static NTSTATUS name_to_sid(struct rpc_pipe_client *pipe_hnd,
			    TALLOC_CTX *mem_ctx,
			    struct dom_sid *sid, const char *name)
{
	struct policy_handle pol;
	enum lsa_SidType *sid_types;
	NTSTATUS status, result;
	struct dom_sid *sids;
	struct dcerpc_binding_handle *b = pipe_hnd->binding_handle;

	/* maybe its a raw SID */
	if ( strncmp(name, "S-", 2) == 0 && string_to_sid(sid, name) ) {
		return NT_STATUS_OK;
	}

	status = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true,
		SEC_FLAG_MAXIMUM_ALLOWED, &pol);

	if ( !NT_STATUS_IS_OK(status) )
		return status;

	status = rpccli_lsa_lookup_names(pipe_hnd, mem_ctx, &pol, 1, &name,
					 NULL, 1, &sids, &sid_types);

	if ( NT_STATUS_IS_OK(status) )
		sid_copy( sid, &sids[0] );

	dcerpc_lsa_Close(b, mem_ctx, &pol, &result);
	return status;
}
static NTSTATUS sid_to_name(struct rpc_pipe_client *pipe_hnd,
				TALLOC_CTX *mem_ctx,
				struct dom_sid *sid,
				fstring name)
{
	struct policy_handle pol;
	enum lsa_SidType *sid_types = NULL;
	NTSTATUS status, result;
	char **domains = NULL, **names = NULL;
	struct dcerpc_binding_handle *b = pipe_hnd->binding_handle;

	status = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true,
		SEC_FLAG_MAXIMUM_ALLOWED, &pol);

	if ( !NT_STATUS_IS_OK(status) )
		return status;

	status = rpccli_lsa_lookup_sids(pipe_hnd, mem_ctx, &pol, 1, sid, &domains, &names, &sid_types);

	if ( NT_STATUS_IS_OK(status) ) {
		if ( *domains[0] )
			fstr_sprintf( name, "%s\\%s", domains[0], names[0] );
		else
			fstrcpy( name, names[0] );
	}

	dcerpc_lsa_Close(b, mem_ctx, &pol, &result);
	return status;
}
Exemple #3
0
/* convert a single name to a sid in a domain */
static NTSTATUS sam_name_to_sid(struct winbindd_domain *domain,
				   TALLOC_CTX *mem_ctx,
				   const char *domain_name,
				   const char *name,
				   uint32_t flags,
				   struct dom_sid *psid,
				   enum lsa_SidType *ptype)
{
	struct rpc_pipe_client *lsa_pipe;
	struct policy_handle lsa_policy;
	struct dom_sid sid;
	enum lsa_SidType type;
	TALLOC_CTX *tmp_ctx;
	NTSTATUS status, result;
	struct dcerpc_binding_handle *b = NULL;

	DEBUG(3,("sam_name_to_sid\n"));

	ZERO_STRUCT(lsa_policy);

	tmp_ctx = talloc_stackframe();
	if (tmp_ctx == NULL) {
		return NT_STATUS_NO_MEMORY;
	}

	status = open_internal_lsa_conn(tmp_ctx, &lsa_pipe, &lsa_policy);
	if (!NT_STATUS_IS_OK(status)) {
		goto done;
	}

	b = lsa_pipe->binding_handle;

	status = rpc_name_to_sid(tmp_ctx,
				 lsa_pipe,
				 &lsa_policy,
				 domain_name,
				 name,
				 flags,
				 &sid,
				 &type);
	if (!NT_STATUS_IS_OK(status)) {
		goto done;
	}

	if (psid) {
		sid_copy(psid, &sid);
	}
	if (ptype) {
		*ptype = type;
	}

done:
	if (b && is_valid_policy_hnd(&lsa_policy)) {
		dcerpc_lsa_Close(b, mem_ctx, &lsa_policy, &result);
	}

	TALLOC_FREE(tmp_ctx);
	return status;
}
Exemple #4
0
/* get a list of trusted domains - builtin domain */
static NTSTATUS sam_trusted_domains(struct winbindd_domain *domain,
				    TALLOC_CTX *mem_ctx,
				    struct netr_DomainTrustList *ptrust_list)
{
	struct rpc_pipe_client *lsa_pipe;
	struct policy_handle lsa_policy;
	struct netr_DomainTrust *trusts = NULL;
	uint32_t num_trusts = 0;
	TALLOC_CTX *tmp_ctx;
	NTSTATUS status, result;
	struct dcerpc_binding_handle *b = NULL;

	DEBUG(3,("samr: trusted domains\n"));

	ZERO_STRUCT(lsa_policy);

	if (ptrust_list) {
		ZERO_STRUCTP(ptrust_list);
	}

	tmp_ctx = talloc_stackframe();
	if (tmp_ctx == NULL) {
		return NT_STATUS_NO_MEMORY;
	}

	status = open_internal_lsa_conn(tmp_ctx, &lsa_pipe, &lsa_policy);
	if (!NT_STATUS_IS_OK(status)) {
		goto done;
	}

	b = lsa_pipe->binding_handle;

	status = rpc_trusted_domains(tmp_ctx,
				     lsa_pipe,
				     &lsa_policy,
				     &num_trusts,
				     &trusts);
	if (!NT_STATUS_IS_OK(status)) {
		goto done;
	}

	if (ptrust_list) {
		ptrust_list->count = num_trusts;
		ptrust_list->array = talloc_move(mem_ctx, &trusts);
	}

done:
	if (b && is_valid_policy_hnd(&lsa_policy)) {
		dcerpc_lsa_Close(b, mem_ctx, &lsa_policy, &result);
	}

	TALLOC_FREE(tmp_ctx);
	return status;
}
BOOL torture_domain_open_lsa(struct torture_context *torture)
{
	NTSTATUS status;
	BOOL ret = True;
	struct libnet_context *ctx;
	struct libnet_DomainOpen r;
	struct lsa_Close close;
	struct dcerpc_binding *binding;
	struct policy_handle h;
	const char *bindstr;
	
	bindstr = torture_setting_string(torture, "binding", NULL);
	status = dcerpc_parse_binding(torture, bindstr, &binding);
	if (!NT_STATUS_IS_OK(status)) {
		d_printf("failed to parse binding string\n");
		return False;
	}

	ctx = libnet_context_init(NULL);
	if (ctx == NULL) {
		d_printf("failed to create libnet context\n");
		return False;
	}

	ctx->cred = cmdline_credentials;

