static NTSTATUS cmd_lsa_delete_secret(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx, int argc,
const char **argv)
{
NTSTATUS status;
struct policy_handle handle, sec_handle;
struct lsa_String name;
if (argc < 2) {
printf("Usage: %s name\n", argv[0]);
return NT_STATUS_OK;
}
status = rpccli_lsa_open_policy2(cli, mem_ctx,
true,
SEC_FLAG_MAXIMUM_ALLOWED,
&handle);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
init_lsa_String(&name, argv[1]);
status = rpccli_lsa_OpenSecret(cli, mem_ctx,
&handle,
name,
SEC_FLAG_MAXIMUM_ALLOWED,
&sec_handle);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
status = rpccli_lsa_DeleteObject(cli, mem_ctx,
&sec_handle);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
done:
if (is_valid_policy_hnd(&sec_handle)) {
rpccli_lsa_Close(cli, mem_ctx, &sec_handle);
}
if (is_valid_policy_hnd(&handle)) {
rpccli_lsa_Close(cli, mem_ctx, &handle);
}
return status;
}
/* useful function to allow entering a name instead of a SID and
* looking it up automatically */
static NTSTATUS name_to_sid(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx,
DOM_SID *sid, const char *name)
{
struct policy_handle pol;
enum lsa_SidType *sid_types;
NTSTATUS result;
DOM_SID *sids;
/* maybe its a raw SID */
if (strncmp(name, "S-", 2) == 0 &&
string_to_sid(sid, name)) {
return NT_STATUS_OK;
}
result = rpccli_lsa_open_policy(cli, mem_ctx, True,
SEC_FLAG_MAXIMUM_ALLOWED,
&pol);
if (!NT_STATUS_IS_OK(result))
goto done;
result = rpccli_lsa_lookup_names(cli, mem_ctx, &pol, 1, &name, NULL, 1, &sids, &sid_types);
if (!NT_STATUS_IS_OK(result))
goto done;
rpccli_lsa_Close(cli, mem_ctx, &pol);
*sid = sids[0];
done:
return result;
}
NTSTATUS net_rpc_lookup_name(struct net_context *c,
TALLOC_CTX *mem_ctx, struct cli_state *cli,
const char *name, const char **ret_domain,
const char **ret_name, DOM_SID *ret_sid,
enum lsa_SidType *ret_type)
{
struct rpc_pipe_client *lsa_pipe;
POLICY_HND pol;
NTSTATUS result = NT_STATUS_OK;
const char **dom_names;
DOM_SID *sids;
enum lsa_SidType *types;
ZERO_STRUCT(pol);
result = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
&lsa_pipe);
if (!NT_STATUS_IS_OK(result)) {
d_fprintf(stderr, "Could not initialise lsa pipe\n");
return result;
}
result = rpccli_lsa_open_policy(lsa_pipe, mem_ctx, false,
SEC_RIGHTS_MAXIMUM_ALLOWED,
&pol);
if (!NT_STATUS_IS_OK(result)) {
d_fprintf(stderr, "open_policy failed: %s\n",
nt_errstr(result));
return result;
}
result = rpccli_lsa_lookup_names(lsa_pipe, mem_ctx, &pol, 1,
&name, &dom_names, 1, &sids, &types);
if (!NT_STATUS_IS_OK(result)) {
/* This can happen easily, don't log an error */
goto done;
}
if (ret_domain != NULL) {
*ret_domain = dom_names[0];
}
if (ret_name != NULL) {
*ret_name = talloc_strdup(mem_ctx, name);
}
if (ret_sid != NULL) {
sid_copy(ret_sid, &sids[0]);
}
if (ret_type != NULL) {
*ret_type = types[0];
}
done:
if (is_valid_policy_hnd(&pol)) {
rpccli_lsa_Close(lsa_pipe, mem_ctx, &pol);
}
TALLOC_FREE(lsa_pipe);
return result;
}
static NTSTATUS sid_to_name(struct rpc_pipe_client *pipe_hnd,
TALLOC_CTX *mem_ctx,
DOM_SID *sid,
fstring name)
{
struct policy_handle pol;
enum lsa_SidType *sid_types = NULL;
NTSTATUS result;
char **domains = NULL, **names = NULL;
result = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true,
SEC_FLAG_MAXIMUM_ALLOWED, &pol);
if ( !NT_STATUS_IS_OK(result) )
return result;
result = rpccli_lsa_lookup_sids(pipe_hnd, mem_ctx, &pol, 1, sid, &domains, &names, &sid_types);
if ( NT_STATUS_IS_OK(result) ) {
if ( *domains[0] )
fstr_sprintf( name, "%s\\%s", domains[0], names[0] );
else
fstrcpy( name, names[0] );
}
rpccli_lsa_Close(pipe_hnd, mem_ctx, &pol);
return result;
}
static NTSTATUS cmd_lsa_enum_privsaccounts(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx, int argc,
const char **argv)
{
struct policy_handle dom_pol;
struct policy_handle user_pol;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
uint32 access_desired = 0x000f000f;
DOM_SID sid;
struct lsa_PrivilegeSet *privs = NULL;
int i;
if (argc != 2 ) {
printf("Usage: %s SID\n", argv[0]);
return NT_STATUS_OK;
}
result = name_to_sid(cli, mem_ctx, &sid, argv[1]);
if (!NT_STATUS_IS_OK(result))
goto done;
result = rpccli_lsa_open_policy2(cli, mem_ctx, True,
SEC_FLAG_MAXIMUM_ALLOWED,
&dom_pol);
if (!NT_STATUS_IS_OK(result))
goto done;
result = rpccli_lsa_OpenAccount(cli, mem_ctx,
&dom_pol,
&sid,
access_desired,
&user_pol);
if (!NT_STATUS_IS_OK(result))
goto done;
result = rpccli_lsa_EnumPrivsAccount(cli, mem_ctx,
&user_pol,
&privs);
if (!NT_STATUS_IS_OK(result))
goto done;
/* Print results */
printf("found %d privileges for SID %s\n\n", privs->count, argv[1]);
printf("high\tlow\tattribute\n");
for (i = 0; i < privs->count; i++) {
printf("%u\t%u\t%u\n",
privs->set[i].luid.high,
privs->set[i].luid.low,
privs->set[i].attribute);
}
rpccli_lsa_Close(cli, mem_ctx, &dom_pol);
done:
return result;
}
static NTSTATUS cmd_lsa_create_trusted_domain(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx, int argc,
const char **argv)
{
NTSTATUS status;
struct policy_handle handle, trustdom_handle;
struct dom_sid sid;
