2 Unix SMB/CIFS implementation.
4 Copyright (C) Tim Potter 2000-2001,
5 Copyright (C) Andrew Tridgell 1992-1997,2000,
6 Copyright (C) Luke Kenneth Casson Leighton 1996-1997,2000,
7 Copyright (C) Paul Ashton 1997,2000,
8 Copyright (C) Elrond 2000,
9 Copyright (C) Rafal Szczesniak 2002
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 2 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program; if not, write to the Free Software
23 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
28 /** @defgroup lsa LSA - Local Security Architecture
37 * RPC client routines for the LSA RPC pipe. LSA means "local
38 * security authority", which is half of a password database.
41 /** Open a LSA policy handle
43 * @param cli Handle on an initialised SMB connection */
45 NTSTATUS cli_lsa_open_policy(struct cli_state *cli, TALLOC_CTX *mem_ctx,
46 BOOL sec_qos, uint32 des_access, POLICY_HND *pol)
48 prs_struct qbuf, rbuf;
57 /* Initialise parse structures */
59 prs_init(&qbuf, MAX_PDU_FRAG_LEN, mem_ctx, MARSHALL);
60 prs_init(&rbuf, 0, mem_ctx, UNMARSHALL);
62 /* Initialise input parameters */
65 init_lsa_sec_qos(&qos, 2, 1, 0);
66 init_q_open_pol(&q, '\\', 0, des_access, &qos);
68 init_q_open_pol(&q, '\\', 0, des_access, NULL);
71 /* Marshall data and send request */
73 if (!lsa_io_q_open_pol("", &q, &qbuf, 0) ||
74 !rpc_api_pipe_req(cli, PI_LSARPC, LSA_OPENPOLICY, &qbuf, &rbuf)) {
75 result = NT_STATUS_UNSUCCESSFUL;
79 /* Unmarshall response */
81 if (!lsa_io_r_open_pol("", &r, &rbuf, 0)) {
82 result = NT_STATUS_UNSUCCESSFUL;
86 /* Return output parameters */
88 if (NT_STATUS_IS_OK(result = r.status)) {
91 pol->marker = MALLOC(1);
102 /** Open a LSA policy handle
104 * @param cli Handle on an initialised SMB connection
107 NTSTATUS cli_lsa_open_policy2(struct cli_state *cli, TALLOC_CTX *mem_ctx,
108 BOOL sec_qos, uint32 des_access, POLICY_HND *pol)
110 prs_struct qbuf, rbuf;
119 /* Initialise parse structures */
121 prs_init(&qbuf, MAX_PDU_FRAG_LEN, mem_ctx, MARSHALL);
122 prs_init(&rbuf, 0, mem_ctx, UNMARSHALL);
124 /* Initialise input parameters */
127 init_lsa_sec_qos(&qos, 2, 1, 0);
128 init_q_open_pol2(&q, cli->srv_name_slash, 0, des_access,
131 init_q_open_pol2(&q, cli->srv_name_slash, 0, des_access,
135 /* Marshall data and send request */
137 if (!lsa_io_q_open_pol2("", &q, &qbuf, 0) ||
138 !rpc_api_pipe_req(cli, PI_LSARPC, LSA_OPENPOLICY2, &qbuf, &rbuf)) {
139 result = NT_STATUS_UNSUCCESSFUL;
143 /* Unmarshall response */
145 if (!lsa_io_r_open_pol2("", &r, &rbuf, 0)) {
146 result = NT_STATUS_UNSUCCESSFUL;
150 /* Return output parameters */
152 if (NT_STATUS_IS_OK(result = r.status)) {
155 pol->marker = (char *)malloc(1);
166 /** Close a LSA policy handle */
168 NTSTATUS cli_lsa_close(struct cli_state *cli, TALLOC_CTX *mem_ctx,
171 prs_struct qbuf, rbuf;
179 /* Initialise parse structures */
181 prs_init(&qbuf, MAX_PDU_FRAG_LEN, mem_ctx, MARSHALL);
182 prs_init(&rbuf, 0, mem_ctx, UNMARSHALL);
184 /* Marshall data and send request */
186 init_lsa_q_close(&q, pol);
188 if (!lsa_io_q_close("", &q, &qbuf, 0) ||
189 !rpc_api_pipe_req(cli, PI_LSARPC, LSA_CLOSE, &qbuf, &rbuf)) {
190 result = NT_STATUS_UNSUCCESSFUL;
194 /* Unmarshall response */
196 if (!lsa_io_r_close("", &r, &rbuf, 0)) {
197 result = NT_STATUS_UNSUCCESSFUL;
201 /* Return output parameters */
203 if (NT_STATUS_IS_OK(result = r.status)) {
205 SAFE_FREE(pol->marker);
217 /** Lookup a list of sids */
219 NTSTATUS cli_lsa_lookup_sids(struct cli_state *cli, TALLOC_CTX *mem_ctx,
220 POLICY_HND *pol, int num_sids, const DOM_SID *sids,