	ZERO_STRUCT(r);
	r.in.type = DOMAIN_LSA;
	r.in.domain_name = binding->host;
	r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;

	status = libnet_DomainOpen(ctx, torture, &r);
	if (!NT_STATUS_IS_OK(status)) {
		d_printf("failed to open domain on lsa service: %s\n", nt_errstr(status));
		ret = False;
		goto done;
	}

	ZERO_STRUCT(close);
	close.in.handle  = &ctx->lsa.handle;
	close.out.handle = &h;
	
	status = dcerpc_lsa_Close(ctx->lsa.pipe, ctx, &close);
	if (!NT_STATUS_IS_OK(status)) {
		d_printf("failed to close domain on lsa service: %s\n", nt_errstr(status));
		ret = False;
	}

done:
	talloc_free(ctx);
	return ret;
}
BOOL torture_domain_open_lsa(struct torture_context *torture)
{
	NTSTATUS status;
	BOOL ret = True;
	struct libnet_context *ctx;
	struct libnet_DomainOpen r;
	struct lsa_Close lsa_close;
	struct policy_handle h;
	const char *domain_name;

	/* we're accessing domain controller so the domain name should be
	   passed (it's going to be resolved to dc name and address) instead
	   of specific server name. */
	domain_name = lp_workgroup();

	ctx = libnet_context_init(NULL);
	if (ctx == NULL) {
		d_printf("failed to create libnet context\n");
		return False;
	}

	ctx->cred = cmdline_credentials;

	ZERO_STRUCT(r);
	r.in.type = DOMAIN_LSA;
	r.in.domain_name = domain_name;
	r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;

	status = libnet_DomainOpen(ctx, torture, &r);
	if (!NT_STATUS_IS_OK(status)) {
		d_printf("failed to open domain on lsa service: %s\n", nt_errstr(status));
		ret = False;
		goto done;
	}

	ZERO_STRUCT(lsa_close);
	lsa_close.in.handle  = &ctx->lsa.handle;
	lsa_close.out.handle = &h;
	
	status = dcerpc_lsa_Close(ctx->lsa.pipe, ctx, &lsa_close);
	if (!NT_STATUS_IS_OK(status)) {
		d_printf("failed to close domain on lsa service: %s\n", nt_errstr(status));
		ret = False;
	}

done:
	talloc_free(ctx);
	return ret;
}
static NTSTATUS close_handle(TALLOC_CTX *mem_ctx,
			     struct dcerpc_binding_handle *bind_hnd,
			     struct policy_handle *pol_hnd)
{
	NTSTATUS status;
	NTSTATUS result;

	status = dcerpc_lsa_Close(bind_hnd, mem_ctx, pol_hnd, &result);
	if (!NT_STATUS_IS_OK(status)) {
		DEBUG(0, ("dcerpc_lsa_Close failed with error [%s].\n",
			  nt_errstr(status)));
		return status;
	}
	if (!NT_STATUS_IS_OK(result)) {
		DEBUG(0, ("lsa close failed with error [%s].\n",
			  nt_errstr(result)));
		return result;
	}

	return NT_STATUS_OK;
}
int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
{

	/* libsmb variables */

	struct cli_state *cli;
	TALLOC_CTX *mem_ctx;
        uint32 acb_info = ACB_WSTRUST;
	uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
	enum netr_SchannelType sec_channel_type;
	struct rpc_pipe_client *pipe_hnd = NULL;
	struct dcerpc_binding_handle *b = NULL;

	/* rpc variables */

	struct policy_handle lsa_pol, sam_pol, domain_pol, user_pol;
	struct dom_sid *domain_sid;
	uint32 user_rid;

	/* Password stuff */

	char *clear_trust_password = NULL;
	struct samr_CryptPassword crypt_pwd;
	uchar md4_trust_password[16];
	union samr_UserInfo set_info;

	/* Misc */

	NTSTATUS status, result;
	int retval = 1;
	const char *domain = NULL;
	char *acct_name;
	struct lsa_String lsa_acct_name;
	uint32 acct_flags=0;
	uint32_t access_granted = 0;
	union lsa_PolicyInformation *info = NULL;
	struct samr_Ids user_rids;
	struct samr_Ids name_types;


	/* check what type of join */
	if (argc >= 0) {
		sec_channel_type = get_sec_channel_type(argv[0]);
	} else {
		sec_channel_type = get_sec_channel_type(NULL);
	}

	switch (sec_channel_type) {
	case SEC_CHAN_WKSTA:
		acb_info = ACB_WSTRUST;
		break;
	case SEC_CHAN_BDC:
		acb_info = ACB_SVRTRUST;
		break;
#if 0
	case SEC_CHAN_DOMAIN:
		acb_info = ACB_DOMTRUST;
		break;
#endif
	default:
		DEBUG(0,("secure channel type %d not yet supported\n",
			sec_channel_type));
		break;
	}

	/* Make authenticated connection to remote machine */

	status = net_make_ipc_connection(c, NET_FLAGS_PDC, &cli);
	if (!NT_STATUS_IS_OK(status)) {
		return 1;
	}

	if (!(mem_ctx = talloc_init("net_rpc_join_newstyle"))) {
		DEBUG(0, ("Could not initialise talloc context\n"));
		goto done;
	}

	/* Fetch domain sid */

	status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
					  &pipe_hnd);
	if (!NT_STATUS_IS_OK(status)) {
		DEBUG(0, ("Error connecting to LSA pipe. Error was %s\n",
			nt_errstr(status) ));
		goto done;
	}

	b = pipe_hnd->binding_handle;

	CHECK_RPC_ERR(rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true,
					  SEC_FLAG_MAXIMUM_ALLOWED,
					  &lsa_pol),
		      "error opening lsa policy handle");

	CHECK_DCERPC_ERR(dcerpc_lsa_QueryInfoPolicy(b, mem_ctx,
						    &lsa_pol,
						    LSA_POLICY_INFO_ACCOUNT_DOMAIN,
						    &info,
						    &result),
		      "error querying info policy");

	domain = info->account_domain.name.string;
	domain_sid = info->account_domain.sid;

	dcerpc_lsa_Close(b, mem_ctx, &lsa_pol, &result);
	TALLOC_FREE(pipe_hnd); /* Done with this pipe */