struct lsa_DomainInfo info;
if (argc < 3) {
printf("Usage: %s name sid\n", argv[0]);
return NT_STATUS_OK;
}
status = rpccli_lsa_open_policy2(cli, mem_ctx,
true,
SEC_FLAG_MAXIMUM_ALLOWED,
&handle);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
init_lsa_StringLarge(&info.name, argv[1]);
info.sid = &sid;
string_to_sid(&sid, argv[2]);
status = rpccli_lsa_CreateTrustedDomain(cli, mem_ctx,
&handle,
&info,
SEC_FLAG_MAXIMUM_ALLOWED,
&trustdom_handle);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
done:
if (is_valid_policy_hnd(&trustdom_handle)) {
rpccli_lsa_Close(cli, mem_ctx, &trustdom_handle);
}
if (is_valid_policy_hnd(&handle)) {
rpccli_lsa_Close(cli, mem_ctx, &handle);
}
return status;
}
static NTSTATUS cmd_lsa_query_trustdominfo(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx, int argc,
const char **argv)
{
struct policy_handle pol, trustdom_pol;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
uint32 access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
union lsa_TrustedDomainInfo *info = NULL;
DOM_SID dom_sid;
enum lsa_TrustDomInfoEnum info_class = 1;
uint8_t nt_hash[16];
if (argc > 3 || argc < 2) {
printf("Usage: %s [sid] [info_class]\n", argv[0]);
return NT_STATUS_OK;
}
if (!string_to_sid(&dom_sid, argv[1]))
return NT_STATUS_NO_MEMORY;
if (argc == 3)
info_class = atoi(argv[2]);
result = rpccli_lsa_open_policy2(cli, mem_ctx, True, access_mask, &pol);
if (!NT_STATUS_IS_OK(result))
goto done;
result = rpccli_lsa_OpenTrustedDomain(cli, mem_ctx,
&pol,
&dom_sid,
access_mask,
&trustdom_pol);
if (!NT_STATUS_IS_OK(result))
goto done;
result = rpccli_lsa_QueryTrustedDomainInfo(cli, mem_ctx,
&trustdom_pol,
info_class,
&info);
if (!NT_STATUS_IS_OK(result))
goto done;
if (!rpccli_get_pwd_hash(cli, nt_hash)) {
d_fprintf(stderr, "Could not get pwd hash\n");
goto done;
}
display_trust_dom_info(mem_ctx, info, info_class, nt_hash);
done:
rpccli_lsa_Close(cli, mem_ctx, &pol);
return result;
}
static NTSTATUS cmd_lsa_retrieve_private_data(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx, int argc,
const char **argv)
{
NTSTATUS status;
struct policy_handle handle;
struct lsa_String name;
struct lsa_DATA_BUF *val;
DATA_BLOB session_key;
DATA_BLOB blob = data_blob_null;
char *secret;
if (argc < 2) {
printf("Usage: %s name\n", argv[0]);
return NT_STATUS_OK;
}
status = rpccli_lsa_open_policy2(cli, mem_ctx,
true,
SEC_FLAG_MAXIMUM_ALLOWED,
&handle);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
init_lsa_String(&name, argv[1]);
ZERO_STRUCT(val);
status = rpccli_lsa_RetrievePrivateData(cli, mem_ctx,
&handle,
&name,
&val);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
status = cli_get_session_key(mem_ctx, cli, &session_key);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
if (val) {
blob = data_blob_const(val->data, val->length);
}
secret = sess_decrypt_string(mem_ctx, &blob, &session_key);
if (secret) {
d_printf("secret: %s\n", secret);
}
done:
if (is_valid_policy_hnd(&handle)) {
rpccli_lsa_Close(cli, mem_ctx, &handle);
}
return status;
}
static NTSTATUS cmd_lsa_query_info_policy(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx, int argc,
const char **argv)
{
struct policy_handle pol;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
union lsa_PolicyInformation *info = NULL;
uint32 info_class = 3;
if (argc > 2) {
printf("Usage: %s [info_class]\n", argv[0]);
return NT_STATUS_OK;
}
if (argc == 2)
info_class = atoi(argv[1]);
switch (info_class) {
case 12:
result = rpccli_lsa_open_policy2(cli, mem_ctx, True,
SEC_FLAG_MAXIMUM_ALLOWED,
&pol);
if (!NT_STATUS_IS_OK(result))
goto done;
result = rpccli_lsa_QueryInfoPolicy2(cli, mem_ctx,
&pol,
info_class,
&info);
break;
default:
result = rpccli_lsa_open_policy(cli, mem_ctx, True,
SEC_FLAG_MAXIMUM_ALLOWED,
&pol);
if (!NT_STATUS_IS_OK(result))
goto done;
result = rpccli_lsa_QueryInfoPolicy(cli, mem_ctx,
&pol,
info_class,
&info);
}
if (NT_STATUS_IS_OK(result)) {
display_lsa_query_info(info, info_class);
}
rpccli_lsa_Close(cli, mem_ctx, &pol);
done:
return result;
}
static NTSTATUS cmd_lsa_store_private_data(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx, int argc,
const char **argv)
{
NTSTATUS status;
struct policy_handle handle;
struct lsa_String name;
struct lsa_DATA_BUF val;
DATA_BLOB session_key;
DATA_BLOB enc_key;
if (argc < 3) {
printf("Usage: %s name secret\n", argv[0]);
return NT_STATUS_OK;
}
status = rpccli_lsa_open_policy2(cli, mem_ctx,
true,
SEC_FLAG_MAXIMUM_ALLOWED,
&handle);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
init_lsa_String(&name, argv[1]);
ZERO_STRUCT(val);
status = cli_get_session_key(mem_ctx, cli, &session_key);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
enc_key = sess_encrypt_string(argv[2], &session_key);
val.length = enc_key.length;
val.size = enc_key.length;
val.data = enc_key.data;
status = rpccli_lsa_StorePrivateData(cli, mem_ctx,
&handle,
&name,
&val);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
done:
if (is_valid_policy_hnd(&handle)) {
rpccli_lsa_Close(cli, mem_ctx, &handle);
}
return status;
}
