info policy
453 * @param domain_sid - returned remote server's domain sid */
455 NTSTATUS rpccli_lsa_query_info_policy(struct rpc_pipe_client *cli,
457 POLICY_HND *pol, uint16 info_class,
458 char **domain_name, DOM_SID **domain_sid)
460 prs_struct qbuf, rbuf;
468 init_q_query(&q, pol, info_class);
470 CLI_DO_RPC(cli, mem_ctx, PI_LSARPC, LSA_QUERYINFOPOLICY,
475 NT_STATUS_UNSUCCESSFUL);
479 if (!NT_STATUS_IS_OK(result)) {
483 /* Return output parameters */
485 switch (info_class) {
488 if (domain_name && (r.ctr.info.id3.buffer_dom_name != 0)) {
489 *domain_name = unistr2_tdup(mem_ctx,
493 return NT_STATUS_NO_MEMORY;
497 if (domain_sid && (r.ctr.info.id3.buffer_dom_sid != 0)) {
498 *domain_sid = TALLOC_P(mem_ctx, DOM_SID);
500 return NT_STATUS_NO_MEMORY;
502 sid_copy(*domain_sid, &r.ctr.info.id3.dom_sid.sid);
509 if (domain_name && (r.ctr.info.id5.buffer_dom_name != 0)) {
510 *domain_name = unistr2_tdup(mem_ctx,
514 return NT_STATUS_NO_MEMORY;
518 if (domain_sid && (r.ctr.info.id5.buffer_dom_sid != 0)) {
519 *domain_sid = TALLOC_P(mem_ctx, DOM_SID);
521 return NT_STATUS_NO_MEMORY;
523 sid_copy(*domain_sid, &r.ctr.info.id5.dom_sid.sid);
528 DEBUG(3, ("unknown info class %d\n", info_class));
537 /** Query info policy2
539 * @param domain_name - returned remote server's domain name
540 * @param dns_name - returned remote server's dns domain name
541 * @param forest_name - returned remote server's forest name
542 * @param domain_guid - returned remote server's domain guid
543 * @param domain_sid - returned remote server's domain sid */
545 NTSTATUS rpccli_lsa_query_info_policy2(struct rpc_pipe_client *cli,
547 POLICY_HND *pol, uint16 info_class,
548 char **domain_name, char **dns_name,
550 struct uuid **domain_guid,
551 DOM_SID **domain_sid)
553 prs_struct qbuf, rbuf;
556 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
558 if (info_class != 12)
564 init_q_query2(&q, pol, info_class);
566 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_QUERYINFO2,
569 lsa_io_q_query_info2,
570 lsa_io_r_query_info2,
571 NT_STATUS_UNSUCCESSFUL);
575 if (!NT_STATUS_IS_OK(result)) {
579 /* Return output parameters */
581 ZERO_STRUCTP(domain_guid);
583 if (domain_name && r.ctr.info.id12.hdr_nb_dom_name.buffer) {
584 *domain_name = unistr2_tdup(mem_ctx,
588 return NT_STATUS_NO_MEMORY;
591 if (dns_name && r.ctr.info.id12.hdr_dns_dom_name.buffer) {
592 *dns_name = unistr2_tdup(mem_ctx,
596 return NT_STATUS_NO_MEMORY;
599 if (forest_name && r.ctr.info.id12.hdr_forest_name.buffer) {
600 *forest_name = unistr2_tdup(mem_ctx,
604 return NT_STATUS_NO_MEMORY;
609 *domain_guid = TALLOC_P(mem_ctx, struct uuid);
611 return NT_STATUS_NO_MEMORY;
614 &r.ctr.info.id12.dom_guid,
615 sizeof(struct uuid));
618 if (domain_sid && r.ctr.info.id12.ptr_dom_sid != 0) {
619 *domain_sid = TALLOC_P(mem_ctx, DOM_SID);
621 return NT_STATUS_NO_MEMORY;
623 sid_copy(*domain_sid,
624 &r.ctr.info.id12.dom_sid.sid);
632 NTSTATUS rpccli_lsa_set_info_policy(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
633 POLICY_HND *pol, uint16 info_class,