	/* Bail out if domain didn't get set. */
	if (!domain) {
		DEBUG(0, ("Could not get domain name.\n"));
		goto done;
	}

	/* Create domain user */
	status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr.syntax_id,
					  &pipe_hnd);
	if (!NT_STATUS_IS_OK(status)) {
		DEBUG(0, ("Error connecting to SAM pipe. Error was %s\n",
			nt_errstr(status) ));
		goto done;
	}

	b = pipe_hnd->binding_handle;

	CHECK_DCERPC_ERR(dcerpc_samr_Connect2(b, mem_ctx,
					      pipe_hnd->desthost,
					      SAMR_ACCESS_ENUM_DOMAINS
					      | SAMR_ACCESS_LOOKUP_DOMAIN,
					      &sam_pol,
					      &result),
		      "could not connect to SAM database");


	CHECK_DCERPC_ERR(dcerpc_samr_OpenDomain(b, mem_ctx,
						&sam_pol,
						SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1
						| SAMR_DOMAIN_ACCESS_CREATE_USER
						| SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
						domain_sid,
						&domain_pol,
						&result),
		      "could not open domain");

	/* Create domain user */
	if ((acct_name = talloc_asprintf(mem_ctx, "%s$", global_myname())) == NULL) {
		status = NT_STATUS_NO_MEMORY;
		goto done;
	}
	strlower_m(acct_name);

	init_lsa_String(&lsa_acct_name, acct_name);

	acct_flags = SEC_GENERIC_READ | SEC_GENERIC_WRITE | SEC_GENERIC_EXECUTE |
		     SEC_STD_WRITE_DAC | SEC_STD_DELETE |
		     SAMR_USER_ACCESS_SET_PASSWORD |
		     SAMR_USER_ACCESS_GET_ATTRIBUTES |
		     SAMR_USER_ACCESS_SET_ATTRIBUTES;

	DEBUG(10, ("Creating account with flags: %d\n",acct_flags));

	status = dcerpc_samr_CreateUser2(b, mem_ctx,
					 &domain_pol,
					 &lsa_acct_name,
					 acb_info,
					 acct_flags,
					 &user_pol,
					 &access_granted,
					 &user_rid,
					 &result);
	if (!NT_STATUS_IS_OK(status)) {
		goto done;
	}
	if (!NT_STATUS_IS_OK(result) &&
	    !NT_STATUS_EQUAL(result, NT_STATUS_USER_EXISTS)) {
		status = result;
		d_fprintf(stderr,_("Creation of workstation account failed\n"));

		/* If NT_STATUS_ACCESS_DENIED then we have a valid
		   username/password combo but the user does not have
		   administrator access. */

		if (NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_ACCESS_DENIED))
			d_fprintf(stderr, _("User specified does not have "
					    "administrator privileges\n"));

		goto done;
	}

	/* We *must* do this.... don't ask... */

	if (NT_STATUS_IS_OK(result)) {
		dcerpc_samr_Close(b, mem_ctx, &user_pol, &result);
	}

	CHECK_DCERPC_ERR_DEBUG(dcerpc_samr_LookupNames(b, mem_ctx,
						       &domain_pol,
						       1,
						       &lsa_acct_name,
						       &user_rids,
						       &name_types,
						       &result),
			    ("error looking up rid for user %s: %s/%s\n",
			     acct_name, nt_errstr(status), nt_errstr(result)));

	if (user_rids.count != 1) {
		status = NT_STATUS_INVALID_NETWORK_RESPONSE;
		goto done;
	}
	if (name_types.count != 1) {
		status = NT_STATUS_INVALID_NETWORK_RESPONSE;
		goto done;
	}

	if (name_types.ids[0] != SID_NAME_USER) {
		DEBUG(0, ("%s is not a user account (type=%d)\n", acct_name, name_types.ids[0]));
		goto done;
	}

	user_rid = user_rids.ids[0];

	/* Open handle on user */

	CHECK_DCERPC_ERR_DEBUG(
		dcerpc_samr_OpenUser(b, mem_ctx,
				     &domain_pol,
				     SEC_FLAG_MAXIMUM_ALLOWED,
				     user_rid,
				     &user_pol,
				     &result),
		("could not re-open existing user %s: %s/%s\n",
		 acct_name, nt_errstr(status), nt_errstr(result)));
	
	/* Create a random machine account password */

	clear_trust_password = generate_random_str(talloc_tos(), DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
	E_md4hash(clear_trust_password, md4_trust_password);

	/* Set password on machine account */

	init_samr_CryptPassword(clear_trust_password,
				&cli->user_session_key,
				&crypt_pwd);

	set_info.info24.password = crypt_pwd;
	set_info.info24.password_expired = PASS_DONT_CHANGE_AT_NEXT_LOGON;

	CHECK_DCERPC_ERR(dcerpc_samr_SetUserInfo2(b, mem_ctx,
						  &user_pol,
						  24,
						  &set_info,
						  &result),
		      "error setting trust account password");

	/* Why do we have to try to (re-)set the ACB to be the same as what
	   we passed in the samr_create_dom_user() call?  When a NT
	   workstation is joined to a domain by an administrator the
	   acb_info is set to 0x80.  For a normal user with "Add
	   workstations to the domain" rights the acb_info is 0x84.  I'm
	   not sure whether it is supposed to make a difference or not.  NT
	   seems to cope with either value so don't bomb out if the set
	   userinfo2 level 0x10 fails.  -tpot */

	set_info.info16.acct_flags = acb_info;

	/* Ignoring the return value is necessary for joining a domain
	   as a normal user with "Add workstation to domain" privilege. */

	status = dcerpc_samr_SetUserInfo(b, mem_ctx,
					 &user_pol,
					 16,
					 &set_info,
					 &result);

	dcerpc_samr_Close(b, mem_ctx, &user_pol, &result);
	TALLOC_FREE(pipe_hnd); /* Done with this pipe */