221 char ***domains, char ***names, uint32 **types)
223 prs_struct qbuf, rbuf;
227 LSA_TRANS_NAME_ENUM t_names;
234 /* Initialise parse structures */
236 prs_init(&qbuf, MAX_PDU_FRAG_LEN, mem_ctx, MARSHALL);
237 prs_init(&rbuf, 0, mem_ctx, UNMARSHALL);
239 /* Marshall data and send request */
241 init_q_lookup_sids(mem_ctx, &q, pol, num_sids, sids, 1);
243 if (!lsa_io_q_lookup_sids("", &q, &qbuf, 0) ||
244 !rpc_api_pipe_req(cli, PI_LSARPC, LSA_LOOKUPSIDS, &qbuf, &rbuf)) {
245 result = NT_STATUS_UNSUCCESSFUL;
249 /* Unmarshall response */
252 ZERO_STRUCT(t_names);
257 if (!lsa_io_r_lookup_sids("", &r, &rbuf, 0)) {
258 result = NT_STATUS_UNSUCCESSFUL;
264 if (!NT_STATUS_IS_OK(result) &&
265 NT_STATUS_V(result) != NT_STATUS_V(STATUS_SOME_UNMAPPED)) {
267 /* An actual error occured */
272 /* Return output parameters */
274 if (r.mapped_count == 0) {
275 result = NT_STATUS_NONE_MAPPED;
279 if (!((*domains) = TALLOC_ARRAY(mem_ctx, char *, num_sids))) {
280 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
281 result = NT_STATUS_UNSUCCESSFUL;
285 if (!((*names) = TALLOC_ARRAY(mem_ctx, char *, num_sids))) {
286 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
287 result = NT_STATUS_UNSUCCESSFUL;
291 if (!((*types) = TALLOC_ARRAY(mem_ctx, uint32, num_sids))) {
292 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
293 result = NT_STATUS_UNSUCCESSFUL;
297 for (i = 0; i < num_sids; i++) {
298 fstring name, dom_name;
299 uint32 dom_idx = t_names.name[i].domain_idx;
301 /* Translate optimised name through domain index array */
303 if (dom_idx != 0xffffffff) {
305 rpcstr_pull_unistr2_fstring(
306 dom_name, &ref.ref_dom[dom_idx].uni_dom_name);
307 rpcstr_pull_unistr2_fstring(
308 name, &t_names.uni_name[i]);
310 (*names)[i] = talloc_strdup(mem_ctx, name);
311 (*domains)[i] = talloc_strdup(mem_ctx, dom_name);
312 (*types)[i] = t_names.name[i].sid_name_use;
314 if (((*names)[i] == NULL) || ((*domains)[i] == NULL)) {
315 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
316 result = NT_STATUS_UNSUCCESSFUL;
322 (*domains)[i] = NULL;
323 (*types)[i] = SID_NAME_UNKNOWN;
334 /** Lookup a list of names */
336 NTSTATUS cli_lsa_lookup_names(struct cli_state *cli, TALLOC_CTX *mem_ctx,
337 POLICY_HND *pol, int num_names,
338 const char **names, DOM_SID **sids,
341 prs_struct qbuf, rbuf;
342 LSA_Q_LOOKUP_NAMES q;
343 LSA_R_LOOKUP_NAMES r;
351 /* Initialise parse structures */
353 prs_init(&qbuf, MAX_PDU_FRAG_LEN, mem_ctx, MARSHALL);
354 prs_init(&rbuf, 0, mem_ctx, UNMARSHALL);
356 /* Marshall data and send request */
358 init_q_lookup_names(mem_ctx, &q, pol, num_names, names);
360 if (!lsa_io_q_lookup_names("", &q, &qbuf, 0) ||
361 !rpc_api_pipe_req(cli, PI_LSARPC, LSA_LOOKUPNAMES, &qbuf, &rbuf)) {
362 result = NT_STATUS_UNSUCCESSFUL;
366 /* Unmarshall response */
371 if (!lsa_io_r_lookup_names("", &r, &rbuf, 0)) {
372 result = NT_STATUS_UNSUCCESSFUL;
378 if (!NT_STATUS_IS_OK(result) && NT_STATUS_V(result) !=
379 NT_STATUS_V(STATUS_SOME_UNMAPPED)) {
381 /* An actual error occured */
386 /* Return output parameters */
388 if (r.mapped_count == 0) {
389 result = NT_STATUS_NONE_MAPPED;
393 if (!((*sids = TALLOC_ARRAY(mem_ctx, DOM_SID, num_names)))) {
394 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
395 result = NT_STATUS_UNSUCCESSFUL;
399 if (!((*types = TALLOC_ARRAY(mem_ctx, uint32, num_names)))) {
400 DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
401 result = NT_STATUS_UNSUCCESSFUL;
405 for (i = 0; i < num_names; i++) {
406 DOM_RID2 *t_rids = r.dom_rid;