636 prs_struct qbuf, rbuf;
644 init_q_set(&q, pol, info_class, ctr);
646 CLI_DO_RPC(cli, mem_ctx, PI_LSARPC, LSA_SETINFOPOLICY,
651 NT_STATUS_UNSUCCESSFUL);
655 if (!NT_STATUS_IS_OK(result)) {
659 /* Return output parameters */
668 * Enumerate list of trusted domains
670 * @param cli client state (cli_state) structure of the connection
671 * @param mem_ctx memory context
672 * @param pol opened lsa policy handle
673 * @param enum_ctx enumeration context ie. index of first returned domain entry
674 * @param pref_num_domains preferred max number of entries returned in one response
675 * @param num_domains total number of trusted domains returned by response
676 * @param domain_names returned trusted domain names
677 * @param domain_sids returned trusted domain sids
679 * @return nt status code of response
682 NTSTATUS rpccli_lsa_enum_trust_dom(struct rpc_pipe_client *cli,
684 POLICY_HND *pol, uint32 *enum_ctx,
686 char ***domain_names, DOM_SID **domain_sids)
688 prs_struct qbuf, rbuf;
689 LSA_Q_ENUM_TRUST_DOM in;
690 LSA_R_ENUM_TRUST_DOM out;
697 /* 64k is enough for about 2000 trusted domains */
699 init_q_enum_trust_dom(&in, pol, *enum_ctx, 0x10000);
701 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_ENUMTRUSTDOM,
704 lsa_io_q_enum_trust_dom,
705 lsa_io_r_enum_trust_dom,
706 NT_STATUS_UNSUCCESSFUL );
709 /* check for an actual error */
711 if ( !NT_STATUS_IS_OK(out.status)
712 && !NT_STATUS_EQUAL(out.status, NT_STATUS_NO_MORE_ENTRIES)
713 && !NT_STATUS_EQUAL(out.status, STATUS_MORE_ENTRIES) )
718 /* Return output parameters */
720 *num_domains = out.count;
721 *enum_ctx = out.enum_context;
725 /* Allocate memory for trusted domain names and sids */
727 if ( !(*domain_names = TALLOC_ARRAY(mem_ctx, char *, out.count)) ) {
728 DEBUG(0, ("cli_lsa_enum_trust_dom(): out of memory\n"));
729 return NT_STATUS_NO_MEMORY;
732 if ( !(*domain_sids = TALLOC_ARRAY(mem_ctx, DOM_SID, out.count)) ) {
733 DEBUG(0, ("cli_lsa_enum_trust_dom(): out of memory\n"));
734 return NT_STATUS_NO_MEMORY;
737 /* Copy across names and sids */
739 for (i = 0; i < out.count; i++) {
741 rpcstr_pull( tmp, out.domlist->domains[i].name.string->buffer,
742 sizeof(tmp), out.domlist->domains[i].name.length, 0);
743 (*domain_names)[i] = talloc_strdup(mem_ctx, tmp);
745 sid_copy(&(*domain_sids)[i], &out.domlist->domains[i].sid->sid );
752 /** Enumerate privileges*/
754 NTSTATUS rpccli_lsa_enum_privilege(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
755 POLICY_HND *pol, uint32 *enum_context, uint32 pref_max_length,
756 uint32 *count, char ***privs_name, uint32 **privs_high, uint32 **privs_low)
758 prs_struct qbuf, rbuf;
767 init_q_enum_privs(&q, pol, *enum_context, pref_max_length);
769 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_ENUM_PRIVS,
774 NT_STATUS_UNSUCCESSFUL);
778 if (!NT_STATUS_IS_OK(result)) {
782 /* Return output parameters */
784 *enum_context = r.enum_context;
787 if (!((*privs_name = TALLOC_ARRAY(mem_ctx, char *, r.count)))) {
788 DEBUG(0, ("(cli_lsa_enum_privilege): out of memory\n"));
789 result = NT_STATUS_UNSUCCESSFUL;