static NTSTATUS cmd_lsa_enum_privilege(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx, int argc,
const char **argv)
{
struct policy_handle pol;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
struct lsa_PrivArray priv_array;
uint32 enum_context=0;
uint32 pref_max_length=0x1000;
int i;
if (argc > 3) {
printf("Usage: %s [enum context] [max length]\n", argv[0]);
return NT_STATUS_OK;
}
if (argc>=2)
enum_context=atoi(argv[1]);
if (argc==3)
pref_max_length=atoi(argv[2]);
result = rpccli_lsa_open_policy(cli, mem_ctx, True,
SEC_FLAG_MAXIMUM_ALLOWED,
&pol);
if (!NT_STATUS_IS_OK(result))
goto done;
result = rpccli_lsa_EnumPrivs(cli, mem_ctx,
&pol,
&enum_context,
&priv_array,
pref_max_length);
if (!NT_STATUS_IS_OK(result))
goto done;
/* Print results */
printf("found %d privileges\n\n", priv_array.count);
for (i = 0; i < priv_array.count; i++) {
printf("%s \t\t%d:%d (0x%x:0x%x)\n",
priv_array.privs[i].name.string ? priv_array.privs[i].name.string : "*unknown*",
priv_array.privs[i].luid.high,
priv_array.privs[i].luid.low,
priv_array.privs[i].luid.high,
priv_array.privs[i].luid.low);
}
rpccli_lsa_Close(cli, mem_ctx, &pol);
done:
return result;
}
static NTSTATUS cmd_lsa_enum_sids(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx, int argc,
const char **argv)
{
struct policy_handle pol;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
uint32 enum_context=0;
uint32 pref_max_length=0x1000;
struct lsa_SidArray sid_array;
int i;
if (argc > 3) {
printf("Usage: %s [enum context] [max length]\n", argv[0]);
return NT_STATUS_OK;
}
if (argc>=2)
enum_context=atoi(argv[1]);
if (argc==3)
pref_max_length=atoi(argv[2]);
result = rpccli_lsa_open_policy(cli, mem_ctx, True,
SEC_FLAG_MAXIMUM_ALLOWED,
&pol);
if (!NT_STATUS_IS_OK(result))
goto done;
result = rpccli_lsa_EnumAccounts(cli, mem_ctx,
&pol,
&enum_context,
&sid_array,
pref_max_length);
if (!NT_STATUS_IS_OK(result))
goto done;
/* Print results */
printf("found %d SIDs\n\n", sid_array.num_sids);
for (i = 0; i < sid_array.num_sids; i++) {
fstring sid_str;
sid_to_fstring(sid_str, sid_array.sids[i].sid);
printf("%s\n", sid_str);
}
rpccli_lsa_Close(cli, mem_ctx, &pol);
done:
return result;
}
static NTSTATUS cmd_lsa_remove_acct_rights(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx, int argc,
const char **argv)
{
struct policy_handle dom_pol;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
struct lsa_RightSet rights;
DOM_SID sid;
int i;
if (argc < 3 ) {
printf("Usage: %s SID [rights...]\n", argv[0]);
return NT_STATUS_OK;
}
result = name_to_sid(cli, mem_ctx, &sid, argv[1]);
if (!NT_STATUS_IS_OK(result))
goto done;
result = rpccli_lsa_open_policy2(cli, mem_ctx, True,
SEC_FLAG_MAXIMUM_ALLOWED,
&dom_pol);
if (!NT_STATUS_IS_OK(result))
goto done;
rights.count = argc-2;
rights.names = TALLOC_ARRAY(mem_ctx, struct lsa_StringLarge,
rights.count);
if (!rights.names) {
return NT_STATUS_NO_MEMORY;
}
for (i=0; i<argc-2; i++) {
init_lsa_StringLarge(&rights.names[i], argv[i+2]);
}
result = rpccli_lsa_RemoveAccountRights(cli, mem_ctx,
&dom_pol,
&sid,
false,
&rights);
if (!NT_STATUS_IS_OK(result))
goto done;
rpccli_lsa_Close(cli, mem_ctx, &dom_pol);
done:
return result;
}
static NTSTATUS cmd_lsa_lookup_names_level(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx, int argc,
const char **argv)
{
struct policy_handle pol;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
DOM_SID *sids;
enum lsa_SidType *types;
int i, level;
if (argc < 3) {
printf("Usage: %s [level] [name1 [name2 [...]]]\n", argv[0]);
return NT_STATUS_OK;
}
result = rpccli_lsa_open_policy(cli, mem_ctx, True,
SEC_FLAG_MAXIMUM_ALLOWED,
&pol);
if (!NT_STATUS_IS_OK(result))
goto done;
level = atoi(argv[1]);
result = rpccli_lsa_lookup_names(cli, mem_ctx, &pol, argc - 2,
(const char**)(argv + 2), NULL, level, &sids, &types);
if (!NT_STATUS_IS_OK(result) && NT_STATUS_V(result) !=
NT_STATUS_V(STATUS_SOME_UNMAPPED))
goto done;
result = NT_STATUS_OK;
/* Print results */
for (i = 0; i < (argc - 2); i++) {
fstring sid_str;
sid_to_fstring(sid_str, &sids[i]);
printf("%s %s (%s: %d)\n", argv[i + 2], sid_str,
sid_type_lookup(types[i]), types[i]);
}
rpccli_lsa_Close(cli, mem_ctx, &pol);
done:
return result;
}
static NTSTATUS cmd_lsa_enum_acct_rights(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx, int argc,
const char **argv)
{
struct policy_handle dom_pol;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
DOM_SID sid;
struct lsa_RightSet rights;
int i;
if (argc != 2 ) {
printf("Usage: %s SID\n", argv[0]);
return NT_STATUS_OK;
}
result = name_to_sid(cli, mem_ctx, &sid, argv[1]);
if (!NT_STATUS_IS_OK(result))
goto done;
result = rpccli_lsa_open_policy2(cli, mem_ctx, True,
SEC_FLAG_MAXIMUM_ALLOWED,
&dom_pol);
if (!NT_STATUS_IS_OK(result))
goto done;
result = rpccli_lsa_EnumAccountRights(cli, mem_ctx,
&dom_pol,
&sid,
&rights);
if (!NT_STATUS_IS_OK(result))
goto done;
printf("found %d privileges for SID %s\n", rights.count,
sid_string_tos(&sid));
for (i = 0; i < rights.count; i++) {
printf("\t%s\n", rights.names[i].string);
}
rpccli_lsa_Close(cli, mem_ctx, &dom_pol);
done:
return result;
}