407 uint32 dom_idx = t_rids[i].rid_idx;
408 uint32 dom_rid = t_rids[i].rid;
409 DOM_SID *sid = &(*sids)[i];
411 /* Translate optimised sid through domain index array */
413 if (dom_idx != 0xffffffff) {
415 sid_copy(sid, &ref.ref_dom[dom_idx].ref_dom.sid);
417 if (dom_rid != 0xffffffff) {
418 sid_append_rid(sid, dom_rid);
421 (*types)[i] = t_rids[i].type;
424 (*types)[i] = SID_NAME_UNKNOWN;
435 /** Query info policy
437 * @param domain_sid - returned remote server's domain sid */
439 NTSTATUS cli_lsa_query_info_policy(struct cli_state *cli, TALLOC_CTX *mem_ctx,
440 POLICY_HND *pol, uint16 info_class,
441 char **domain_name, DOM_SID **domain_sid)
443 prs_struct qbuf, rbuf;
451 /* Initialise parse structures */
453 prs_init(&qbuf, MAX_PDU_FRAG_LEN, mem_ctx, MARSHALL);
454 prs_init(&rbuf, 0, mem_ctx, UNMARSHALL);
456 /* Marshall data and send request */
458 init_q_query(&q, pol, info_class);
460 if (!lsa_io_q_query("", &q, &qbuf, 0) ||
461 !rpc_api_pipe_req(cli, PI_LSARPC, LSA_QUERYINFOPOLICY, &qbuf, &rbuf)) {
462 result = NT_STATUS_UNSUCCESSFUL;
466 /* Unmarshall response */
468 if (!lsa_io_r_query("", &r, &rbuf, 0)) {
469 result = NT_STATUS_UNSUCCESSFUL;
473 if (!NT_STATUS_IS_OK(result = r.status)) {
477 /* Return output parameters */
479 switch (info_class) {
482 if (domain_name && (r.dom.id3.buffer_dom_name != 0)) {
483 *domain_name = unistr2_tdup(mem_ctx,
488 if (domain_sid && (r.dom.id3.buffer_dom_sid != 0)) {
489 *domain_sid = TALLOC_P(mem_ctx, DOM_SID);
491 sid_copy(*domain_sid, &r.dom.id3.dom_sid.sid);
499 if (domain_name && (r.dom.id5.buffer_dom_name != 0)) {
500 *domain_name = unistr2_tdup(mem_ctx,
505 if (domain_sid && (r.dom.id5.buffer_dom_sid != 0)) {
506 *domain_sid = TALLOC_P(mem_ctx, DOM_SID);
508 sid_copy(*domain_sid, &r.dom.id5.dom_sid.sid);
514 DEBUG(3, ("unknown info class %d\n", info_class));
525 /** Query info policy2
527 * @param domain_name - returned remote server's domain name
528 * @param dns_name - returned remote server's dns domain name
529 * @param forest_name - returned remote server's forest name
530 * @param domain_guid - returned remote server's domain guid
531 * @param domain_sid - returned remote server's domain sid */
533 NTSTATUS cli_lsa_query_info_policy2(struct cli_state *cli, TALLOC_CTX *mem_ctx,
534 POLICY_HND *pol, uint16 info_class,
535 char **domain_name, char **dns_name,
536 char **forest_name, struct uuid **domain_guid,
537 DOM_SID **domain_sid)
539 prs_struct qbuf, rbuf;
542 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
544 if (info_class != 12)
550 /* Initialise parse structures */
552 prs_init(&qbuf, MAX_PDU_FRAG_LEN, mem_ctx, MARSHALL);
553 prs_init(&rbuf, 0, mem_ctx, UNMARSHALL);
555 /* Marshall data and send request */
557 init_q_query2(&q, pol, info_class);
559 if (!lsa_io_q_query_info2("", &q, &qbuf, 0) ||
560 !rpc_api_pipe_req(cli, PI_LSARPC, LSA_QUERYINFO2, &qbuf, &rbuf)) {
561 result = NT_STATUS_UNSUCCESSFUL;
565 /* Unmarshall response */
567 if (!lsa_io_r_query_info2("", &r, &rbuf, 0)) {
568 result = NT_STATUS_UNSUCCESSFUL;
572 if (!NT_STATUS_IS_OK(result = r.status)) {
576 /* Return output parameters */
578 ZERO_STRUCTP(domain_guid);
580 if (domain_name && r.info.dns_dom_info.hdr_nb_dom_name.buffer) {
581 *domain_name = unistr2_tdup(mem_ctx,
585 if (dns_name && r.info.dns_dom_info.hdr_dns_dom_name.buffer) {
586 *dns_name = unistr2_tdup(mem_ctx,
590 if (forest_name && r.info.dns_dom_info.hdr_forest_name.buffer) {
591 *forest_name = unistr2_tdup(mem_ctx,
597 *domain_guid = TALLOC_P(mem_ctx, struct uuid);