793 if (!((*privs_high = TALLOC_ARRAY(mem_ctx, uint32, r.count)))) {
794 DEBUG(0, ("(cli_lsa_enum_privilege): out of memory\n"));
795 result = NT_STATUS_UNSUCCESSFUL;
799 if (!((*privs_low = TALLOC_ARRAY(mem_ctx, uint32, r.count)))) {
800 DEBUG(0, ("(cli_lsa_enum_privilege): out of memory\n"));
801 result = NT_STATUS_UNSUCCESSFUL;
805 for (i = 0; i < r.count; i++) {
808 rpcstr_pull_unistr2_fstring( name, &r.privs[i].name);
810 (*privs_name)[i] = talloc_strdup(mem_ctx, name);
812 (*privs_high)[i] = r.privs[i].luid_high;
813 (*privs_low)[i] = r.privs[i].luid_low;
821 /** Get privilege name */
823 NTSTATUS rpccli_lsa_get_dispname(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
824 POLICY_HND *pol, const char *name,
825 uint16 lang_id, uint16 lang_id_sys,
826 fstring description, uint16 *lang_id_desc)
828 prs_struct qbuf, rbuf;
829 LSA_Q_PRIV_GET_DISPNAME q;
830 LSA_R_PRIV_GET_DISPNAME r;
836 init_lsa_priv_get_dispname(&q, pol, name, lang_id, lang_id_sys);
838 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_PRIV_GET_DISPNAME,
841 lsa_io_q_priv_get_dispname,
842 lsa_io_r_priv_get_dispname,
843 NT_STATUS_UNSUCCESSFUL);
847 if (!NT_STATUS_IS_OK(result)) {
851 /* Return output parameters */
853 rpcstr_pull_unistr2_fstring(description , &r.desc);
854 *lang_id_desc = r.lang_id;
861 /** Enumerate list of SIDs */
863 NTSTATUS rpccli_lsa_enum_sids(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
864 POLICY_HND *pol, uint32 *enum_ctx, uint32 pref_max_length,
865 uint32 *num_sids, DOM_SID **sids)
867 prs_struct qbuf, rbuf;
868 LSA_Q_ENUM_ACCOUNTS q;
869 LSA_R_ENUM_ACCOUNTS r;
876 init_lsa_q_enum_accounts(&q, pol, *enum_ctx, pref_max_length);
878 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_ENUM_ACCOUNTS,
881 lsa_io_q_enum_accounts,
882 lsa_io_r_enum_accounts,
883 NT_STATUS_UNSUCCESSFUL);
887 if (!NT_STATUS_IS_OK(result)) {
891 if (r.sids.num_entries==0)
894 /* Return output parameters */
896 *sids = TALLOC_ARRAY(mem_ctx, DOM_SID, r.sids.num_entries);
898 DEBUG(0, ("(cli_lsa_enum_sids): out of memory\n"));
899 result = NT_STATUS_UNSUCCESSFUL;
903 /* Copy across names and sids */
905 for (i = 0; i < r.sids.num_entries; i++) {
906 sid_copy(&(*sids)[i], &r.sids.sid[i].sid);
909 *num_sids= r.sids.num_entries;
910 *enum_ctx = r.enum_context;
917 /** Create a LSA user handle
919 * @param cli Handle on an initialised SMB connection
921 * FIXME: The code is actually identical to open account
922 * TODO: Check and code what the function should exactly do
926 NTSTATUS rpccli_lsa_create_account(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
927 POLICY_HND *dom_pol, DOM_SID *sid, uint32 desired_access,
928 POLICY_HND *user_pol)
930 prs_struct qbuf, rbuf;
931 LSA_Q_CREATEACCOUNT q;
932 LSA_R_CREATEACCOUNT r;
938 /* Initialise input parameters */
940 init_lsa_q_create_account(&q, dom_pol, sid, desired_access);
942 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_CREATEACCOUNT,
945 lsa_io_q_create_account,
946 lsa_io_r_create_account,
947 NT_STATUS_UNSUCCESSFUL);
949 /* Return output parameters */