static NTSTATUS cmd_lsa_get_dispname(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx, int argc,
const char **argv)
{
struct policy_handle pol;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
uint16 lang_id=0;
uint16 lang_id_sys=0;
uint16 lang_id_desc;
struct lsa_String lsa_name;
struct lsa_StringLarge *description = NULL;
if (argc != 2) {
printf("Usage: %s privilege name\n", argv[0]);
return NT_STATUS_OK;
}
result = rpccli_lsa_open_policy(cli, mem_ctx, True,
SEC_FLAG_MAXIMUM_ALLOWED,
&pol);
if (!NT_STATUS_IS_OK(result))
goto done;
init_lsa_String(&lsa_name, argv[1]);
result = rpccli_lsa_LookupPrivDisplayName(cli, mem_ctx,
&pol,
&lsa_name,
lang_id,
lang_id_sys,
&description,
&lang_id_desc);
if (!NT_STATUS_IS_OK(result))
goto done;
/* Print results */
printf("%s -> %s (language: 0x%x)\n", argv[1], description->string, lang_id_desc);
rpccli_lsa_Close(cli, mem_ctx, &pol);
done:
return result;
}
static NTSTATUS cmd_lsa_create_account(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx, int argc,
const char **argv)
{
struct policy_handle dom_pol;
struct policy_handle user_pol;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
uint32 des_access = 0x000f000f;
DOM_SID sid;
if (argc != 2 ) {
printf("Usage: %s SID\n", argv[0]);
return NT_STATUS_OK;
}
result = name_to_sid(cli, mem_ctx, &sid, argv[1]);
if (!NT_STATUS_IS_OK(result))
goto done;
result = rpccli_lsa_open_policy2(cli, mem_ctx, True,
SEC_FLAG_MAXIMUM_ALLOWED,
&dom_pol);
if (!NT_STATUS_IS_OK(result))
goto done;
result = rpccli_lsa_CreateAccount(cli, mem_ctx,
&dom_pol,
&sid,
des_access,
&user_pol);
if (!NT_STATUS_IS_OK(result))
goto done;
printf("Account for SID %s successfully created\n\n", argv[1]);
result = NT_STATUS_OK;
rpccli_lsa_Close(cli, mem_ctx, &dom_pol);
done:
return result;
}
static NTSTATUS cmd_lsa_get_username(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx, int argc,
const char **argv)
{
struct policy_handle pol;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
const char *servername = cli->desthost;
struct lsa_String *account_name = NULL;
struct lsa_String *authority_name = NULL;
if (argc > 2) {
printf("Usage: %s servername\n", argv[0]);
return NT_STATUS_OK;
}
result = rpccli_lsa_open_policy(cli, mem_ctx, true,
SEC_FLAG_MAXIMUM_ALLOWED,
&pol);
if (!NT_STATUS_IS_OK(result)) {
goto done;
}
result = rpccli_lsa_GetUserName(cli, mem_ctx,
servername,
&account_name,
&authority_name);
if (!NT_STATUS_IS_OK(result)) {
goto done;
}
/* Print results */
printf("Account Name: %s, Authority Name: %s\n",
account_name->string, authority_name ? authority_name->string :
"");
rpccli_lsa_Close(cli, mem_ctx, &pol);
done:
return result;
}
static NTSTATUS cmd_testme(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
int argc, const char **argv)
{
struct rpc_pipe_client *lsa_pipe = NULL, *samr_pipe = NULL;
NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
struct policy_handle pol;
d_printf("testme\n");
status = cli_rpc_pipe_open_noauth(rpc_pipe_np_smb_conn(cli),
&ndr_table_lsarpc.syntax_id,
&lsa_pipe);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
status = cli_rpc_pipe_open_noauth(rpc_pipe_np_smb_conn(cli),
&ndr_table_samr.syntax_id,
&samr_pipe);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
status = rpccli_lsa_open_policy(lsa_pipe, mem_ctx, False,
KEY_QUERY_VALUE, &pol);
if (!NT_STATUS_IS_OK(status))
goto done;
status = rpccli_lsa_Close(lsa_pipe, mem_ctx, &pol);
if (!NT_STATUS_IS_OK(status))
goto done;
done:
TALLOC_FREE(lsa_pipe);
TALLOC_FREE(samr_pipe);
return status;
}
static NTSTATUS cmd_lsa_query_secobj(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx, int argc,
const char **argv)
{
struct policy_handle pol;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
SEC_DESC_BUF *sdb;
uint32 sec_info = DACL_SECURITY_INFORMATION;
if (argc < 1 || argc > 2) {
printf("Usage: %s [sec_info]\n", argv[0]);
return NT_STATUS_OK;
}
result = rpccli_lsa_open_policy2(cli, mem_ctx, True,
SEC_FLAG_MAXIMUM_ALLOWED,
&pol);
if (argc == 2)
sscanf(argv[1], "%x", &sec_info);
if (!NT_STATUS_IS_OK(result))
goto done;
result = rpccli_lsa_QuerySecurity(cli, mem_ctx,
&pol,
sec_info,
&sdb);
if (!NT_STATUS_IS_OK(result))
goto done;
/* Print results */
display_sec_desc(sdb->sd);
rpccli_lsa_Close(cli, mem_ctx, &pol);
done:
return result;
}
static NTSTATUS cmd_lsa_lookup_priv_value(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx, int argc,
const char **argv)
{
struct policy_handle pol;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
struct lsa_LUID luid;
struct lsa_String name;
if (argc != 2 ) {
printf("Usage: %s name\n", argv[0]);
return NT_STATUS_OK;
}
result = rpccli_lsa_open_policy2(cli, mem_ctx, True,
SEC_FLAG_MAXIMUM_ALLOWED,
&pol);
if (!NT_STATUS_IS_OK(result))
goto done;
init_lsa_String(&name, argv[1]);
result = rpccli_lsa_LookupPrivValue(cli, mem_ctx,
&pol,
&name,
&luid);
if (!NT_STATUS_IS_OK(result))
goto done;
/* Print results */
printf("%u:%u (0x%x:0x%x)\n", luid.high, luid.low, luid.high, luid.low);
rpccli_lsa_Close(cli, mem_ctx, &pol);
done:
return result;
}
int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