	/* Now check the whole process from top-to-bottom */

	status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon.syntax_id,
					  &pipe_hnd);
	if (!NT_STATUS_IS_OK(status)) {
		DEBUG(0,("Error connecting to NETLOGON pipe. Error was %s\n",
			nt_errstr(status) ));
		goto done;
	}

	status = rpccli_netlogon_setup_creds(pipe_hnd,
					cli->desthost, /* server name */
					domain,        /* domain */
					global_myname(), /* client name */
					global_myname(), /* machine account name */
                                        md4_trust_password,
                                        sec_channel_type,
                                        &neg_flags);

	if (!NT_STATUS_IS_OK(status)) {
		DEBUG(0, ("Error in domain join verification (credential setup failed): %s\n\n",
			  nt_errstr(status)));

		if ( NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) &&
		     (sec_channel_type == SEC_CHAN_BDC) ) {
			d_fprintf(stderr, _("Please make sure that no computer "
					    "account\nnamed like this machine "
					    "(%s) exists in the domain\n"),
				 global_myname());
		}

		goto done;
	}

	/* We can only check the schannel connection if the client is allowed
	   to do this and the server supports it. If not, just assume success
	   (after all the rpccli_netlogon_setup_creds() succeeded, and we'll
	   do the same again (setup creds) in net_rpc_join_ok(). JRA. */

	if (lp_client_schannel() && (neg_flags & NETLOGON_NEG_SCHANNEL)) {
		struct rpc_pipe_client *netlogon_schannel_pipe;

		status = cli_rpc_pipe_open_schannel_with_key(
			cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
			DCERPC_AUTH_LEVEL_PRIVACY, domain, &pipe_hnd->dc,
			&netlogon_schannel_pipe);

		if (!NT_STATUS_IS_OK(status)) {
			DEBUG(0, ("Error in domain join verification (schannel setup failed): %s\n\n",
				  nt_errstr(status)));

			if ( NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) &&
			     (sec_channel_type == SEC_CHAN_BDC) ) {
				d_fprintf(stderr, _("Please make sure that no "
						    "computer account\nnamed "
						    "like this machine (%s) "
						    "exists in the domain\n"),
					 global_myname());
			}

			goto done;
		}
		TALLOC_FREE(netlogon_schannel_pipe);
	}

	TALLOC_FREE(pipe_hnd);

	/* Now store the secret in the secrets database */

	strupper_m(CONST_DISCARD(char *, domain));

	if (!secrets_store_domain_sid(domain, domain_sid)) {
		DEBUG(0, ("error storing domain sid for %s\n", domain));
		goto done;
	}

	if (!secrets_store_machine_password(clear_trust_password, domain, sec_channel_type)) {
		DEBUG(0, ("error storing plaintext domain secrets for %s\n", domain));
	}

	/* double-check, connection from scratch */
	status = net_rpc_join_ok(c, domain, cli->desthost, &cli->dest_ss);
	retval = NT_STATUS_IS_OK(status) ? 0 : -1;

done:

	/* Display success or failure */

	if (domain) {
		if (retval != 0) {
			fprintf(stderr,_("Unable to join domain %s.\n"),domain);
		} else {
			printf(_("Joined domain %s.\n"),domain);
		}
	}

	cli_shutdown(cli);

	TALLOC_FREE(clear_trust_password);

	return retval;
}
Exemple #9
0
static NTSTATUS net_scan_dc_noad(struct net_context *c,
				 struct cli_state *cli,
				 struct net_dc_info *dc_info)
{
	TALLOC_CTX *mem_ctx = talloc_tos();
	struct rpc_pipe_client *pipe_hnd = NULL;
	struct dcerpc_binding_handle *b;
	NTSTATUS status, result;
	struct policy_handle pol;
	union lsa_PolicyInformation *info;

	ZERO_STRUCTP(dc_info);
	ZERO_STRUCT(pol);

	status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
					  &pipe_hnd);
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	b = pipe_hnd->binding_handle;

	status = dcerpc_lsa_open_policy(b, mem_ctx,
					false,
					SEC_FLAG_MAXIMUM_ALLOWED,
					&pol,
					&result);
	if (!NT_STATUS_IS_OK(status)) {
		goto done;
	}
	if (!NT_STATUS_IS_OK(result)) {
		status = result;
		goto done;
	}

	status = dcerpc_lsa_QueryInfoPolicy(b, mem_ctx,
					    &pol,
					    LSA_POLICY_INFO_ACCOUNT_DOMAIN,
					    &info,
					    &result);
	if (!NT_STATUS_IS_OK(status)) {
		goto done;
	}
	if (!NT_STATUS_IS_OK(result)) {
		status = result;
		goto done;
	}

	dc_info->netbios_domain_name = talloc_strdup(mem_ctx, info->account_domain.name.string);
	if (dc_info->netbios_domain_name == NULL) {
		status = NT_STATUS_NO_MEMORY;
		goto done;
	}

 done:
	if (is_valid_policy_hnd(&pol)) {
		dcerpc_lsa_Close(b, mem_ctx, &pol, &result);
	}

	TALLOC_FREE(pipe_hnd);

	return status;
}
Exemple #10
0
NTSTATUS net_rpc_lookup_name(struct net_context *c,
			     TALLOC_CTX *mem_ctx, struct cli_state *cli,
			     const char *name, const char **ret_domain,
			     const char **ret_name, struct dom_sid *ret_sid,
			     enum lsa_SidType *ret_type)
{
	struct rpc_pipe_client *lsa_pipe = NULL;
	struct policy_handle pol;
	NTSTATUS status, result;
	const char **dom_names;
	struct dom_sid *sids;
	enum lsa_SidType *types;
	struct dcerpc_binding_handle *b;