953 if (NT_STATUS_IS_OK(result)) {
960 /** Open a LSA user handle
962 * @param cli Handle on an initialised SMB connection */
964 NTSTATUS rpccli_lsa_open_account(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
965 POLICY_HND *dom_pol, DOM_SID *sid, uint32 des_access,
966 POLICY_HND *user_pol)
968 prs_struct qbuf, rbuf;
976 /* Initialise input parameters */
978 init_lsa_q_open_account(&q, dom_pol, sid, des_access);
980 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_OPENACCOUNT,
983 lsa_io_q_open_account,
984 lsa_io_r_open_account,
985 NT_STATUS_UNSUCCESSFUL);
987 /* Return output parameters */
991 if (NT_STATUS_IS_OK(result)) {
998 /** Enumerate user privileges
1000 * @param cli Handle on an initialised SMB connection */
1002 NTSTATUS rpccli_lsa_enum_privsaccount(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1003 POLICY_HND *pol, uint32 *count, LUID_ATTR **set)
1005 prs_struct qbuf, rbuf;
1006 LSA_Q_ENUMPRIVSACCOUNT q;
1007 LSA_R_ENUMPRIVSACCOUNT r;
1014 /* Initialise input parameters */
1016 init_lsa_q_enum_privsaccount(&q, pol);
1018 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_ENUMPRIVSACCOUNT,
1021 lsa_io_q_enum_privsaccount,
1022 lsa_io_r_enum_privsaccount,
1023 NT_STATUS_UNSUCCESSFUL);
1025 /* Return output parameters */
1029 if (!NT_STATUS_IS_OK(result)) {
1036 if (!((*set = TALLOC_ARRAY(mem_ctx, LUID_ATTR, r.count)))) {
1037 DEBUG(0, ("(cli_lsa_enum_privsaccount): out of memory\n"));
1038 result = NT_STATUS_UNSUCCESSFUL;
1042 for (i=0; i<r.count; i++) {
1043 (*set)[i].luid.low = r.set.set[i].luid.low;
1044 (*set)[i].luid.high = r.set.set[i].luid.high;
1045 (*set)[i].attr = r.set.set[i].attr;
1054 /** Get a privilege value given its name */
1056 NTSTATUS rpccli_lsa_lookup_priv_value(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1057 POLICY_HND *pol, const char *name, LUID *luid)
1059 prs_struct qbuf, rbuf;
1060 LSA_Q_LOOKUP_PRIV_VALUE q;
1061 LSA_R_LOOKUP_PRIV_VALUE r;
1067 /* Marshall data and send request */
1069 init_lsa_q_lookup_priv_value(&q, pol, name);
1071 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_LOOKUPPRIVVALUE,
1074 lsa_io_q_lookup_priv_value,
1075 lsa_io_r_lookup_priv_value,
1076 NT_STATUS_UNSUCCESSFUL);
1080 if (!NT_STATUS_IS_OK(result)) {
1084 /* Return output parameters */
1086 (*luid).low=r.luid.low;
1087 (*luid).high=r.luid.high;
1094 /** Query LSA security object */
1096 NTSTATUS rpccli_lsa_query_secobj(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1097 POLICY_HND *pol, uint32 sec_info,
1098 SEC_DESC_BUF **psdb)
1100 prs_struct qbuf, rbuf;
1101 LSA_Q_QUERY_SEC_OBJ q;
1102 LSA_R_QUERY_SEC_OBJ r;
1108 /* Marshall data and send request */
1110 init_q_query_sec_obj(&q, pol, sec_info);
1112 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_QUERYSECOBJ,
1115 lsa_io_q_query_sec_obj,
1116 lsa_io_r_query_sec_obj,
1117 NT_STATUS_UNSUCCESSFUL);
1121 if (!NT_STATUS_IS_OK(result)) {
1125 /* Return output parameters */
1136 /* Enumerate account rights This is similar to enum_privileges but
1137 takes a SID directly, avoiding the open_account call.