{
/* libsmb variables */
struct cli_state *cli;
TALLOC_CTX *mem_ctx;
uint32 acb_info = ACB_WSTRUST;
uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
uint32 sec_channel_type;
struct rpc_pipe_client *pipe_hnd = NULL;
/* rpc variables */
struct policy_handle lsa_pol, sam_pol, domain_pol, user_pol;
DOM_SID *domain_sid;
uint32 user_rid;
/* Password stuff */
char *clear_trust_password = NULL;
struct samr_CryptPassword crypt_pwd;
uchar md4_trust_password[16];
union samr_UserInfo set_info;
/* Misc */
NTSTATUS result;
int retval = 1;
const char *domain = NULL;
char *acct_name;
struct lsa_String lsa_acct_name;
uint32 acct_flags=0;
uint32_t access_granted = 0;
union lsa_PolicyInformation *info = NULL;
struct samr_Ids user_rids;
struct samr_Ids name_types;
/* check what type of join */
if (argc >= 0) {
sec_channel_type = get_sec_channel_type(argv[0]);
} else {
sec_channel_type = get_sec_channel_type(NULL);
}
switch (sec_channel_type) {
case SEC_CHAN_WKSTA:
acb_info = ACB_WSTRUST;
break;
case SEC_CHAN_BDC:
acb_info = ACB_SVRTRUST;
break;
#if 0
case SEC_CHAN_DOMAIN:
acb_info = ACB_DOMTRUST;
break;
#endif
}
/* Make authenticated connection to remote machine */
result = net_make_ipc_connection(c, NET_FLAGS_PDC, &cli);
if (!NT_STATUS_IS_OK(result)) {
return 1;
}
if (!(mem_ctx = talloc_init("net_rpc_join_newstyle"))) {
DEBUG(0, ("Could not initialise talloc context\n"));
goto done;
}
/* Fetch domain sid */
result = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
&pipe_hnd);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(0, ("Error connecting to LSA pipe. Error was %s\n",
nt_errstr(result) ));
goto done;
}
CHECK_RPC_ERR(rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true,
SEC_FLAG_MAXIMUM_ALLOWED,
&lsa_pol),
"error opening lsa policy handle");
CHECK_RPC_ERR(rpccli_lsa_QueryInfoPolicy(pipe_hnd, mem_ctx,
&lsa_pol,
LSA_POLICY_INFO_ACCOUNT_DOMAIN,
&info),
"error querying info policy");
domain = info->account_domain.name.string;
domain_sid = info->account_domain.sid;
rpccli_lsa_Close(pipe_hnd, mem_ctx, &lsa_pol);
TALLOC_FREE(pipe_hnd); /* Done with this pipe */
/* Bail out if domain didn't get set. */
if (!domain) {
DEBUG(0, ("Could not get domain name.\n"));
goto done;
}
/* Create domain user */
result = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr.syntax_id,
&pipe_hnd);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(0, ("Error connecting to SAM pipe. Error was %s\n",
nt_errstr(result) ));
goto done;
}
CHECK_RPC_ERR(rpccli_samr_Connect2(pipe_hnd, mem_ctx,
pipe_hnd->desthost,
SAMR_ACCESS_ENUM_DOMAINS
| SAMR_ACCESS_LOOKUP_DOMAIN,
&sam_pol),
"could not connect to SAM database");
CHECK_RPC_ERR(rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
&sam_pol,
SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1
| SAMR_DOMAIN_ACCESS_CREATE_USER
| SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
domain_sid,
&domain_pol),
"could not open domain");
/* Create domain user */
if ((acct_name = talloc_asprintf(mem_ctx, "%s$", global_myname())) == NULL) {
result = NT_STATUS_NO_MEMORY;
goto done;
}
strlower_m(acct_name);
init_lsa_String(&lsa_acct_name, acct_name);
acct_flags = SEC_GENERIC_READ | SEC_GENERIC_WRITE | SEC_GENERIC_EXECUTE |
SEC_STD_WRITE_DAC | SEC_STD_DELETE |
SAMR_USER_ACCESS_SET_PASSWORD |
SAMR_USER_ACCESS_GET_ATTRIBUTES |
SAMR_USER_ACCESS_SET_ATTRIBUTES;
DEBUG(10, ("Creating account with flags: %d\n",acct_flags));
result = rpccli_samr_CreateUser2(pipe_hnd, mem_ctx,
&domain_pol,
&lsa_acct_name,
acb_info,
acct_flags,
&user_pol,
&access_granted,
&user_rid);
if (!NT_STATUS_IS_OK(result) &&
!NT_STATUS_EQUAL(result, NT_STATUS_USER_EXISTS)) {
d_fprintf(stderr, "Creation of workstation account failed\n");
/* If NT_STATUS_ACCESS_DENIED then we have a valid
username/password combo but the user does not have
administrator access. */
if (NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_ACCESS_DENIED))
d_fprintf(stderr, "User specified does not have administrator privileges\n");
goto done;
}
/* We *must* do this.... don't ask... */
if (NT_STATUS_IS_OK(result)) {
rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
}
CHECK_RPC_ERR_DEBUG(rpccli_samr_LookupNames(pipe_hnd, mem_ctx,
&domain_pol,
1,
&lsa_acct_name,
&user_rids,
&name_types),
("error looking up rid for user %s: %s\n",
acct_name, nt_errstr(result)));
if (name_types.ids[0] != SID_NAME_USER) {
DEBUG(0, ("%s is not a user account (type=%d)\n", acct_name, name_types.ids[0]));
goto done;
}
user_rid = user_rids.ids[0];
/* Open handle on user */
CHECK_RPC_ERR_DEBUG(
rpccli_samr_OpenUser(pipe_hnd, mem_ctx,
&domain_pol,
SEC_FLAG_MAXIMUM_ALLOWED,
user_rid,
&user_pol),
("could not re-open existing user %s: %s\n",
acct_name, nt_errstr(result)));
/* Create a random machine account password */
clear_trust_password = generate_random_str(talloc_tos(), DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
E_md4hash(clear_trust_password, md4_trust_password);
/* Set password on machine account */
init_samr_CryptPassword(clear_trust_password,
&cli->user_session_key,
&crypt_pwd);