	ZERO_STRUCT(pol);

	status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
					  &lsa_pipe);
	if (!NT_STATUS_IS_OK(status)) {
		d_fprintf(stderr, _("Could not initialise lsa pipe\n"));
		return status;
	}

	b = lsa_pipe->binding_handle;

	status = rpccli_lsa_open_policy(lsa_pipe, mem_ctx, false,
					SEC_FLAG_MAXIMUM_ALLOWED,
					&pol);
	if (!NT_STATUS_IS_OK(status)) {
		d_fprintf(stderr, "open_policy %s: %s\n", _("failed"),
			  nt_errstr(status));
		return status;
	}

	status = rpccli_lsa_lookup_names(lsa_pipe, mem_ctx, &pol, 1,
					 &name, &dom_names, 1, &sids, &types);

	if (!NT_STATUS_IS_OK(status)) {
		/* This can happen easily, don't log an error */
		goto done;
	}

	if (ret_domain != NULL) {
		*ret_domain = dom_names[0];
	}
	if (ret_name != NULL) {
		*ret_name = talloc_strdup(mem_ctx, name);
	}
	if (ret_sid != NULL) {
		sid_copy(ret_sid, &sids[0]);
	}
	if (ret_type != NULL) {
		*ret_type = types[0];
	}

 done:
	if (is_valid_policy_hnd(&pol)) {
		dcerpc_lsa_Close(b, mem_ctx, &pol, &result);
	}
	TALLOC_FREE(lsa_pipe);

	return status;
}
Exemple #11
0
static NTSTATUS sam_rids_to_names(struct winbindd_domain *domain,
				  TALLOC_CTX *mem_ctx,
				  const struct dom_sid *domain_sid,
				  uint32 *rids,
				  size_t num_rids,
				  char **pdomain_name,
				  char ***pnames,
				  enum lsa_SidType **ptypes)
{
	struct rpc_pipe_client *lsa_pipe;
	struct policy_handle lsa_policy;
	enum lsa_SidType *types = NULL;
	char *domain_name = NULL;
	char **names = NULL;
	TALLOC_CTX *tmp_ctx;
	NTSTATUS status, result;
	struct dcerpc_binding_handle *b = NULL;

	DEBUG(3,("sam_rids_to_names for %s\n", domain->name));

	ZERO_STRUCT(lsa_policy);

	/* Paranoia check */
	if (!sid_check_is_builtin(domain_sid) &&
	    !sid_check_is_domain(domain_sid) &&
	    !sid_check_is_unix_users(domain_sid) &&
	    !sid_check_is_unix_groups(domain_sid) &&
	    !sid_check_is_in_wellknown_domain(domain_sid)) {
		DEBUG(0, ("sam_rids_to_names: possible deadlock - trying to "
			  "lookup SID %s\n", sid_string_dbg(domain_sid)));
		return NT_STATUS_NONE_MAPPED;
	}

	tmp_ctx = talloc_stackframe();
	if (tmp_ctx == NULL) {
		return NT_STATUS_NO_MEMORY;
	}

	status = open_internal_lsa_conn(tmp_ctx, &lsa_pipe, &lsa_policy);
	if (!NT_STATUS_IS_OK(status)) {
		goto done;
	}

	b = lsa_pipe->binding_handle;

	status = rpc_rids_to_names(tmp_ctx,
				   lsa_pipe,
				   &lsa_policy,
				   domain,
				   domain_sid,
				   rids,
				   num_rids,
				   &domain_name,
				   &names,
				   &types);
	if (!NT_STATUS_IS_OK(status)) {
		goto done;
	}

	if (pdomain_name) {
		*pdomain_name = talloc_move(mem_ctx, &domain_name);
	}

	if (ptypes) {
		*ptypes = talloc_move(mem_ctx, &types);
	}

	if (pnames) {
		*pnames = talloc_move(mem_ctx, &names);
	}

done:
	if (b && is_valid_policy_hnd(&lsa_policy)) {
		dcerpc_lsa_Close(b, mem_ctx, &lsa_policy, &result);
	}

	TALLOC_FREE(tmp_ctx);
	return status;
}
Exemple #12
0
static bool test_handles_mixed_shared(struct torture_context *torture)
{
	NTSTATUS status;
	struct dcerpc_pipe *p1, *p2, *p3, *p4, *p5, *p6;
	struct policy_handle handle;
	struct policy_handle handle2;
	struct samr_Connect r;
	struct lsa_Close lc;
	struct samr_Close sc;
	TALLOC_CTX *mem_ctx = talloc_new(torture);
	enum dcerpc_transport_t transport;
	uint32_t assoc_group_id;

	torture_comment(torture, "RPC-HANDLE-MIXED-SHARED\n");

	if (lp_parm_bool(-1, "torture", "samba4", False)) {
		torture_comment(torture, "Mixed shared-policy-handle test against Samba4 - skipping\n");
		return true;
	}

	torture_comment(torture, "connect samr pipe1\n");
	status = torture_rpc_connection(mem_ctx, &p1, &dcerpc_table_samr);
	torture_assert_ntstatus_ok(torture, status, "opening samr pipe1");

	transport	= p1->conn->transport.transport,
	assoc_group_id	= p1->assoc_group_id;

	torture_comment(torture, "use assoc_group_id[0x%08X] for new connections\n", assoc_group_id);

	torture_comment(torture, "connect lsa pipe2\n");
	status = torture_rpc_connection_transport(mem_ctx, &p2, &dcerpc_table_lsarpc,
						  transport,
						  assoc_group_id);
	torture_assert_ntstatus_ok(torture, status, "opening lsa pipe2");

	r.in.system_name = 0;
	r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
	r.out.connect_handle = &handle;

	torture_comment(torture, "samr_Connect to open a policy handle on samr p1\n");
	status = dcerpc_samr_Connect(p1, mem_ctx, &r);
	torture_assert_ntstatus_ok(torture, status, "opening policy handle on p1");

	lc.in.handle 		= &handle;
	lc.out.handle		= &handle2;
	sc.in.handle		= &handle;
	sc.out.handle		= &handle2;

	torture_comment(torture, "use policy handle on lsa p2 - should fail\n");
	status = dcerpc_lsa_Close(p2, mem_ctx, &lc);
	torture_assert_ntstatus_equal(torture, status, NT_STATUS_NET_WRITE_FAULT, 
				      "closing handle on lsa p2");
	torture_assert_int_equal(torture, p2->last_fault_code, DCERPC_FAULT_CONTEXT_MISMATCH, 
				      "closing handle on lsa p2");

	torture_comment(torture, "closing policy handle on samr p1\n");
	status = dcerpc_samr_Close(p1, mem_ctx, &sc);
	torture_assert_ntstatus_ok(torture, status, "closing policy handle on p1");

	talloc_free(p1);
	talloc_free(p2);
	msleep(10);

	torture_comment(torture, "connect samr pipe3 - should fail\n");
	status = torture_rpc_connection_transport(mem_ctx, &p3, &dcerpc_table_samr,
						  transport,
						  assoc_group_id);
	torture_assert_ntstatus_equal(torture, status, NT_STATUS_UNSUCCESSFUL,
				      "opening samr pipe3");