1140 NTSTATUS rpccli_lsa_enum_account_rights(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1141 POLICY_HND *pol, DOM_SID *sid,
1142 uint32 *count, char ***priv_names)
1144 prs_struct qbuf, rbuf;
1145 LSA_Q_ENUM_ACCT_RIGHTS q;
1146 LSA_R_ENUM_ACCT_RIGHTS r;
1149 fstring *privileges;
1155 /* Marshall data and send request */
1156 init_q_enum_acct_rights(&q, pol, 2, sid);
1158 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_ENUMACCTRIGHTS,
1161 lsa_io_q_enum_acct_rights,
1162 lsa_io_r_enum_acct_rights,
1163 NT_STATUS_UNSUCCESSFUL);
1167 if (!NT_STATUS_IS_OK(result)) {
1177 privileges = TALLOC_ARRAY( mem_ctx, fstring, *count );
1178 names = TALLOC_ARRAY( mem_ctx, char *, *count );
1180 for ( i=0; i<*count; i++ ) {
1181 UNISTR4 *uni_string = &r.rights->strings[i];
1183 if ( !uni_string->string )
1186 rpcstr_pull( privileges[i], uni_string->string->buffer, sizeof(privileges[i]), -1, STR_TERMINATE );
1188 /* now copy to the return array */
1189 names[i] = talloc_strdup( mem_ctx, privileges[i] );
1192 *priv_names = names;
1201 /* add account rights to an account. */
1203 NTSTATUS rpccli_lsa_add_account_rights(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1204 POLICY_HND *pol, DOM_SID sid,
1205 uint32 count, const char **privs_name)
1207 prs_struct qbuf, rbuf;
1208 LSA_Q_ADD_ACCT_RIGHTS q;
1209 LSA_R_ADD_ACCT_RIGHTS r;
1215 /* Marshall data and send request */
1216 init_q_add_acct_rights(&q, pol, &sid, count, privs_name);
1218 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_ADDACCTRIGHTS,
1221 lsa_io_q_add_acct_rights,
1222 lsa_io_r_add_acct_rights,
1223 NT_STATUS_UNSUCCESSFUL);
1227 if (!NT_STATUS_IS_OK(result)) {
1236 /* remove account rights for an account. */
1238 NTSTATUS rpccli_lsa_remove_account_rights(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1239 POLICY_HND *pol, DOM_SID sid, BOOL removeall,
1240 uint32 count, const char **privs_name)
1242 prs_struct qbuf, rbuf;
1243 LSA_Q_REMOVE_ACCT_RIGHTS q;
1244 LSA_R_REMOVE_ACCT_RIGHTS r;
1250 /* Marshall data and send request */
1251 init_q_remove_acct_rights(&q, pol, &sid, removeall?1:0, count, privs_name);
1253 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_REMOVEACCTRIGHTS,
1256 lsa_io_q_remove_acct_rights,
1257 lsa_io_r_remove_acct_rights,
1258 NT_STATUS_UNSUCCESSFUL);
1262 if (!NT_STATUS_IS_OK(result)) {
1273 /** An example of how to use the routines in this file. Fetch a DOMAIN
1274 sid. Does complete cli setup / teardown anonymously. */
1276 BOOL fetch_domain_sid( char *domain, char *remote_machine, DOM_SID *psid)
1278 extern pstring global_myname;
1279 struct cli_state cli;
1285 if(cli_initialise(&cli) == False) {
1286 DEBUG(0,("fetch_domain_sid: unable to initialize client connection.\n"));
1290 if(!resolve_name( remote_machine, &cli.dest_ip, 0x20)) {
1291 DEBUG(0,("fetch_domain_sid: Can't resolve address for %s\n", remote_machine));
1295 if (!cli_connect(&cli, remote_machine, &cli.dest_ip)) {
1296 DEBUG(0,("fetch_domain_sid: unable to connect to SMB server on \
1297 machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
1301 if (!attempt_netbios_session_request(&cli, global_myname, remote_machine, &cli.dest_ip)) {
1302 DEBUG(0,("fetch_domain_sid: machine %s rejected the NetBIOS session request.\n",
1307 cli.protocol = PROTOCOL_NT1;
1309 if (!cli_negprot(&cli)) {
1310 DEBUG(0,("fetch_domain_sid: machine %s rejected the negotiate protocol. \
1311 Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
1315 if (cli.protocol != PROTOCOL_NT1) {
1316 DEBUG(0,("fetch_domain_sid: machine %s didn't negotiate NT protocol.\n",
1322 * Do an anonymous session setup.
