/*
   Samba Unix/Linux SMB client library
   Distributed SMB/CIFS Server Management Utility
   Copyright (C) Gerald (Jerry) Carter                   2004
   Copyright (C) Guenther Deschner                       2008

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/
# include "includes.h"
# include "utils/net.h"
# include "rpc_client/rpc_client.h"
# include "../librpc/gen_ndr/ndr_lsa_c.h"
# include "rpc_client/cli_lsarpc.h"
# include "rpc_client/init_lsa.h"
# include "../libcli/security/security.h"
/********************************************************************
********************************************************************/
/*
 * Resolve one SID to a printable account name through LSA LookupSids on
 * pipe_hnd.  On success the caller's fstring 'name' receives either
 * "DOMAIN\name" or, when the returned domain part is empty, just the bare
 * name.  On failure 'name' is left untouched and the NTSTATUS of the
 * failing step is returned.
 *
 * The LSA policy handle opened here is always closed before returning; the
 * status of that Close is deliberately ignored so the lookup result is
 * what the caller sees.
 */
static NTSTATUS sid_to_name(struct rpc_pipe_client *pipe_hnd,
			    TALLOC_CTX *mem_ctx,
			    struct dom_sid *sid,
			    fstring name)
{
	struct dcerpc_binding_handle *b = pipe_hnd->binding_handle;
	struct policy_handle pol;
	char **domains = NULL;
	char **names = NULL;
	enum lsa_SidType *sid_types = NULL;
	NTSTATUS status;
	NTSTATUS close_result;

	status = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true,
					SEC_FLAG_MAXIMUM_ALLOWED, &pol);
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	status = rpccli_lsa_lookup_sids(pipe_hnd, mem_ctx, &pol, 1, sid,
					&domains, &names, &sid_types);
	if (NT_STATUS_IS_OK(status)) {
		const char *domain = domains[0];
		const char *account = names[0];

		/* No domain component returned: print the bare name. */
		if (domain[0] != '\0') {
			fstr_sprintf(name, "%s\\%s", domain, account);
		} else {
			fstrcpy(name, account);
		}
	}

	/* Close status intentionally not propagated. */
	dcerpc_lsa_Close(b, mem_ctx, &pol, &close_result);

	return status;
}
/********************************************************************
********************************************************************/
/*
 * Turn a user-supplied account string into a SID.  A string that starts
 * with "S-" and parses with string_to_sid() is used as-is without any
 * network round trip; anything else goes through LSA LookupNames on
 * pipe_hnd and the first returned SID is copied into *sid.
 *
 * Returns NT_STATUS_OK when *sid has been filled in; otherwise the status
 * of the failing step, in which case *sid may have been partially written
 * by string_to_sid() and must not be relied upon.  The LSA policy handle
 * is closed before returning and the Close status is not propagated.
 */
static NTSTATUS name_to_sid(struct rpc_pipe_client *pipe_hnd,
			    TALLOC_CTX *mem_ctx,
			    struct dom_sid *sid, const char *name)
{
	struct dcerpc_binding_handle *b = pipe_hnd->binding_handle;
	struct policy_handle pol;
	struct dom_sid *resolved = NULL;
	enum lsa_SidType *sid_types = NULL;
	NTSTATUS status;
	NTSTATUS close_result;
	bool has_sid_prefix = (strncmp(name, "S-", 2) == 0);

	/* A textual SID is taken literally. */
	if (has_sid_prefix && string_to_sid(sid, name)) {
		return NT_STATUS_OK;
	}

	status = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true,
					SEC_FLAG_MAXIMUM_ALLOWED, &pol);
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	status = rpccli_lsa_lookup_names(pipe_hnd, mem_ctx, &pol, 1, &name,
					 NULL, 1, &resolved, &sid_types);
	if (NT_STATUS_IS_OK(status)) {
		sid_copy(sid, &resolved[0]);
	}

	dcerpc_lsa_Close(b, mem_ctx, &pol, &close_result);

	return status;
}
/********************************************************************
********************************************************************/
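/*
 * List every privilege the LSA server behind 'pol' reports, one per line,
 * each followed by its display name.  Output goes through d_printf().
 *
 * Only a single EnumPrivs page (pref_max_length bytes) is requested and
 * enum_context is never resumed, so a server holding more privileges than
 * fit in one page would have the remainder omitted without notice.
 *
 * Returns the transport status if EnumPrivs could not be issued, the
 * server's result if it rejected the call, and NT_STATUS_OK once the
 * listing has been printed -- even when individual display-name lookups
 * failed (those rows show "??????" in place of the description).
 */
static NTSTATUS enum_privileges(struct rpc_pipe_client *pipe_hnd,
				TALLOC_CTX *ctx,
				struct policy_handle *pol)
{
	NTSTATUS status, result;
	uint32 enum_context = 0;
	uint32 pref_max_length = 0x1000;
	uint32 i;
	uint16 lang_id = 0;
	uint16 lang_id_sys = 0;
	uint16 lang_id_desc;
	struct lsa_StringLarge *description = NULL;
	struct lsa_PrivArray priv_array;
	struct dcerpc_binding_handle *b = pipe_hnd->binding_handle;

	status = dcerpc_lsa_EnumPrivs(b, ctx,
				      pol,
				      &enum_context,
				      &priv_array,
				      pref_max_length,
				      &result);
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}
	if (!NT_STATUS_IS_OK(result)) {
		return result;
	}

	/* Print results */

	for (i = 0; i < priv_array.count; i++) {
		struct lsa_String lsa_name;
		const char *privname = priv_array.privs[i].name.string;

		d_printf("%30s  ", privname ? privname : "*unknown*");

		/* try to get the description */

		init_lsa_String(&lsa_name, privname);

		/* Reset per iteration so a stale pointer from the previous
		 * row can never be printed for this one. */
		description = NULL;
		status = dcerpc_lsa_LookupPrivDisplayName(b, ctx,
							  pol,
							  &lsa_name,
							  lang_id,
							  lang_id_sys,
							  &description,
							  &lang_id_desc,
							  &result);
		if (!NT_STATUS_IS_OK(status)) {
			d_printf("??????\n");
			continue;
		}
		if (!NT_STATUS_IS_OK(result)) {
			d_printf("??????\n");
			continue;
		}

		/*
		 * 'description' is an out-pointer the server fills in; nothing
		 * here guarantees it (or the string inside it) is non-NULL on a
		 * successful result, so a response from a misbehaving server
		 * must not be dereferenced blindly.  Show it like a failed
		 * lookup instead.
		 */
		if (description == NULL || description->string == NULL) {
			d_printf("??????\n");
			continue;
		}

		d_printf("%s\n", description->string);
	}

	return NT_STATUS_OK;
}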
/********************************************************************
********************************************************************/
/*
 * Report whether the account 'sid' holds the right named 'right'; names
 * are compared case-insensitively with strcasecmp_m().
 *
 * Returns NT_STATUS_OK when a matching name is present in the account's
 * right set, NT_STATUS_OBJECT_NAME_NOT_FOUND when it is not (an empty set
 * included), or the transport/server error from EnumAccountRights.
 */
static NTSTATUS check_privilege_for_user(struct rpc_pipe_client *pipe_hnd,
					TALLOC_CTX *ctx,
					struct policy_handle *pol,
					struct dom_sid *sid,
					const char *right)
{
	struct dcerpc_binding_handle *b = pipe_hnd->binding_handle;
	struct lsa_RightSet rights;
	NTSTATUS status;
	NTSTATUS result;
	uint32 idx;
	bool found = false;

	status = dcerpc_lsa_EnumAccountRights(b, ctx, pol, sid,
					      &rights, &result);
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}
	if (!NT_STATUS_IS_OK(result)) {
		return result;
	}

	/* An empty set simply never sets 'found'. */
	for (idx = 0; idx < rights.count && !found; idx++) {
		found = (strcasecmp_m(rights.names[idx].string, right) == 0);
	}

	return found ? NT_STATUS_OK : NT_STATUS_OBJECT_NAME_NOT_FOUND;
}
/********************************************************************
********************************************************************/
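/*
 * Print, one per line, the rights held by the account 'sid' according to
 * the LSA server behind 'pol'.  Prints "No privileges assigned" when the
 * returned set is empty.
 *
 * Returns the transport status if EnumAccountRights could not be issued,
 * the server's result if it rejected the call, else NT_STATUS_OK.
 */
static NTSTATUS enum_privileges_for_user(struct rpc_pipe_client *pipe_hnd,
					TALLOC_CTX *ctx,
					struct policy_handle *pol,
					struct dom_sid *sid)
{
	NTSTATUS status, result;
	struct lsa_RightSet rights;
	uint32 i;
	struct dcerpc_binding_handle *b = pipe_hnd->binding_handle;

	status = dcerpc_lsa_EnumAccountRights(b, ctx,
					      pol,
					      sid,
					      &rights,
					      &result);
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}
	if (!NT_STATUS_IS_OK(result)) {
		return result;
	}

	if (rights.count == 0) {
		d_printf(_("No privileges assigned\n"));
	}

	for (i = 0; i < rights.count; i++) {
		const char *rightname = rights.names[i].string;

		/*
		 * Every other line this file emits goes through d_printf();
		 * a bare printf() here bypassed whatever d_printf() layers on
		 * top of stdout, so use the same path.  A name the server left
		 * unset is shown as "*unknown*" (as enum_privileges does)
		 * rather than being handed to "%s" as a NULL pointer.
		 */
		d_printf("%s\n", rightname ? rightname : "*unknown*");
	}

	return NT_STATUS_OK;
}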
/********************************************************************
********************************************************************/
/*
 * Print the privilege name followed by every account (from a single LSA
 * EnumAccounts page of pref_max_length bytes) that holds it.  Each account
 * is shown as DOMAIN\name when sid_to_name() succeeds, otherwise as the
 * textual SID.
 *
 * Returns the transport status or server result when EnumAccounts fails,
 * any error other than NT_STATUS_OBJECT_NAME_NOT_FOUND from the per-account
 * check, and NT_STATUS_OK once the listing has been printed.
 */
static NTSTATUS enum_accounts_for_privilege(struct rpc_pipe_client *pipe_hnd,
						TALLOC_CTX *ctx,
						struct policy_handle *pol,
						const char *privilege)
{
	struct dcerpc_binding_handle *b = pipe_hnd->binding_handle;
	struct lsa_SidArray sid_array;
	uint32 enum_context = 0;
	uint32 pref_max_length = 0x1000;
	uint32 idx;
	NTSTATUS status;
	NTSTATUS result;

	status = dcerpc_lsa_EnumAccounts(b, ctx, pol, &enum_context,
					 &sid_array, pref_max_length,
					 &result);
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}
	if (!NT_STATUS_IS_OK(result)) {
		return result;
	}

	d_printf("%s:\n", privilege);

	for (idx = 0; idx < sid_array.num_sids; idx++) {
		struct dom_sid *account = sid_array.sids[idx].sid;
		fstring name;

		status = check_privilege_for_user(pipe_hnd, ctx, pol,
						  account, privilege);
		if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
			/* this account does not hold the privilege */
			continue;
		}
		if (!NT_STATUS_IS_OK(status)) {
			return status;
		}

		/* Prefer DOMAIN\name; fall back to the raw SID. */
		if (!NT_STATUS_IS_OK(sid_to_name(pipe_hnd, ctx, account, name))) {
			sid_to_fstring(name, account);
		}

		d_printf("  %s\n", name);
	}

	return NT_STATUS_OK;
}
/********************************************************************
********************************************************************/
/*
 * For every account in a single LSA EnumAccounts page (pref_max_length
 * bytes), print its name -- DOMAIN\name when sid_to_name() succeeds, else
 * the textual SID -- then its rights via enum_privileges_for_user(), then
 * a blank line.
 *
 * Returns the transport status or server result when EnumAccounts fails,
 * the first error from enum_privileges_for_user(), else NT_STATUS_OK.
 */
static NTSTATUS enum_privileges_for_accounts(struct rpc_pipe_client *pipe_hnd,
						TALLOC_CTX *ctx,
						struct policy_handle *pol)
{
	struct dcerpc_binding_handle *b = pipe_hnd->binding_handle;
	struct lsa_SidArray sid_array;
	uint32 enum_context = 0;
	uint32 pref_max_length = 0x1000;
	uint32 idx;
	NTSTATUS status;
	NTSTATUS result;

	status = dcerpc_lsa_EnumAccounts(b, ctx, pol, &enum_context,
					 &sid_array, pref_max_length,
					 &result);
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}
	if (!NT_STATUS_IS_OK(result)) {
		return result;
	}

	for (idx = 0; idx < sid_array.num_sids; idx++) {
		struct dom_sid *account = sid_array.sids[idx].sid;
		fstring name;

		/* Prefer DOMAIN\name; fall back to the raw SID. */
		if (!NT_STATUS_IS_OK(sid_to_name(pipe_hnd, ctx, account, name))) {
			sid_to_fstring(name, account);
		}
		d_printf("%s\n", name);

		status = enum_privileges_for_user(pipe_hnd, ctx, pol, account);
		if (!NT_STATUS_IS_OK(status)) {
			return status;
		}

		d_printf("\n");
	}

	return NT_STATUS_OK;
}
/********************************************************************
********************************************************************/
/*
 * Worker for "net rpc rights list", run over an already-connected lsarpc
 * pipe by run_rpc_command() (and by the rpc shell via rpc_sh_rights_list).
 *
 * Argument forms handled, in the order they are tested:
 *   (none)                  list all privileges (enum_privileges)
 *   privileges              same as above
 *   privileges <priv>...    for each privilege, list the accounts holding
 *                           it (enum_accounts_for_privilege)
 *   accounts                every account with its rights
 *                           (enum_privileges_for_accounts)
 *   accounts <name|SID>...  the rights of each named account
 *   <name|SID>              backwards-compatible form of the previous one
 * Any other form with more than one argument prints a usage line and
 * returns NT_STATUS_OK.
 *
 * c, domain_sid, domain_name and cli are part of the run_rpc_command
 * callback signature and are not used here.
 *
 * The LSA policy handle opened at the top is closed at 'done' on every
 * path; the status of that Close is not propagated.  For the
 * "privileges <priv>..." form the value returned is whatever status the
 * last privilege processed left behind, even though per-privilege errors
 * have already been printed to stderr.
 */
static NTSTATUS rpc_rights_list_internal(struct net_context *c,
					const struct dom_sid *domain_sid,
					const char *domain_name,
					struct cli_state *cli,
					struct rpc_pipe_client *pipe_hnd,
					TALLOC_CTX *mem_ctx,
					int argc,
					const char **argv)
{
	struct policy_handle pol;
	NTSTATUS status, result;
	struct dom_sid sid;
	fstring privname;
	struct lsa_String lsa_name;
	struct lsa_StringLarge *description = NULL;
	uint16 lang_id = 0;
	uint16 lang_id_sys = 0;
	uint16 lang_id_desc;
	struct dcerpc_binding_handle *b = pipe_hnd->binding_handle;

	status = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true,
					SEC_FLAG_MAXIMUM_ALLOWED, &pol);

	if (!NT_STATUS_IS_OK(status))
		return status;

	/* backwards compatibility; just list available privileges if no argument */

	if (argc == 0) {
		status = enum_privileges(pipe_hnd, mem_ctx, &pol);
		goto done;
	}

	if (strequal(argv[0], "privileges")) {
		int i = 1;

		if (argv[1] == NULL) {
			status = enum_privileges(pipe_hnd, mem_ctx, &pol);
			goto done;
		}

		/* argv is walked to its NULL terminator, not to argc */
		while (argv[i] != NULL) {
			fstrcpy(privname, argv[i]);
			init_lsa_String(&lsa_name, argv[i]);
			i++;

			/* verify that this is a valid privilege for error reporting */
			status = dcerpc_lsa_LookupPrivDisplayName(b, mem_ctx,
								  &pol,
								  &lsa_name,
								  lang_id,
								  lang_id_sys,
								  &description,
								  &lang_id_desc,
								  &result);
			/* NOTE(review): a transport-level failure of the lookup
			 * is not reported to the user here; only 'status'
			 * carries it into the next iteration / the return. */
			if (!NT_STATUS_IS_OK(status)) {
				continue;
			}
			status = result;
			if (!NT_STATUS_IS_OK(result)) {
				if (NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_PRIVILEGE))
					d_fprintf(stderr, _("No such privilege "
						  "exists: %s.\n"), privname);
				else
					d_fprintf(stderr, _("Error resolving "
						  "privilege display name "
						  "[%s].\n"),
						  nt_errstr(result));
				continue;
			}

			status = enum_accounts_for_privilege(pipe_hnd, mem_ctx, &pol, privname);
			if (!NT_STATUS_IS_OK(status)) {
				d_fprintf(stderr, _("Error enumerating "
					  "accounts for privilege %s [%s].\n"),
					  privname, nt_errstr(status));
				continue;
			}
		}
		goto done;
	}

	/* special case to enumerate all privileged SIDs with associated rights */

	if (strequal(argv[0], "accounts")) {
		int i = 1;

		if (argv[1] == NULL) {
			status = enum_privileges_for_accounts(pipe_hnd, mem_ctx, &pol);
			goto done;
		}

		/* unlike the "privileges" form, the first failure stops the walk */
		while (argv[i] != NULL) {
			status = name_to_sid(pipe_hnd, mem_ctx, &sid, argv[i]);
			if (!NT_STATUS_IS_OK(status)) {
				goto done;
			}
			status = enum_privileges_for_user(pipe_hnd, mem_ctx, &pol, &sid);
			if (!NT_STATUS_IS_OK(status)) {
				goto done;
			}
			i++;
		}

		goto done;
	}

	/* backward compatibility: if no keyword provided, treat the key
	   as an account name */
	if (argc > 1) {
		d_printf("%s net rpc rights list [[accounts|privileges] "
			 "[name|SID]]\n", _("Usage:"));
		status = NT_STATUS_OK;
		goto done;
	}

	status = name_to_sid(pipe_hnd, mem_ctx, &sid, argv[0]);
	if (!NT_STATUS_IS_OK(status)) {
		goto done;
	}
	status = enum_privileges_for_user(pipe_hnd, mem_ctx, &pol, &sid);

done:
	/* Close status intentionally not propagated. */
	dcerpc_lsa_Close(b, mem_ctx, &pol, &result);

	return status;
}
/********************************************************************
********************************************************************/
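/*
 * Worker for "net rpc rights grant <name|SID> <rights...>": resolve argv[0]
 * to a SID and add every remaining argument as a right of that account via
 * LSA AddAccountRights.
 *
 * c, domain_sid, domain_name and cli belong to the run_rpc_command callback
 * signature and are not used here.
 *
 * Returns NT_STATUS_OK on success (and after printing usage when argc < 2).
 * NT_STATUS_NONE_MAPPED from the name lookup is reported as
 * NT_STATUS_NO_SUCH_USER.  Every failure is printed to stderr before it is
 * returned.
 *
 * Cleanup is split across two labels: 'done' closes the LSA policy handle
 * and falls into 'report'; paths that fail before the handle has been
 * opened jump straight to 'report', so that a never-opened (uninitialised)
 * dom_pol is never handed to dcerpc_lsa_Close() and put on the wire.
 */
static NTSTATUS rpc_rights_grant_internal(struct net_context *c,
					const struct dom_sid *domain_sid,
					const char *domain_name,
					struct cli_state *cli,
					struct rpc_pipe_client *pipe_hnd,
					TALLOC_CTX *mem_ctx,
					int argc,
					const char **argv)
{
	struct policy_handle dom_pol;
	NTSTATUS status, result;
	struct lsa_RightSet rights;
	int i;
	struct dcerpc_binding_handle *b = pipe_hnd->binding_handle;
	struct dom_sid sid;

	if (argc < 2) {
		d_printf("%s\n%s",
			 _("Usage:"),
			 _(" net rpc rights grant <name|SID> <rights...>\n"));
		return NT_STATUS_OK;
	}

	status = name_to_sid(pipe_hnd, mem_ctx, &sid, argv[0]);
	if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
		status = NT_STATUS_NO_SUCH_USER;
	}
	if (!NT_STATUS_IS_OK(status)) {
		/* dom_pol is not open yet: report, but do not Close it. */
		goto report;
	}

	status = rpccli_lsa_open_policy2(pipe_hnd, mem_ctx, true,
					 SEC_FLAG_MAXIMUM_ALLOWED,
					 &dom_pol);
	if (!NT_STATUS_IS_OK(status)) {
		goto report;
	}

	rights.count = argc - 1;
	rights.names = talloc_array(mem_ctx, struct lsa_StringLarge,
				    rights.count);
	if (rights.names == NULL) {
		/* The handle is open now, so go through 'done' to close it. */
		status = NT_STATUS_NO_MEMORY;
		goto done;
	}
	for (i = 0; i < argc - 1; i++) {
		init_lsa_StringLarge(&rights.names[i], argv[i + 1]);
	}

	status = dcerpc_lsa_AddAccountRights(b, mem_ctx,
					     &dom_pol,
					     &sid,
					     &rights,
					     &result);
	if (!NT_STATUS_IS_OK(status)) {
		goto done;
	}
	if (!NT_STATUS_IS_OK(result)) {
		status = result;
		goto done;
	}

	d_printf(_("Successfully granted rights.\n"));

done:
	/* Close status intentionally not propagated. */
	dcerpc_lsa_Close(b, mem_ctx, &dom_pol, &result);

report:
	if (!NT_STATUS_IS_OK(status)) {
		d_fprintf(stderr, _("Failed to grant privileges for %s (%s)\n"),
			  argv[0], nt_errstr(status));
	}

	return status;
}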
/********************************************************************
********************************************************************/
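/*
 * Worker for "net rpc rights revoke <name|SID> <rights...>": resolve argv[0]
 * to a SID and remove every remaining argument from that account's rights
 * via LSA RemoveAccountRights (remove_all = false, so only the listed
 * rights are touched).
 *
 * c, domain_sid, domain_name and cli belong to the run_rpc_command callback
 * signature and are not used here.
 *
 * Returns NT_STATUS_OK on success (and after printing usage when argc < 2).
 * Every failure is printed to stderr before it is returned, matching
 * rpc_rights_grant_internal().
 *
 * Cleanup is split across two labels: 'done' closes the LSA policy handle
 * and falls into 'report'; paths that fail before the handle has been
 * opened jump straight to 'report'.  An allocation failure after the open
 * goes through 'done' so the handle is not leaked on the server.
 */
static NTSTATUS rpc_rights_revoke_internal(struct net_context *c,
					const struct dom_sid *domain_sid,
					const char *domain_name,
					struct cli_state *cli,
					struct rpc_pipe_client *pipe_hnd,
					TALLOC_CTX *mem_ctx,
					int argc,
					const char **argv)
{
	struct policy_handle dom_pol;
	NTSTATUS status, result;
	struct lsa_RightSet rights;
	struct dom_sid sid;
	int i;
	struct dcerpc_binding_handle *b = pipe_hnd->binding_handle;

	if (argc < 2) {
		d_printf("%s\n%s",
			 _("Usage:"),
			 _(" net rpc rights revoke <name|SID> <rights...>\n"));
		return NT_STATUS_OK;
	}

	status = name_to_sid(pipe_hnd, mem_ctx, &sid, argv[0]);
	if (!NT_STATUS_IS_OK(status)) {
		/* dom_pol is not open yet: report, but do not Close it. */
		goto report;
	}

	status = rpccli_lsa_open_policy2(pipe_hnd, mem_ctx, true,
					 SEC_FLAG_MAXIMUM_ALLOWED,
					 &dom_pol);
	if (!NT_STATUS_IS_OK(status)) {
		goto report;
	}

	rights.count = argc - 1;
	rights.names = talloc_array(mem_ctx, struct lsa_StringLarge,
				    rights.count);
	if (rights.names == NULL) {
		/* The handle is open now, so go through 'done' to close it. */
		status = NT_STATUS_NO_MEMORY;
		goto done;
	}
	for (i = 0; i < argc - 1; i++) {
		init_lsa_StringLarge(&rights.names[i], argv[i + 1]);
	}

	status = dcerpc_lsa_RemoveAccountRights(b, mem_ctx,
						&dom_pol,
						&sid,
						false, /* remove_all */
						&rights,
						&result);
	if (!NT_STATUS_IS_OK(status)) {
		goto done;
	}
	if (!NT_STATUS_IS_OK(result)) {
		status = result;
		goto done;
	}

	d_printf(_("Successfully revoked rights.\n"));

done:
	/* Close status intentionally not propagated. */
	dcerpc_lsa_Close(b, mem_ctx, &dom_pol, &result);

report:
	if (!NT_STATUS_IS_OK(status)) {
		d_fprintf(stderr, _("Failed to revoke privileges for %s (%s)\n"),
			  argv[0], nt_errstr(status));
	}

	return status;
}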
/********************************************************************
********************************************************************/
/*
 * "net rpc rights list" entry point: prints usage when c->display_usage is
 * set, otherwise runs rpc_rights_list_internal over an lsarpc pipe via
 * run_rpc_command() and returns its exit code.
 */
static int rpc_rights_list(struct net_context *c, int argc, const char **argv)
{
	if (!c->display_usage) {
		return run_rpc_command(c, NULL, &ndr_table_lsarpc.syntax_id, 0,
				       rpc_rights_list_internal, argc, argv);
	}

	d_printf("%s\n%s",
		 _("Usage:"),
		 _("net rpc rights list [{accounts|privileges} "
		   "[name|SID]]\n"
		   "View available/assigned privileges\n"));
	return 0;
}
/********************************************************************
********************************************************************/
/*
 * "net rpc rights grant" entry point: prints usage and an example when
 * c->display_usage is set, otherwise runs rpc_rights_grant_internal over
 * an lsarpc pipe via run_rpc_command() and returns its exit code.
 */
static int rpc_rights_grant(struct net_context *c, int argc, const char **argv)
{
	if (!c->display_usage) {
		return run_rpc_command(c, NULL, &ndr_table_lsarpc.syntax_id, 0,
				       rpc_rights_grant_internal, argc, argv);
	}

	d_printf("%s\n%s",
		 _("Usage:"),
		 _("net rpc rights grant <name|SID> <right>\n"
		   "Assign privilege[s]\n"));
	d_printf(_("For example:\n"
		   " net rpc rights grant 'VALE\\biddle' "
		   "SePrintOperatorPrivilege SeDiskOperatorPrivilege\n"
		   " would grant the printer admin and disk manager "
		   "rights to the user 'VALE\\biddle'\n"));
	return 0;
}
/********************************************************************
********************************************************************/
/*
 * "net rpc rights revoke" entry point: prints usage and an example when
 * c->display_usage is set, otherwise runs rpc_rights_revoke_internal over
 * an lsarpc pipe via run_rpc_command() and returns its exit code.
 */
static int rpc_rights_revoke(struct net_context *c, int argc, const char **argv)
{
	if (!c->display_usage) {
		return run_rpc_command(c, NULL, &ndr_table_lsarpc.syntax_id, 0,
				       rpc_rights_revoke_internal, argc, argv);
	}

	d_printf("%s\n%s",
		 _("Usage:"),
		 _("net rpc rights revoke <name|SID> <right>\n"
		   "Revoke privilege[s]\n"));
	d_printf(_("For example:\n"
		   " net rpc rights revoke 'VALE\\biddle' "
		   "SePrintOperatorPrivilege SeDiskOperatorPrivilege\n"
		   " would revoke the printer admin and disk manager "
		   "rights from the user 'VALE\\biddle'\n"));
	return 0;
}
/********************************************************************
********************************************************************/
/*
 * Dispatcher for "net rpc rights": builds the sub-command table
 * (list / grant / revoke, all RPC transport) and hands argv to
 * net_run_function(), whose return value is the exit code.
 *
 * The N_() markers tag the description strings for translation without
 * translating them at this point.
 */
int net_rpc_rights(struct net_context *c, int argc, const char **argv)
{
	struct functable func[] = {
		{
			"list",
			rpc_rights_list,
			NET_TRANSPORT_RPC,
			N_("View available/assigned privileges"),
			N_("net rpc rights list\n"
			   "View available/assigned privileges")
		},
		{
			"grant",
			rpc_rights_grant,
			NET_TRANSPORT_RPC,
			N_("Assign privilege[s]"),
			N_("net rpc rights grant\n"
			   "Assign privilege[s]")
		},
		{
			"revoke",
			rpc_rights_revoke,
			NET_TRANSPORT_RPC,
			N_("Revoke privilege[s]"),
			N_("net rpc rights revoke\n"
			   "Revoke privilege[s]")
		},
		/* terminator entry */
		{NULL, NULL, 0, NULL, NULL}
	};

	return net_run_function(c, argc, argv, "net rpc rights", func);
}
/*
 * rpc shell adapter for "rights list": unpacks the shell context into the
 * argument shape rpc_rights_list_internal() expects and returns its status.
 */
static NTSTATUS rpc_sh_rights_list(struct net_context *c,
				   TALLOC_CTX *mem_ctx, struct rpc_sh_ctx *ctx,
				   struct rpc_pipe_client *pipe_hnd,
				   int argc, const char **argv)
{
	const struct dom_sid *domain_sid = ctx->domain_sid;
	const char *domain_name = ctx->domain_name;
	struct cli_state *cli = ctx->cli;

	return rpc_rights_list_internal(c, domain_sid, domain_name, cli,
					pipe_hnd, mem_ctx, argc, argv);
}
/*
 * rpc shell adapter for "rights grant": unpacks the shell context into the
 * argument shape rpc_rights_grant_internal() expects and returns its status.
 */
static NTSTATUS rpc_sh_rights_grant(struct net_context *c,
				    TALLOC_CTX *mem_ctx,
				    struct rpc_sh_ctx *ctx,
				    struct rpc_pipe_client *pipe_hnd,
				    int argc, const char **argv)
{
	const struct dom_sid *domain_sid = ctx->domain_sid;
	const char *domain_name = ctx->domain_name;
	struct cli_state *cli = ctx->cli;

	return rpc_rights_grant_internal(c, domain_sid, domain_name, cli,
					 pipe_hnd, mem_ctx, argc, argv);
}
/*
 * rpc shell adapter for "rights revoke": unpacks the shell context into the
 * argument shape rpc_rights_revoke_internal() expects and returns its status.
 */
static NTSTATUS rpc_sh_rights_revoke(struct net_context *c,
				     TALLOC_CTX *mem_ctx,
				     struct rpc_sh_ctx *ctx,
				     struct rpc_pipe_client *pipe_hnd,
				     int argc, const char **argv)
{
	const struct dom_sid *domain_sid = ctx->domain_sid;
	const char *domain_name = ctx->domain_name;
	struct cli_state *cli = ctx->cli;

	return rpc_rights_revoke_internal(c, domain_sid, domain_name, cli,
					  pipe_hnd, mem_ctx, argc, argv);
}
/*
 * Return the rpc shell command table for "rights": list / grant / revoke,
 * each bound to the lsarpc interface and its rpc_sh_* adapter above.
 *
 * The table has static storage, so the returned pointer stays valid after
 * this function returns and the caller must not free it.  c, mem_ctx and
 * ctx are accepted for interface compatibility and are not used.
 */
struct rpc_sh_cmd *net_rpc_rights_cmds(struct net_context *c, TALLOC_CTX *mem_ctx,
				       struct rpc_sh_ctx *ctx)
{
	static struct rpc_sh_cmd cmds[] = {

	{ "list", NULL, &ndr_table_lsarpc.syntax_id, rpc_sh_rights_list,
	  N_("View available or assigned privileges") },

	{ "grant", NULL, &ndr_table_lsarpc.syntax_id, rpc_sh_rights_grant,
	  N_("Assign privilege[s]") },

	{ "revoke", NULL, &ndr_table_lsarpc.syntax_id, rpc_sh_rights_revoke,
	  N_("Revoke privilege[s]") },

	/* terminator entry */
	{ NULL, NULL, 0, NULL, NULL }
	};

	return cmds;
}