599 &r.info.dns_dom_info.dom_guid,
600 sizeof(struct uuid));
603 if (domain_sid && r.info.dns_dom_info.ptr_dom_sid != 0) {
604 *domain_sid = TALLOC_P(mem_ctx, DOM_SID);
606 sid_copy(*domain_sid,
607 &r.info.dns_dom_info.dom_sid.sid);
619 * Enumerate list of trusted domains
621 * @param cli client state (cli_state) structure of the connection
622 * @param mem_ctx memory context
623 * @param pol opened lsa policy handle
624 * @param enum_ctx enumeration context ie. index of first returned domain entry
625 * @param pref_num_domains preferred max number of entries returned in one response
626 * @param num_domains total number of trusted domains returned by response
627 * @param domain_names returned trusted domain names
628 * @param domain_sids returned trusted domain sids
630 * @return nt status code of response
633 NTSTATUS cli_lsa_enum_trust_dom(struct cli_state *cli, TALLOC_CTX *mem_ctx,
634 POLICY_HND *pol, uint32 *enum_ctx,
636 char ***domain_names, DOM_SID **domain_sids)
638 prs_struct qbuf, rbuf;
639 LSA_Q_ENUM_TRUST_DOM q;
640 LSA_R_ENUM_TRUST_DOM r;
647 /* Initialise parse structures */
649 prs_init(&qbuf, MAX_PDU_FRAG_LEN, mem_ctx, MARSHALL);
650 prs_init(&rbuf, 0, mem_ctx, UNMARSHALL);
652 /* Marshall data and send request */
654 /* 64k is enough for about 2000 trusted domains */
655 init_q_enum_trust_dom(&q, pol, *enum_ctx, 0x10000);
657 if (!lsa_io_q_enum_trust_dom("", &q, &qbuf, 0) ||
658 !rpc_api_pipe_req(cli, PI_LSARPC, LSA_ENUMTRUSTDOM, &qbuf, &rbuf)) {
659 result = NT_STATUS_UNSUCCESSFUL;
663 /* Unmarshall response */
665 if (!lsa_io_r_enum_trust_dom("", &r, &rbuf, 0)) {
666 result = NT_STATUS_UNSUCCESSFUL;
672 if (!NT_STATUS_IS_OK(result) &&
673 !NT_STATUS_EQUAL(result, NT_STATUS_NO_MORE_ENTRIES) &&
674 !NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES)) {
676 /* An actual error ocured */
681 /* Return output parameters */
685 /* Allocate memory for trusted domain names and sids */
687 *domain_names = TALLOC_ARRAY(mem_ctx, char *, r.num_domains);
689 if (!*domain_names) {
690 DEBUG(0, ("cli_lsa_enum_trust_dom(): out of memory\n"));
691 result = NT_STATUS_NO_MEMORY;
695 *domain_sids = TALLOC_ARRAY(mem_ctx, DOM_SID, r.num_domains);
697 DEBUG(0, ("cli_lsa_enum_trust_dom(): out of memory\n"));
698 result = NT_STATUS_NO_MEMORY;
702 /* Copy across names and sids */
704 for (i = 0; i < r.num_domains; i++) {
707 unistr2_to_ascii(tmp, &r.uni_domain_name[i],
709 (*domain_names)[i] = talloc_strdup(mem_ctx, tmp);
710 sid_copy(&(*domain_sids)[i], &r.domain_sid[i].sid);
714 *num_domains = r.num_domains;
715 *enum_ctx = r.enum_context;
725 /** Enumerate privileges*/
727 NTSTATUS cli_lsa_enum_privilege(struct cli_state *cli, TALLOC_CTX *mem_ctx,
728 POLICY_HND *pol, uint32 *enum_context, uint32 pref_max_length,
729 uint32 *count, char ***privs_name, uint32 **privs_high, uint32 **privs_low)
731 prs_struct qbuf, rbuf;
740 /* Initialise parse structures */
742 prs_init(&qbuf, MAX_PDU_FRAG_LEN, mem_ctx, MARSHALL);
743 prs_init(&rbuf, 0, mem_ctx, UNMARSHALL);
745 /* Marshall data and send request */
747 init_q_enum_privs(&q, pol, *enum_context, pref_max_length);
749 if (!lsa_io_q_enum_privs("", &q, &qbuf, 0) ||
750 !rpc_api_pipe_req(cli, PI_LSARPC, LSA_ENUM_PRIVS, &qbuf, &rbuf)) {
751 result = NT_STATUS_UNSUCCESSFUL;
755 /* Unmarshall response */
757 if (!lsa_io_r_enum_privs("", &r, &rbuf, 0)) {
758 result = NT_STATUS_UNSUCCESSFUL;
762 if (!NT_STATUS_IS_OK(result = r.status)) {
766 /* Return output parameters */
768 *enum_context = r.enum_context;