	torture_comment(torture, "connect lsa pipe4 - should fail\n");
	status = torture_rpc_connection_transport(mem_ctx, &p4, &dcerpc_table_lsarpc,
						  transport,
						  assoc_group_id);
	torture_assert_ntstatus_equal(torture, status, NT_STATUS_UNSUCCESSFUL,
				      "opening lsa pipe4");

	torture_comment(torture, "connect samr pipe5 with assoc_group_id[0x%08X]- should fail\n", ++assoc_group_id);
	status = torture_rpc_connection_transport(mem_ctx, &p5, &dcerpc_table_samr,
						  transport,
						  assoc_group_id);
	torture_assert_ntstatus_equal(torture, status, NT_STATUS_UNSUCCESSFUL,
				      "opening samr pipe5");

	torture_comment(torture, "connect lsa pipe6 with assoc_group_id[0x%08X]- should fail\n", ++assoc_group_id);
	status = torture_rpc_connection_transport(mem_ctx, &p6, &dcerpc_table_lsarpc,
						  transport,
						  assoc_group_id);
	torture_assert_ntstatus_equal(torture, status, NT_STATUS_UNSUCCESSFUL,
				      "opening lsa pipe6");

	talloc_free(mem_ctx);

	return true;
}
Exemple #13
0
static bool test_handles_lsa(struct torture_context *torture)
{
	NTSTATUS status;
	struct dcerpc_pipe *p1, *p2;
	struct policy_handle handle;
	struct policy_handle handle2;
	struct lsa_ObjectAttribute attr;
	struct lsa_QosInfo qos;
	struct lsa_OpenPolicy r;
	struct lsa_Close c;
	uint16_t system_name = '\\';
	TALLOC_CTX *mem_ctx = talloc_new(torture);

	torture_comment(torture, "RPC-HANDLE-LSARPC\n");

	status = torture_rpc_connection(mem_ctx, &p1, &dcerpc_table_lsarpc);
	torture_assert_ntstatus_ok(torture, status, "opening lsa pipe1");

	status = torture_rpc_connection(mem_ctx, &p2, &dcerpc_table_lsarpc);
	torture_assert_ntstatus_ok(torture, status, "opening lsa pipe1");

	qos.len = 0;
	qos.impersonation_level = 2;
	qos.context_mode = 1;
	qos.effective_only = 0;

	attr.len = 0;
	attr.root_dir = NULL;
	attr.object_name = NULL;
	attr.attributes = 0;
	attr.sec_desc = NULL;
	attr.sec_qos = &qos;

	r.in.system_name = &system_name;
	r.in.attr = &attr;
	r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
	r.out.handle = &handle;

	status = dcerpc_lsa_OpenPolicy(p1, mem_ctx, &r);
	if (!NT_STATUS_IS_OK(status)) {
		torture_comment(torture, "lsa_OpenPolicy not supported - skipping\n");
		talloc_free(mem_ctx);
		return true;
	}

	c.in.handle = &handle;
	c.out.handle = &handle2;

	status = dcerpc_lsa_Close(p2, mem_ctx, &c);
	torture_assert_ntstatus_equal(torture, status, NT_STATUS_NET_WRITE_FAULT, 
				      "closing policy handle on p2");
	torture_assert_int_equal(torture, p2->last_fault_code, DCERPC_FAULT_CONTEXT_MISMATCH, 
				      "closing policy handle on p2");

	status = dcerpc_lsa_Close(p1, mem_ctx, &c);
	torture_assert_ntstatus_ok(torture, status, "closing policy handle on p1");

	status = dcerpc_lsa_Close(p1, mem_ctx, &c);
	torture_assert_ntstatus_equal(torture, status, NT_STATUS_NET_WRITE_FAULT, 
				      "closing policy handle on p1 again");
	torture_assert_int_equal(torture, p1->last_fault_code, DCERPC_FAULT_CONTEXT_MISMATCH, 
				      "closing policy handle on p1 again");
	
	talloc_free(mem_ctx);

	return true;
}
Exemple #14
0
static bool test_handles_lsa_shared(struct torture_context *torture)
{
	NTSTATUS status;
	struct dcerpc_pipe *p1, *p2, *p3, *p4, *p5;
	struct policy_handle handle;
	struct policy_handle handle2;
	struct lsa_ObjectAttribute attr;
	struct lsa_QosInfo qos;
	struct lsa_OpenPolicy r;
	struct lsa_Close c;
	struct lsa_QuerySecurity qsec;
	uint16_t system_name = '\\';
	TALLOC_CTX *mem_ctx = talloc_new(torture);
	enum dcerpc_transport_t transport;
	uint32_t assoc_group_id;

	torture_comment(torture, "RPC-HANDLE-LSARPC-SHARED\n");

	if (lp_parm_bool(-1, "torture", "samba4", False)) {
		torture_comment(torture, "LSA shared-policy-handle test against Samba4 - skipping\n");
		return true;
	}

	torture_comment(torture, "connect lsa pipe1\n");
	status = torture_rpc_connection(mem_ctx, &p1, &dcerpc_table_lsarpc);
	torture_assert_ntstatus_ok(torture, status, "opening lsa pipe1");

	transport	= p1->conn->transport.transport,
	assoc_group_id	= p1->assoc_group_id;

	torture_comment(torture, "use assoc_group_id[0x%08X] for new connections\n", assoc_group_id);

	torture_comment(torture, "connect lsa pipe2\n");
	status = torture_rpc_connection_transport(mem_ctx, &p2, &dcerpc_table_lsarpc,
						  transport,
						  assoc_group_id);
	torture_assert_ntstatus_ok(torture, status, "opening lsa pipe2");

	qos.len = 0;
	qos.impersonation_level = 2;
	qos.context_mode = 1;
	qos.effective_only = 0;

	attr.len = 0;
	attr.root_dir = NULL;
	attr.object_name = NULL;
	attr.attributes = 0;
	attr.sec_desc = NULL;
	attr.sec_qos = &qos;

	r.in.system_name = &system_name;
	r.in.attr = &attr;
	r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
	r.out.handle = &handle;

	torture_comment(torture, "open lsa policy handle\n");
	status = dcerpc_lsa_OpenPolicy(p1, mem_ctx, &r);
	if (!NT_STATUS_IS_OK(status)) {
		torture_comment(torture, "lsa_OpenPolicy not supported - skipping\n");
		talloc_free(mem_ctx);
		return true;
	}