1325 if (!cli_session_setup(&cli, "", "", 0, "", 0, "")) {
1326 DEBUG(0,("fetch_domain_sid: machine %s rejected the session setup. \
1327 Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
1331 if (!(cli.sec_mode & NEGOTIATE_SECURITY_USER_LEVEL)) {
1332 DEBUG(0,("fetch_domain_sid: machine %s isn't in user level security mode\n",
1337 if (!cli_send_tconX(&cli, "IPC$", "IPC", "", 1)) {
1338 DEBUG(0,("fetch_domain_sid: machine %s rejected the tconX on the IPC$ share. \
1339 Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
1343 /* Fetch domain sid */
1345 if (!cli_nt_session_open(&cli, PI_LSARPC)) {
1346 DEBUG(0, ("fetch_domain_sid: Error connecting to SAM pipe\n"));
1350 result = cli_lsa_open_policy(&cli, cli.mem_ctx, True, SEC_RIGHTS_QUERY_VALUE, &lsa_pol);
1351 if (!NT_STATUS_IS_OK(result)) {
1352 DEBUG(0, ("fetch_domain_sid: Error opening lsa policy handle. %s\n",
1353 nt_errstr(result) ));
1357 result = cli_lsa_query_info_policy(&cli, cli.mem_ctx, &lsa_pol, 5, domain, psid);
1358 if (!NT_STATUS_IS_OK(result)) {
1359 DEBUG(0, ("fetch_domain_sid: Error querying lsa policy handle. %s\n",
1360 nt_errstr(result) ));
1374 NTSTATUS rpccli_lsa_open_trusted_domain(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1375 POLICY_HND *pol, DOM_SID *dom_sid, uint32 access_mask,
1376 POLICY_HND *trustdom_pol)
1378 prs_struct qbuf, rbuf;
1379 LSA_Q_OPEN_TRUSTED_DOMAIN q;
1380 LSA_R_OPEN_TRUSTED_DOMAIN r;
1386 /* Initialise input parameters */
1388 init_lsa_q_open_trusted_domain(&q, pol, dom_sid, access_mask);
1390 /* Marshall data and send request */
1392 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_OPENTRUSTDOM,
1395 lsa_io_q_open_trusted_domain,
1396 lsa_io_r_open_trusted_domain,
1397 NT_STATUS_UNSUCCESSFUL);
1399 /* Return output parameters */
1403 if (NT_STATUS_IS_OK(result)) {
1404 *trustdom_pol = r.handle;
1410 NTSTATUS rpccli_lsa_query_trusted_domain_info(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1413 LSA_TRUSTED_DOMAIN_INFO **info)
1415 prs_struct qbuf, rbuf;
1416 LSA_Q_QUERY_TRUSTED_DOMAIN_INFO q;
1417 LSA_R_QUERY_TRUSTED_DOMAIN_INFO r;
1418 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1423 /* Marshall data and send request */
1425 init_q_query_trusted_domain_info(&q, pol, info_class);
1427 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_QUERYTRUSTDOMINFO,
1430 lsa_io_q_query_trusted_domain_info,
1431 lsa_io_r_query_trusted_domain_info,
1432 NT_STATUS_UNSUCCESSFUL);
1436 if (!NT_STATUS_IS_OK(result)) {
1446 NTSTATUS rpccli_lsa_open_trusted_domain_by_name(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1447 POLICY_HND *pol, const char *name, uint32 access_mask,