771 if (!((*privs_name = TALLOC_ARRAY(mem_ctx, char *, r.count)))) {
772 DEBUG(0, ("(cli_lsa_enum_privilege): out of memory\n"));
773 result = NT_STATUS_UNSUCCESSFUL;
777 if (!((*privs_high = TALLOC_ARRAY(mem_ctx, uint32, r.count)))) {
778 DEBUG(0, ("(cli_lsa_enum_privilege): out of memory\n"));
779 result = NT_STATUS_UNSUCCESSFUL;
783 if (!((*privs_low = TALLOC_ARRAY(mem_ctx, uint32, r.count)))) {
784 DEBUG(0, ("(cli_lsa_enum_privilege): out of memory\n"));
785 result = NT_STATUS_UNSUCCESSFUL;
789 for (i = 0; i < r.count; i++) {
792 rpcstr_pull_unistr2_fstring( name, &r.privs[i].name);
794 (*privs_name)[i] = talloc_strdup(mem_ctx, name);
796 (*privs_high)[i] = r.privs[i].luid_high;
797 (*privs_low)[i] = r.privs[i].luid_low;
807 /** Get privilege name */
809 NTSTATUS cli_lsa_get_dispname(struct cli_state *cli, TALLOC_CTX *mem_ctx,
810 POLICY_HND *pol, const char *name,
811 uint16 lang_id, uint16 lang_id_sys,
812 fstring description, uint16 *lang_id_desc)
814 prs_struct qbuf, rbuf;
815 LSA_Q_PRIV_GET_DISPNAME q;
816 LSA_R_PRIV_GET_DISPNAME r;
822 /* Initialise parse structures */
824 prs_init(&qbuf, MAX_PDU_FRAG_LEN, mem_ctx, MARSHALL);
825 prs_init(&rbuf, 0, mem_ctx, UNMARSHALL);
827 /* Marshall data and send request */
829 init_lsa_priv_get_dispname(&q, pol, name, lang_id, lang_id_sys);
831 if (!lsa_io_q_priv_get_dispname("", &q, &qbuf, 0) ||
832 !rpc_api_pipe_req(cli, PI_LSARPC, LSA_PRIV_GET_DISPNAME, &qbuf, &rbuf)) {
833 result = NT_STATUS_UNSUCCESSFUL;
837 /* Unmarshall response */
839 if (!lsa_io_r_priv_get_dispname("", &r, &rbuf, 0)) {
840 result = NT_STATUS_UNSUCCESSFUL;
844 if (!NT_STATUS_IS_OK(result = r.status)) {
848 /* Return output parameters */
850 rpcstr_pull_unistr2_fstring(description , &r.desc);
851 *lang_id_desc = r.lang_id;
860 /** Enumerate list of SIDs */
862 NTSTATUS cli_lsa_enum_sids(struct cli_state *cli, TALLOC_CTX *mem_ctx,
863 POLICY_HND *pol, uint32 *enum_ctx, uint32 pref_max_length,
864 uint32 *num_sids, DOM_SID **sids)
866 prs_struct qbuf, rbuf;
867 LSA_Q_ENUM_ACCOUNTS q;
868 LSA_R_ENUM_ACCOUNTS r;
875 /* Initialise parse structures */
877 prs_init(&qbuf, MAX_PDU_FRAG_LEN, mem_ctx, MARSHALL);
878 prs_init(&rbuf, 0, mem_ctx, UNMARSHALL);
880 /* Marshall data and send request */
882 init_lsa_q_enum_accounts(&q, pol, *enum_ctx, pref_max_length);
884 if (!lsa_io_q_enum_accounts("", &q, &qbuf, 0) ||
885 !rpc_api_pipe_req(cli, PI_LSARPC, LSA_ENUM_ACCOUNTS, &qbuf, &rbuf)) {
886 result = NT_STATUS_UNSUCCESSFUL;
890 /* Unmarshall response */
892 if (!lsa_io_r_enum_accounts("", &r, &rbuf, 0)) {
893 result = NT_STATUS_UNSUCCESSFUL;
899 if (!NT_STATUS_IS_OK(result = r.status)) {
903 if (r.sids.num_entries==0)
906 /* Return output parameters */
908 *sids = TALLOC_ARRAY(mem_ctx, DOM_SID, r.sids.num_entries);
910 DEBUG(0, ("(cli_lsa_enum_sids): out of memory\n"));
911 result = NT_STATUS_UNSUCCESSFUL;
915 /* Copy across names and sids */
917 for (i = 0; i < r.sids.num_entries; i++) {
918 sid_copy(&(*sids)[i], &r.sids.sid[i].sid);
921 *num_sids= r.sids.num_entries;
922 *enum_ctx = r.enum_context;
931 /** Create a LSA user handle
933 * @param cli Handle on an initialised SMB connection
935 * FIXME: The code is actually identical to open account
936 * TODO: Check and code what the function should exactly do
940 NTSTATUS cli_lsa_create_account(struct cli_state *cli, TALLOC_CTX *mem_ctx,
941 POLICY_HND *dom_pol, DOM_SID *sid, uint32 desired_access,
942 POLICY_HND *user_pol)
944 prs_struct qbuf, rbuf;
945 LSA_Q_CREATEACCOUNT q;
946 LSA_R_CREATEACCOUNT r;
952 /* Initialise parse structures */