set_info.info24.password = crypt_pwd;
set_info.info24.password_expired = PASS_DONT_CHANGE_AT_NEXT_LOGON;
CHECK_RPC_ERR(rpccli_samr_SetUserInfo2(pipe_hnd, mem_ctx,
&user_pol,
24,
&set_info),
"error setting trust account password");
/* Why do we have to try to (re-)set the ACB to be the same as what
we passed in the samr_create_dom_user() call? When a NT
workstation is joined to a domain by an administrator the
acb_info is set to 0x80. For a normal user with "Add
workstations to the domain" rights the acb_info is 0x84. I'm
not sure whether it is supposed to make a difference or not. NT
seems to cope with either value so don't bomb out if the set
userinfo2 level 0x10 fails. -tpot */
set_info.info16.acct_flags = acb_info;
/* Ignoring the return value is necessary for joining a domain
as a normal user with "Add workstation to domain" privilege. */
result = rpccli_samr_SetUserInfo(pipe_hnd, mem_ctx,
&user_pol,
16,
&set_info);
rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
TALLOC_FREE(pipe_hnd); /* Done with this pipe */
/* Now check the whole process from top-to-bottom */
result = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon.syntax_id,
&pipe_hnd);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(0,("Error connecting to NETLOGON pipe. Error was %s\n",
nt_errstr(result) ));
goto done;
}
result = rpccli_netlogon_setup_creds(pipe_hnd,
cli->desthost, /* server name */
domain, /* domain */
global_myname(), /* client name */
global_myname(), /* machine account name */
md4_trust_password,
sec_channel_type,
&neg_flags);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(0, ("Error in domain join verification (credential setup failed): %s\n\n",
nt_errstr(result)));
if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) &&
(sec_channel_type == SEC_CHAN_BDC) ) {
d_fprintf(stderr, "Please make sure that no computer account\n"
"named like this machine (%s) exists in the domain\n",
global_myname());
}
goto done;
}
/* We can only check the schannel connection if the client is allowed
to do this and the server supports it. If not, just assume success
(after all the rpccli_netlogon_setup_creds() succeeded, and we'll
do the same again (setup creds) in net_rpc_join_ok(). JRA. */
if (lp_client_schannel() && (neg_flags & NETLOGON_NEG_SCHANNEL)) {
struct rpc_pipe_client *netlogon_schannel_pipe;
result = cli_rpc_pipe_open_schannel_with_key(
cli, &ndr_table_netlogon.syntax_id,
PIPE_AUTH_LEVEL_PRIVACY, domain, pipe_hnd->dc,
&netlogon_schannel_pipe);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(0, ("Error in domain join verification (schannel setup failed): %s\n\n",
nt_errstr(result)));
if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) &&
(sec_channel_type == SEC_CHAN_BDC) ) {
d_fprintf(stderr, "Please make sure that no computer account\n"
"named like this machine (%s) exists in the domain\n",
global_myname());
}
goto done;
}
TALLOC_FREE(netlogon_schannel_pipe);
}
TALLOC_FREE(pipe_hnd);
/* Now store the secret in the secrets database */
strupper_m(CONST_DISCARD(char *, domain));
if (!secrets_store_domain_sid(domain, domain_sid)) {
DEBUG(0, ("error storing domain sid for %s\n", domain));
goto done;
}
if (!secrets_store_machine_password(clear_trust_password, domain, sec_channel_type)) {
DEBUG(0, ("error storing plaintext domain secrets for %s\n", domain));
}
/* double-check, connection from scratch */
result = net_rpc_join_ok(c, domain, cli->desthost, &cli->dest_ss);
retval = NT_STATUS_IS_OK(result) ? 0 : -1;
done:
/* Display success or failure */
if (domain) {
if (retval != 0) {
fprintf(stderr,"Unable to join domain %s.\n",domain);
} else {
printf("Joined domain %s.\n",domain);
}
}
cli_shutdown(cli);
TALLOC_FREE(clear_trust_password);
return retval;
}
static NTSTATUS cmd_lsa_del_priv(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx, int argc,
const char **argv)
{
struct policy_handle dom_pol, user_pol;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
struct lsa_PrivilegeSet privs;
struct lsa_LUIDAttribute *set = NULL;
DOM_SID sid;
int i;
ZERO_STRUCT(privs);
if (argc < 3 ) {
printf("Usage: %s SID [rights...]\n", argv[0]);
return NT_STATUS_OK;
}
result = name_to_sid(cli, mem_ctx, &sid, argv[1]);
if (!NT_STATUS_IS_OK(result)) {
goto done;
}
result = rpccli_lsa_open_policy2(cli, mem_ctx, True,
SEC_FLAG_MAXIMUM_ALLOWED,
&dom_pol);
if (!NT_STATUS_IS_OK(result)) {
goto done;
}
result = rpccli_lsa_OpenAccount(cli, mem_ctx,
&dom_pol,
&sid,
SEC_FLAG_MAXIMUM_ALLOWED,
&user_pol);
if (!NT_STATUS_IS_OK(result)) {
goto done;
}
for (i=2; i<argc; i++) {
struct lsa_String priv_name;
struct lsa_LUID luid;
init_lsa_String(&priv_name, argv[i]);
result = rpccli_lsa_LookupPrivValue(cli, mem_ctx,
&dom_pol,
&priv_name,
&luid);
if (!NT_STATUS_IS_OK(result)) {
continue;
}
privs.count++;
set = TALLOC_REALLOC_ARRAY(mem_ctx, set,
struct lsa_LUIDAttribute,
privs.count);
if (!set) {
return NT_STATUS_NO_MEMORY;
}
set[privs.count-1].luid = luid;
set[privs.count-1].attribute = 0;
}
privs.set = set;
result = rpccli_lsa_RemovePrivilegesFromAccount(cli, mem_ctx,
&user_pol,
false,
&privs);
if (!NT_STATUS_IS_OK(result)) {