	/*
	 * connect p3 after the policy handle is opened
	 */
	torture_comment(torture, "connect lsa pipe3 after the policy handle is opened\n");
	status = torture_rpc_connection_transport(mem_ctx, &p3, &dcerpc_table_lsarpc,
						  transport,
						  assoc_group_id);
	torture_assert_ntstatus_ok(torture, status, "opening lsa pipe3");

	qsec.in.handle 		= &handle;
	qsec.in.sec_info	= 0;
	c.in.handle = &handle;
	c.out.handle = &handle2;

	/*
	 * use policy handle on all 3 connections
	 */
	torture_comment(torture, "use the policy handle on p1,p2,p3\n");
	status = dcerpc_lsa_QuerySecurity(p1, mem_ctx, &qsec);
	torture_assert_ntstatus_equal(torture, status, NT_STATUS_OK, 
				      "use policy handle on p1");

	status = dcerpc_lsa_QuerySecurity(p2, mem_ctx, &qsec);
	torture_assert_ntstatus_equal(torture, status, NT_STATUS_OK, 
				      "use policy handle on p2");

	status = dcerpc_lsa_QuerySecurity(p3, mem_ctx, &qsec);
	torture_assert_ntstatus_equal(torture, status, NT_STATUS_OK, 
				      "use policy handle on p3");

	/*
	 * close policy handle on connection 2 and the others get a fault
	 */
	torture_comment(torture, "close the policy handle on p2 others get a fault\n");
	status = dcerpc_lsa_Close(p2, mem_ctx, &c);
	torture_assert_ntstatus_equal(torture, status, NT_STATUS_OK, 
				      "closing policy handle on p2");

	status = dcerpc_lsa_Close(p1, mem_ctx, &c);
	torture_assert_ntstatus_equal(torture, status, NT_STATUS_NET_WRITE_FAULT, 
				      "closing policy handle on p1 again");
	torture_assert_int_equal(torture, p1->last_fault_code, DCERPC_FAULT_CONTEXT_MISMATCH, 
				      "closing policy handle on p1 again");

	status = dcerpc_lsa_Close(p3, mem_ctx, &c);
	torture_assert_ntstatus_equal(torture, status, NT_STATUS_NET_WRITE_FAULT, 
				      "closing policy handle on p3");
	torture_assert_int_equal(torture, p1->last_fault_code, DCERPC_FAULT_CONTEXT_MISMATCH, 
				      "closing policy handle on p3");

	status = dcerpc_lsa_Close(p2, mem_ctx, &c);
	torture_assert_ntstatus_equal(torture, status, NT_STATUS_NET_WRITE_FAULT, 
				      "closing policy handle on p2 again");
	torture_assert_int_equal(torture, p1->last_fault_code, DCERPC_FAULT_CONTEXT_MISMATCH, 
				      "closing policy handle on p2 again");

	/*
	 * open a new policy handle on p3
	 */
	torture_comment(torture, "open a new policy handle on p3\n");
	status = dcerpc_lsa_OpenPolicy(p3, mem_ctx, &r);
	torture_assert_ntstatus_equal(torture, status, NT_STATUS_OK, 
				      "open policy handle on p3");

	/*
	 * use policy handle on all 3 connections
	 */
	torture_comment(torture, "use the policy handle on p1,p2,p3\n");
	status = dcerpc_lsa_QuerySecurity(p1, mem_ctx, &qsec);
	torture_assert_ntstatus_equal(torture, status, NT_STATUS_OK, 
				      "use policy handle on p1");

	status = dcerpc_lsa_QuerySecurity(p2, mem_ctx, &qsec);
	torture_assert_ntstatus_equal(torture, status, NT_STATUS_OK, 
				      "use policy handle on p2");

	status = dcerpc_lsa_QuerySecurity(p3, mem_ctx, &qsec);
	torture_assert_ntstatus_equal(torture, status, NT_STATUS_OK, 
				      "use policy handle on p3");

	/*
	 * close policy handle on connection 2 and the others get a fault
	 */
	torture_comment(torture, "close the policy handle on p2 others get a fault\n");
	status = dcerpc_lsa_Close(p2, mem_ctx, &c);
	torture_assert_ntstatus_equal(torture, status, NT_STATUS_OK, 
				      "closing policy handle on p2");

	status = dcerpc_lsa_Close(p1, mem_ctx, &c);
	torture_assert_ntstatus_equal(torture, status, NT_STATUS_NET_WRITE_FAULT, 
				      "closing policy handle on p1 again");
	torture_assert_int_equal(torture, p1->last_fault_code, DCERPC_FAULT_CONTEXT_MISMATCH, 
				      "closing policy handle on p1 again");

	status = dcerpc_lsa_Close(p3, mem_ctx, &c);
	torture_assert_ntstatus_equal(torture, status, NT_STATUS_NET_WRITE_FAULT, 
				      "closing policy handle on p3");
	torture_assert_int_equal(torture, p1->last_fault_code, DCERPC_FAULT_CONTEXT_MISMATCH, 
				      "closing policy handle on p3");

	status = dcerpc_lsa_Close(p2, mem_ctx, &c);
	torture_assert_ntstatus_equal(torture, status, NT_STATUS_NET_WRITE_FAULT, 
				      "closing policy handle on p2 again");
	torture_assert_int_equal(torture, p1->last_fault_code, DCERPC_FAULT_CONTEXT_MISMATCH, 
				      "closing policy handle on p2 again");

	/*
	 * open a new policy handle
	 */
	torture_comment(torture, "open a new policy handle on p1 and use it\n");
	status = dcerpc_lsa_OpenPolicy(p1, mem_ctx, &r);
	torture_assert_ntstatus_equal(torture, status, NT_STATUS_OK, 
				      "open 2nd policy handle on p1");

	status = dcerpc_lsa_QuerySecurity(p1, mem_ctx, &qsec);
	torture_assert_ntstatus_equal(torture, status, NT_STATUS_OK, 
				      "QuerySecurity handle on p1");

	/* close first connection */
	torture_comment(torture, "disconnect p1\n");
	talloc_free(p1);
	msleep(5);