954 prs_init(&qbuf, MAX_PDU_FRAG_LEN, mem_ctx, MARSHALL);
955 prs_init(&rbuf, 0, mem_ctx, UNMARSHALL);
957 /* Initialise input parameters */
959 init_lsa_q_create_account(&q, dom_pol, sid, desired_access);
961 /* Marshall data and send request */
963 if (!lsa_io_q_create_account("", &q, &qbuf, 0) ||
964 !rpc_api_pipe_req(cli, PI_LSARPC, LSA_CREATEACCOUNT, &qbuf, &rbuf)) {
965 result = NT_STATUS_UNSUCCESSFUL;
969 /* Unmarshall response */
971 if (!lsa_io_r_create_account("", &r, &rbuf, 0)) {
972 result = NT_STATUS_UNSUCCESSFUL;
976 /* Return output parameters */
978 if (NT_STATUS_IS_OK(result = r.status)) {
989 /** Open a LSA user handle
991 * @param cli Handle on an initialised SMB connection */
993 NTSTATUS cli_lsa_open_account(struct cli_state *cli, TALLOC_CTX *mem_ctx,
994 POLICY_HND *dom_pol, DOM_SID *sid, uint32 des_access,
995 POLICY_HND *user_pol)
997 prs_struct qbuf, rbuf;
1005 /* Initialise parse structures */
1007 prs_init(&qbuf, MAX_PDU_FRAG_LEN, mem_ctx, MARSHALL);
1008 prs_init(&rbuf, 0, mem_ctx, UNMARSHALL);
1010 /* Initialise input parameters */
1012 init_lsa_q_open_account(&q, dom_pol, sid, des_access);
1014 /* Marshall data and send request */
1016 if (!lsa_io_q_open_account("", &q, &qbuf, 0) ||
1017 !rpc_api_pipe_req(cli, PI_LSARPC, LSA_OPENACCOUNT, &qbuf, &rbuf)) {
1018 result = NT_STATUS_UNSUCCESSFUL;
1022 /* Unmarshall response */
1024 if (!lsa_io_r_open_account("", &r, &rbuf, 0)) {
1025 result = NT_STATUS_UNSUCCESSFUL;
1029 /* Return output parameters */
1031 if (NT_STATUS_IS_OK(result = r.status)) {
1036 prs_mem_free(&qbuf);
1037 prs_mem_free(&rbuf);
1042 /** Enumerate user privileges
1044 * @param cli Handle on an initialised SMB connection */
1046 NTSTATUS cli_lsa_enum_privsaccount(struct cli_state *cli, TALLOC_CTX *mem_ctx,
1047 POLICY_HND *pol, uint32 *count, LUID_ATTR **set)
1049 prs_struct qbuf, rbuf;
1050 LSA_Q_ENUMPRIVSACCOUNT q;
1051 LSA_R_ENUMPRIVSACCOUNT r;
1058 /* Initialise parse structures */
1060 prs_init(&qbuf, MAX_PDU_FRAG_LEN, mem_ctx, MARSHALL);
1061 prs_init(&rbuf, 0, mem_ctx, UNMARSHALL);
1063 /* Initialise input parameters */
1065 init_lsa_q_enum_privsaccount(&q, pol);
1067 /* Marshall data and send request */
1069 if (!lsa_io_q_enum_privsaccount("", &q, &qbuf, 0) ||
1070 !rpc_api_pipe_req(cli, PI_LSARPC, LSA_ENUMPRIVSACCOUNT, &qbuf, &rbuf)) {
1071 result = NT_STATUS_UNSUCCESSFUL;
1075 /* Unmarshall response */
1077 if (!lsa_io_r_enum_privsaccount("", &r, &rbuf, 0)) {
1078 result = NT_STATUS_UNSUCCESSFUL;
1082 /* Return output parameters */
1084 if (!NT_STATUS_IS_OK(result = r.status)) {
1091 if (!((*set = TALLOC_ARRAY(mem_ctx, LUID_ATTR, r.count)))) {
1092 DEBUG(0, ("(cli_lsa_enum_privsaccount): out of memory\n"));
1093 result = NT_STATUS_UNSUCCESSFUL;
1097 for (i=0; i<r.count; i++) {
1098 (*set)[i].luid.low = r.set.set[i].luid.low;
1099 (*set)[i].luid.high = r.set.set[i].luid.high;
1100 (*set)[i].attr = r.set.set[i].attr;
1105 prs_mem_free(&qbuf);
1106 prs_mem_free(&rbuf);
1111 /** Get a privilege value given its name */
1113 NTSTATUS cli_lsa_lookupprivvalue(struct cli_state *cli, TALLOC_CTX *mem_ctx,
1114 POLICY_HND *pol, const char *name, LUID *luid)
1116 prs_struct qbuf, rbuf;
1117 LSA_Q_LOOKUPPRIVVALUE q;
1118 LSA_R_LOOKUPPRIVVALUE r;
1124 /* Initialise parse structures */
1126 prs_init(&qbuf, MAX_PDU_FRAG_LEN, mem_ctx, MARSHALL);
1127 prs_init(&rbuf, 0, mem_ctx, UNMARSHALL);
1129 /* Marshall data and send request */
1131 init_lsa_q_lookupprivvalue(&q, pol, name);
1133 if (!lsa_io_q_lookupprivvalue("", &q, &qbuf, 0) ||