goto done;
}
rpccli_lsa_Close(cli, mem_ctx, &user_pol);
rpccli_lsa_Close(cli, mem_ctx, &dom_pol);
done:
return result;
}
static NTSTATUS rpc_rights_revoke_internal(struct net_context *c,
const DOM_SID *domain_sid,
const char *domain_name,
struct cli_state *cli,
struct rpc_pipe_client *pipe_hnd,
TALLOC_CTX *mem_ctx,
int argc,
const char **argv )
{
struct policy_handle dom_pol;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
struct lsa_RightSet rights;
DOM_SID sid;
int i;
if (argc < 2 ) {
d_printf(_("Usage: net rpc rights revoke <name|SID> "
"<rights...>\n"));
return NT_STATUS_OK;
}
result = name_to_sid(pipe_hnd, mem_ctx, &sid, argv[0]);
if (!NT_STATUS_IS_OK(result))
return result;
result = rpccli_lsa_open_policy2(pipe_hnd, mem_ctx, true,
SEC_FLAG_MAXIMUM_ALLOWED,
&dom_pol);
if (!NT_STATUS_IS_OK(result))
return result;
rights.count = argc-1;
rights.names = TALLOC_ARRAY(mem_ctx, struct lsa_StringLarge,
rights.count);
if (!rights.names) {
return NT_STATUS_NO_MEMORY;
}
for (i=0; i<argc-1; i++) {
init_lsa_StringLarge(&rights.names[i], argv[i+1]);
}
result = rpccli_lsa_RemoveAccountRights(pipe_hnd, mem_ctx,
&dom_pol,
&sid,
false,
&rights);
if (!NT_STATUS_IS_OK(result))
goto done;
d_printf(_("Successfully revoked rights.\n"));
done:
if ( !NT_STATUS_IS_OK(result) ) {
d_fprintf(stderr,_("Failed to revoke privileges for %s (%s)\n"),
argv[0], nt_errstr(result));
}
rpccli_lsa_Close(pipe_hnd, mem_ctx, &dom_pol);
return result;
}
static NTSTATUS cmd_lsa_query_secret(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx, int argc,
const char **argv)
{
NTSTATUS status;
struct policy_handle handle, sec_handle;
struct lsa_String name;
struct lsa_DATA_BUF_PTR new_val;
NTTIME new_mtime = 0;
struct lsa_DATA_BUF_PTR old_val;
NTTIME old_mtime = 0;
DATA_BLOB session_key;
DATA_BLOB new_blob = data_blob_null;
DATA_BLOB old_blob = data_blob_null;
char *new_secret, *old_secret;
if (argc < 2) {
printf("Usage: %s name\n", argv[0]);
return NT_STATUS_OK;
}
status = rpccli_lsa_open_policy2(cli, mem_ctx,
true,
SEC_FLAG_MAXIMUM_ALLOWED,
&handle);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
init_lsa_String(&name, argv[1]);
status = rpccli_lsa_OpenSecret(cli, mem_ctx,
&handle,
name,
SEC_FLAG_MAXIMUM_ALLOWED,
&sec_handle);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
ZERO_STRUCT(new_val);
ZERO_STRUCT(old_val);
status = rpccli_lsa_QuerySecret(cli, mem_ctx,
&sec_handle,
&new_val,
&new_mtime,
&old_val,
&old_mtime);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
status = cli_get_session_key(mem_ctx, cli, &session_key);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
if (new_val.buf) {
new_blob = data_blob_const(new_val.buf->data, new_val.buf->length);
}
if (old_val.buf) {
old_blob = data_blob_const(old_val.buf->data, old_val.buf->length);
}
new_secret = sess_decrypt_string(mem_ctx, &new_blob, &session_key);
old_secret = sess_decrypt_string(mem_ctx, &old_blob, &session_key);
if (new_secret) {
d_printf("new secret: %s\n", new_secret);
}
if (old_secret) {
d_printf("old secret: %s\n", old_secret);
}
done:
if (is_valid_policy_hnd(&sec_handle)) {
rpccli_lsa_Close(cli, mem_ctx, &sec_handle);
}
if (is_valid_policy_hnd(&handle)) {
rpccli_lsa_Close(cli, mem_ctx, &handle);
}
return status;
}
static NTSTATUS rpc_rights_list_internal(struct net_context *c,
const DOM_SID *domain_sid,
const char *domain_name,
struct cli_state *cli,
struct rpc_pipe_client *pipe_hnd,
TALLOC_CTX *mem_ctx,
int argc,
const char **argv )
{
struct policy_handle pol;
NTSTATUS result;
DOM_SID sid;
fstring privname;
struct lsa_String lsa_name;
struct lsa_StringLarge *description = NULL;
uint16 lang_id = 0;
uint16 lang_id_sys = 0;
uint16 lang_id_desc;
result = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true,
SEC_FLAG_MAXIMUM_ALLOWED, &pol);
if ( !NT_STATUS_IS_OK(result) )
return result;
/* backwards compatibility; just list available privileges if no arguement */
if (argc == 0) {
result = enum_privileges(pipe_hnd, mem_ctx, &pol );
goto done;
}
if (strequal(argv[0], "privileges")) {
int i = 1;
if (argv[1] == NULL) {
result = enum_privileges(pipe_hnd, mem_ctx, &pol );
goto done;
}
while ( argv[i] != NULL ) {
fstrcpy(privname, argv[i]);
init_lsa_String(&lsa_name, argv[i]);
i++;
/* verify that this is a valid privilege for error reporting */
result = rpccli_lsa_LookupPrivDisplayName(pipe_hnd, mem_ctx,
&pol,
&lsa_name,
lang_id,
lang_id_sys,
&description,
&lang_id_desc);
if ( !NT_STATUS_IS_OK(result) ) {
if ( NT_STATUS_EQUAL( result, NT_STATUS_NO_SUCH_PRIVILEGE ) )
d_fprintf(stderr, _("No such privilege "
"exists: %s.\n"), privname);
else
d_fprintf(stderr, _("Error resolving "
"privilege display name "
"[%s].\n"),
nt_errstr(result));
continue;
}
result = enum_accounts_for_privilege(pipe_hnd, mem_ctx, &pol, privname);
if (!NT_STATUS_IS_OK(result)) {
d_fprintf(stderr, _("Error enumerating "
"accounts for privilege %s [%s].\n"),
privname, nt_errstr(result));
continue;
}
}
goto done;
}
/* special case to enumerate all privileged SIDs with associated rights */
if (strequal( argv[0], "accounts")) {
int i = 1;