1448 POLICY_HND *trustdom_pol)
1450 prs_struct qbuf, rbuf;
1451 LSA_Q_OPEN_TRUSTED_DOMAIN_BY_NAME q;
1452 LSA_R_OPEN_TRUSTED_DOMAIN_BY_NAME r;
1458 /* Initialise input parameters */
1460 init_lsa_q_open_trusted_domain_by_name(&q, pol, name, access_mask);
1462 /* Marshall data and send request */
1464 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_OPENTRUSTDOMBYNAME,
1467 lsa_io_q_open_trusted_domain_by_name,
1468 lsa_io_r_open_trusted_domain_by_name,
1469 NT_STATUS_UNSUCCESSFUL);
1471 /* Return output parameters */
1475 if (NT_STATUS_IS_OK(result)) {
1476 *trustdom_pol = r.handle;
1483 NTSTATUS rpccli_lsa_query_trusted_domain_info_by_sid(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1485 uint16 info_class, DOM_SID *dom_sid,
1486 LSA_TRUSTED_DOMAIN_INFO **info)
1488 prs_struct qbuf, rbuf;
1489 LSA_Q_QUERY_TRUSTED_DOMAIN_INFO_BY_SID q;
1490 LSA_R_QUERY_TRUSTED_DOMAIN_INFO r;
1491 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1496 /* Marshall data and send request */
1498 init_q_query_trusted_domain_info_by_sid(&q, pol, info_class, dom_sid);
1500 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_QUERYTRUSTDOMINFOBYSID,
1503 lsa_io_q_query_trusted_domain_info_by_sid,
1504 lsa_io_r_query_trusted_domain_info,
1505 NT_STATUS_UNSUCCESSFUL);
1509 if (!NT_STATUS_IS_OK(result)) {
1520 NTSTATUS rpccli_lsa_query_trusted_domain_info_by_name(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1522 uint16 info_class, const char *domain_name,
1523 LSA_TRUSTED_DOMAIN_INFO **info)
1525 prs_struct qbuf, rbuf;
1526 LSA_Q_QUERY_TRUSTED_DOMAIN_INFO_BY_NAME q;
1527 LSA_R_QUERY_TRUSTED_DOMAIN_INFO r;
1528 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1533 /* Marshall data and send request */
1535 init_q_query_trusted_domain_info_by_name(&q, pol, info_class, domain_name);
1537 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_QUERYTRUSTDOMINFOBYNAME,
1540 lsa_io_q_query_trusted_domain_info_by_name,
1541 lsa_io_r_query_trusted_domain_info,
1542 NT_STATUS_UNSUCCESSFUL);
1546 if (!NT_STATUS_IS_OK(result)) {
1557 NTSTATUS cli_lsa_query_domain_info_policy(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
1559 uint16 info_class, LSA_DOM_INFO_UNION **info)
1561 prs_struct qbuf, rbuf;
1562 LSA_Q_QUERY_DOM_INFO_POLICY q;
1563 LSA_R_QUERY_DOM_INFO_POLICY r;
1564 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1569 /* Marshall data and send request */
1571 init_q_query_dom_info(&q, pol, info_class);
1573 CLI_DO_RPC( cli, mem_ctx, PI_LSARPC, LSA_QUERYDOMINFOPOL,
1576 lsa_io_q_query_dom_info,
1577 lsa_io_r_query_dom_info,
1578 NT_STATUS_UNSUCCESSFUL);
1582 if (!NT_STATUS_IS_OK(result)) {