1134 !rpc_api_pipe_req(cli, PI_LSARPC, LSA_LOOKUPPRIVVALUE, &qbuf, &rbuf)) {
1135 result = NT_STATUS_UNSUCCESSFUL;
1139 /* Unmarshall response */
1141 if (!lsa_io_r_lookupprivvalue("", &r, &rbuf, 0)) {
1142 result = NT_STATUS_UNSUCCESSFUL;
1146 if (!NT_STATUS_IS_OK(result = r.status)) {
1150 /* Return output parameters */
1152 (*luid).low=r.luid.low;
1153 (*luid).high=r.luid.high;
1156 prs_mem_free(&qbuf);
1157 prs_mem_free(&rbuf);
1162 /** Query LSA security object */
1164 NTSTATUS cli_lsa_query_secobj(struct cli_state *cli, TALLOC_CTX *mem_ctx,
1165 POLICY_HND *pol, uint32 sec_info,
1166 SEC_DESC_BUF **psdb)
1168 prs_struct qbuf, rbuf;
1169 LSA_Q_QUERY_SEC_OBJ q;
1170 LSA_R_QUERY_SEC_OBJ r;
1176 /* Initialise parse structures */
1178 prs_init(&qbuf, MAX_PDU_FRAG_LEN, mem_ctx, MARSHALL);
1179 prs_init(&rbuf, 0, mem_ctx, UNMARSHALL);
1181 /* Marshall data and send request */
1183 init_q_query_sec_obj(&q, pol, sec_info);
1185 if (!lsa_io_q_query_sec_obj("", &q, &qbuf, 0) ||
1186 !rpc_api_pipe_req(cli, PI_LSARPC, LSA_QUERYSECOBJ, &qbuf, &rbuf)) {
1187 result = NT_STATUS_UNSUCCESSFUL;
1191 /* Unmarshall response */
1193 if (!lsa_io_r_query_sec_obj("", &r, &rbuf, 0)) {
1194 result = NT_STATUS_UNSUCCESSFUL;
1198 if (!NT_STATUS_IS_OK(result = r.status)) {
1202 /* Return output parameters */
1208 prs_mem_free(&qbuf);
1209 prs_mem_free(&rbuf);
1215 /* Enumerate account rights This is similar to enum_privileges but
1216 takes a SID directly, avoiding the open_account call.
1219 NTSTATUS cli_lsa_enum_account_rights(struct cli_state *cli, TALLOC_CTX *mem_ctx,
1220 POLICY_HND *pol, DOM_SID *sid,
1221 uint32 *count, char ***priv_names)
1223 prs_struct qbuf, rbuf;
1224 LSA_Q_ENUM_ACCT_RIGHTS q;
1225 LSA_R_ENUM_ACCT_RIGHTS r;
1228 fstring *privileges;
1234 /* Initialise parse structures */
1236 prs_init(&qbuf, MAX_PDU_FRAG_LEN, mem_ctx, MARSHALL);
1237 prs_init(&rbuf, 0, mem_ctx, UNMARSHALL);
1239 /* Marshall data and send request */
1240 init_q_enum_acct_rights(&q, pol, 2, sid);
1242 if (!lsa_io_q_enum_acct_rights("", &q, &qbuf, 0) ||
1243 !rpc_api_pipe_req(cli, PI_LSARPC, LSA_ENUMACCTRIGHTS, &qbuf, &rbuf)) {
1244 result = NT_STATUS_UNSUCCESSFUL;
1248 if (!lsa_io_r_enum_acct_rights("", &r, &rbuf, 0)) {
1249 result = NT_STATUS_UNSUCCESSFUL;
1253 if (!NT_STATUS_IS_OK(result = r.status)) {
1263 privileges = TALLOC_ARRAY(mem_ctx, fstring, *count);
1264 names = TALLOC_ARRAY(mem_ctx, char *, *count);
1265 for ( i=0; i<*count; i++ ) {
1266 /* ensure NULL termination ... what a hack */
1267 pull_ucs2(NULL, privileges[i], r.rights.strings[i].string.buffer,
1268 sizeof(fstring), r.rights.strings[i].string.uni_str_len*2 , 0);
1270 /* now copy to the return array */
1271 names[i] = talloc_strdup( mem_ctx, privileges[i] );
1274 *priv_names = names;
1283 /* add account rights to an account. */
1285 NTSTATUS cli_lsa_add_account_rights(struct cli_state *cli, TALLOC_CTX *mem_ctx,
1286 POLICY_HND *pol, DOM_SID sid,
1287 uint32 count, const char **privs_name)
1289 prs_struct qbuf, rbuf;
1290 LSA_Q_ADD_ACCT_RIGHTS q;
1291 LSA_R_ADD_ACCT_RIGHTS r;
1296 /* Initialise parse structures */
1297 prs_init(&qbuf, MAX_PDU_FRAG_LEN, mem_ctx, MARSHALL);
1298 prs_init(&rbuf, 0, mem_ctx, UNMARSHALL);
1300 /* Marshall data and send request */
1301 init_q_add_acct_rights(&q, pol, &sid, count, privs_name);
1303 if (!lsa_io_q_add_acct_rights("", &q, &qbuf, 0) ||
1304 !rpc_api_pipe_req(cli, PI_LSARPC, LSA_ADDACCTRIGHTS, &qbuf, &rbuf)) {
1305 result = NT_STATUS_UNSUCCESSFUL;
1309 /* Unmarshall response */