if (argv[1] == NULL) {
result = enum_privileges_for_accounts(pipe_hnd, mem_ctx, &pol);
goto done;
}
while (argv[i] != NULL) {
result = name_to_sid(pipe_hnd, mem_ctx, &sid, argv[i]);
if (!NT_STATUS_IS_OK(result)) {
goto done;
}
result = enum_privileges_for_user(pipe_hnd, mem_ctx, &pol, &sid);
if (!NT_STATUS_IS_OK(result)) {
goto done;
}
i++;
}
goto done;
}
/* backward comaptibility: if no keyword provided, treat the key
as an account name */
if (argc > 1) {
d_printf(_("Usage: net rpc rights list [[accounts|privileges] "
"[name|SID]]\n"));
result = NT_STATUS_OK;
goto done;
}
result = name_to_sid(pipe_hnd, mem_ctx, &sid, argv[0]);
if (!NT_STATUS_IS_OK(result)) {
goto done;
}
result = enum_privileges_for_user(pipe_hnd, mem_ctx, &pol, &sid );
done:
rpccli_lsa_Close(pipe_hnd, mem_ctx, &pol);
return result;
}
static NTSTATUS cmd_lsa_delete_trusted_domain(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx, int argc,
const char **argv)
{
NTSTATUS status;
struct policy_handle handle, trustdom_handle;
struct lsa_String name;
struct dom_sid *sid = NULL;
if (argc < 2) {
printf("Usage: %s name\n", argv[0]);
return NT_STATUS_OK;
}
status = rpccli_lsa_open_policy2(cli, mem_ctx,
true,
SEC_FLAG_MAXIMUM_ALLOWED,
&handle);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
init_lsa_String(&name, argv[1]);
status = rpccli_lsa_OpenTrustedDomainByName(cli, mem_ctx,
&handle,
name,
SEC_FLAG_MAXIMUM_ALLOWED,
&trustdom_handle);
if (NT_STATUS_IS_OK(status)) {
goto delete_object;
}
{
uint32_t resume_handle = 0;
struct lsa_DomainList domains;
int i;
status = rpccli_lsa_EnumTrustDom(cli, mem_ctx,
&handle,
&resume_handle,
&domains,
0xffff);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
for (i=0; i < domains.count; i++) {
if (strequal(domains.domains[i].name.string, argv[1])) {
sid = domains.domains[i].sid;
break;
}
}
if (!sid) {
return NT_STATUS_INVALID_SID;
}
}
status = rpccli_lsa_OpenTrustedDomain(cli, mem_ctx,
&handle,
sid,
SEC_FLAG_MAXIMUM_ALLOWED,
&trustdom_handle);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
delete_object:
status = rpccli_lsa_DeleteObject(cli, mem_ctx,
&trustdom_handle);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
done:
if (is_valid_policy_hnd(&trustdom_handle)) {
rpccli_lsa_Close(cli, mem_ctx, &trustdom_handle);
}
if (is_valid_policy_hnd(&handle)) {
rpccli_lsa_Close(cli, mem_ctx, &handle);
}
return status;
}
static NTSTATUS cmd_lsa_lookup_sids(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
int argc, const char **argv)
{
struct policy_handle pol;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
DOM_SID *sids;
char **domains;
char **names;
enum lsa_SidType *types;
int i;
if (argc == 1) {
printf("Usage: %s [sid1 [sid2 [...]]]\n", argv[0]);
return NT_STATUS_OK;
}
result = rpccli_lsa_open_policy(cli, mem_ctx, True,
SEC_FLAG_MAXIMUM_ALLOWED,
&pol);
if (!NT_STATUS_IS_OK(result))
goto done;
/* Convert arguments to sids */
sids = TALLOC_ARRAY(mem_ctx, DOM_SID, argc - 1);
if (!sids) {
printf("could not allocate memory for %d sids\n", argc - 1);
goto done;
}
for (i = 0; i < argc - 1; i++)
if (!string_to_sid(&sids[i], argv[i + 1])) {
result = NT_STATUS_INVALID_SID;
goto done;
}
/* Lookup the SIDs */
result = rpccli_lsa_lookup_sids(cli, mem_ctx, &pol, argc - 1, sids,
&domains, &names, &types);
if (!NT_STATUS_IS_OK(result) && NT_STATUS_V(result) !=
NT_STATUS_V(STATUS_SOME_UNMAPPED))
goto done;
result = NT_STATUS_OK;
/* Print results */
for (i = 0; i < (argc - 1); i++) {
fstring sid_str;
sid_to_fstring(sid_str, &sids[i]);
printf("%s %s\\%s (%d)\n", sid_str,
domains[i] ? domains[i] : "*unknown*",
names[i] ? names[i] : "*unknown*", types[i]);
}
rpccli_lsa_Close(cli, mem_ctx, &pol);
done:
return result;
}
static NTSTATUS cmd_lsa_enum_trust_dom(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx, int argc,
const char **argv)
{
struct policy_handle pol;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
struct lsa_DomainList domain_list;
/* defaults, but may be changed using params */
uint32 enum_ctx = 0;
int i;
uint32_t max_size = (uint32_t)-1;
if (argc > 2) {
printf("Usage: %s [enum context (0)]\n", argv[0]);
return NT_STATUS_OK;
}
if (argc == 2 && argv[1]) {
enum_ctx = atoi(argv[2]);
}
result = rpccli_lsa_open_policy(cli, mem_ctx, True,
LSA_POLICY_VIEW_LOCAL_INFORMATION,
&pol);
if (!NT_STATUS_IS_OK(result))
goto done;
result = STATUS_MORE_ENTRIES;
while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES)) {
/* Lookup list of trusted domains */
result = rpccli_lsa_EnumTrustDom(cli, mem_ctx,
&pol,
&enum_ctx,
&domain_list,
max_size);
if (!NT_STATUS_IS_OK(result) &&
!NT_STATUS_EQUAL(result, NT_STATUS_NO_MORE_ENTRIES) &&
!NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES))
goto done;
/* Print results: list of names and sids returned in this
* response. */
for (i = 0; i < domain_list.count; i++) {
fstring sid_str;
sid_to_fstring(sid_str, domain_list.domains[i].sid);
printf("%s %s\n",
domain_list.domains[i].name.string ?
domain_list.domains[i].name.string : "*unknown*",
sid_str);
}
}
rpccli_lsa_Close(cli, mem_ctx, &pol);
done:
return result;
}