1311 if (!lsa_io_r_add_acct_rights("", &r, &rbuf, 0)) {
1312 result = NT_STATUS_UNSUCCESSFUL;
1316 if (!NT_STATUS_IS_OK(result = r.status)) {
1325 /* remove account rights for an account. */
1327 NTSTATUS cli_lsa_remove_account_rights(struct cli_state *cli, TALLOC_CTX *mem_ctx,
1328 POLICY_HND *pol, DOM_SID sid, BOOL removeall,
1329 uint32 count, const char **privs_name)
1331 prs_struct qbuf, rbuf;
1332 LSA_Q_REMOVE_ACCT_RIGHTS q;
1333 LSA_R_REMOVE_ACCT_RIGHTS r;
1338 /* Initialise parse structures */
1339 prs_init(&qbuf, MAX_PDU_FRAG_LEN, mem_ctx, MARSHALL);
1340 prs_init(&rbuf, 0, mem_ctx, UNMARSHALL);
1342 /* Marshall data and send request */
1343 init_q_remove_acct_rights(&q, pol, &sid, removeall?1:0, count, privs_name);
1345 if (!lsa_io_q_remove_acct_rights("", &q, &qbuf, 0) ||
1346 !rpc_api_pipe_req(cli, PI_LSARPC, LSA_REMOVEACCTRIGHTS, &qbuf, &rbuf)) {
1347 result = NT_STATUS_UNSUCCESSFUL;
1351 /* Unmarshall response */
1353 if (!lsa_io_r_remove_acct_rights("", &r, &rbuf, 0)) {
1354 result = NT_STATUS_UNSUCCESSFUL;
1358 if (!NT_STATUS_IS_OK(result = r.status)) {
1369 /** An example of how to use the routines in this file. Fetch a DOMAIN
1370 sid. Does complete cli setup / teardown anonymously. */
1372 BOOL fetch_domain_sid( char *domain, char *remote_machine, DOM_SID *psid)
1374 extern pstring global_myname;
1375 struct cli_state cli;
1381 if(cli_initialise(&cli) == False) {
1382 DEBUG(0,("fetch_domain_sid: unable to initialize client connection.\n"));
1386 if(!resolve_name( remote_machine, &cli.dest_ip, 0x20)) {
1387 DEBUG(0,("fetch_domain_sid: Can't resolve address for %s\n", remote_machine));
1391 if (!cli_connect(&cli, remote_machine, &cli.dest_ip)) {
1392 DEBUG(0,("fetch_domain_sid: unable to connect to SMB server on \
1393 machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
1397 if (!attempt_netbios_session_request(&cli, global_myname, remote_machine, &cli.dest_ip)) {
1398 DEBUG(0,("fetch_domain_sid: machine %s rejected the NetBIOS session request.\n",
1403 cli.protocol = PROTOCOL_NT1;
1405 if (!cli_negprot(&cli)) {
1406 DEBUG(0,("fetch_domain_sid: machine %s rejected the negotiate protocol. \
1407 Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
1411 if (cli.protocol != PROTOCOL_NT1) {
1412 DEBUG(0,("fetch_domain_sid: machine %s didn't negotiate NT protocol.\n",
1418 * Do an anonymous session setup.
1421 if (!cli_session_setup(&cli, "", "", 0, "", 0, "")) {
1422 DEBUG(0,("fetch_domain_sid: machine %s rejected the session setup. \
1423 Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
1427 if (!(cli.sec_mode & NEGOTIATE_SECURITY_USER_LEVEL)) {
1428 DEBUG(0,("fetch_domain_sid: machine %s isn't in user level security mode\n",
1433 if (!cli_send_tconX(&cli, "IPC$", "IPC", "", 1)) {
1434 DEBUG(0,("fetch_domain_sid: machine %s rejected the tconX on the IPC$ share. \
1435 Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
1439 /* Fetch domain sid */
1441 if (!cli_nt_session_open(&cli, PI_LSARPC)) {
1442 DEBUG(0, ("fetch_domain_sid: Error connecting to SAM pipe\n"));
1446 result = cli_lsa_open_policy(&cli, cli.mem_ctx, True, SEC_RIGHTS_QUERY_VALUE, &lsa_pol);
1447 if (!NT_STATUS_IS_OK(result)) {
1448 DEBUG(0, ("fetch_domain_sid: Error opening lsa policy handle. %s\n",
1449 nt_errstr(result) ));
1453 result = cli_lsa_query_info_policy(&cli, cli.mem_ctx, &lsa_pol, 5, domain, psid);
1454 if (!NT_STATUS_IS_OK(result)) {
1455 DEBUG(0, ("fetch_domain_sid: Error querying lsa policy handle. %s\n",
1456 nt_errstr(result) ));
git.samba.org / samba.git / blob