	/*
	 * and it's still available on p2,p3
	 */
	torture_comment(torture, "use policy handle on p2,p3\n");
	status = dcerpc_lsa_QuerySecurity(p2, mem_ctx, &qsec);
	torture_assert_ntstatus_equal(torture, status, NT_STATUS_OK, 
				      "QuerySecurity handle on p2 after p1 was disconnected");

	status = dcerpc_lsa_QuerySecurity(p3, mem_ctx, &qsec);
	torture_assert_ntstatus_equal(torture, status, NT_STATUS_OK, 
				      "QuerySecurity handle on p3 after p1 was disconnected");

	/*
	 * now open p4
	 * and use the handle on it
	 */
	torture_comment(torture, "connect lsa pipe4 and use policy handle\n");
	status = torture_rpc_connection_transport(mem_ctx, &p4, &dcerpc_table_lsarpc,
						  transport,
						  assoc_group_id);
	torture_assert_ntstatus_ok(torture, status, "opening lsa pipe4");

	status = dcerpc_lsa_QuerySecurity(p4, mem_ctx, &qsec);
	torture_assert_ntstatus_equal(torture, status, NT_STATUS_OK, 
				      "using policy handle on p4");

	/*
	 * now close p2,p3,p4
	 * without closing the policy handle
	 */
	torture_comment(torture, "disconnect p2,p3,p4\n");
	talloc_free(p2);
	talloc_free(p3);
	talloc_free(p4);
	msleep(10);

	/*
	 * now open p5
	 */
	torture_comment(torture, "connect lsa pipe5 - should fail\n");
	status = torture_rpc_connection_transport(mem_ctx, &p5, &dcerpc_table_lsarpc,
						  transport,
						  assoc_group_id);
	torture_assert_ntstatus_equal(torture, status, NT_STATUS_UNSUCCESSFUL,
				      "opening lsa pipe5");

	talloc_free(mem_ctx);

	return true;
}
Exemple #15
0
static NTSTATUS rpc_rights_revoke_internal(struct net_context *c,
					const struct dom_sid *domain_sid,
					const char *domain_name,
					struct cli_state *cli,
					struct rpc_pipe_client *pipe_hnd,
					TALLOC_CTX *mem_ctx,
					int argc,
					const char **argv )
{
	struct policy_handle dom_pol;
	NTSTATUS status, result;
	struct lsa_RightSet rights;
	struct dom_sid sid;
	int i;
	struct dcerpc_binding_handle *b = pipe_hnd->binding_handle;

	if (argc < 2 ) {
		d_printf("%s\n%s",
			 _("Usage:"),
			 _(" net rpc rights revoke <name|SID> <rights...>\n"));
		return NT_STATUS_OK;
	}

	status = name_to_sid(pipe_hnd, mem_ctx, &sid, argv[0]);
	if (!NT_STATUS_IS_OK(status))
		return status;

	status = rpccli_lsa_open_policy2(pipe_hnd, mem_ctx, true,
				     SEC_FLAG_MAXIMUM_ALLOWED,
				     &dom_pol);

	if (!NT_STATUS_IS_OK(status))
		return status;

	rights.count = argc-1;
	rights.names = talloc_array(mem_ctx, struct lsa_StringLarge,
				    rights.count);
	if (!rights.names) {
		return NT_STATUS_NO_MEMORY;
	}

	for (i=0; i<argc-1; i++) {
		init_lsa_StringLarge(&rights.names[i], argv[i+1]);
	}

	status = dcerpc_lsa_RemoveAccountRights(b, mem_ctx,
						&dom_pol,
						&sid,
						false,
						&rights,
						&result);
	if (!NT_STATUS_IS_OK(status))
		goto done;
	if (!NT_STATUS_IS_OK(result)) {
		status = result;
		goto done;
	}

	d_printf(_("Successfully revoked rights.\n"));

done:
	if ( !NT_STATUS_IS_OK(status) ) {
		d_fprintf(stderr,_("Failed to revoke privileges for %s (%s)\n"),
			argv[0], nt_errstr(status));
	}

	dcerpc_lsa_Close(b, mem_ctx, &dom_pol, &result);

	return status;
}
Exemple #16
0
static NTSTATUS rpc_rights_list_internal(struct net_context *c,
					const struct dom_sid *domain_sid,
					const char *domain_name,
					struct cli_state *cli,
					struct rpc_pipe_client *pipe_hnd,
					TALLOC_CTX *mem_ctx,
					int argc,
					const char **argv )
{
	struct policy_handle pol;
	NTSTATUS status, result;
	struct dom_sid sid;
	fstring privname;
	struct lsa_String lsa_name;
	struct lsa_StringLarge *description = NULL;
	uint16_t lang_id = 0;
	uint16_t lang_id_sys = 0;
	uint16_t lang_id_desc;
	struct dcerpc_binding_handle *b = pipe_hnd->binding_handle;

	status = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true,
		SEC_FLAG_MAXIMUM_ALLOWED, &pol);

	if ( !NT_STATUS_IS_OK(status) )
		return status;

	/* backwards compatibility; just list available privileges if no arguement */

	if (argc == 0) {
		status = enum_privileges(pipe_hnd, mem_ctx, &pol );
		goto done;
	}

	if (strequal(argv[0], "privileges")) {
		int i = 1;

		if (argv[1] == NULL) {
			status = enum_privileges(pipe_hnd, mem_ctx, &pol );
			goto done;
		}

		while ( argv[i] != NULL ) {
			fstrcpy(privname, argv[i]);
			init_lsa_String(&lsa_name, argv[i]);
			i++;

			/* verify that this is a valid privilege for error reporting */
			status = dcerpc_lsa_LookupPrivDisplayName(b, mem_ctx,
								  &pol,
								  &lsa_name,
								  lang_id,
								  lang_id_sys,
								  &description,
								  &lang_id_desc,
								  &result);
			if (!NT_STATUS_IS_OK(status)) {
				continue;
			}
			status = result;
			if ( !NT_STATUS_IS_OK(result) ) {
				if ( NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_PRIVILEGE))
					d_fprintf(stderr, _("No such privilege "
						  "exists: %s.\n"), privname);
				else
					d_fprintf(stderr, _("Error resolving "
						  "privilege display name "
						  "[%s].\n"),
						  nt_errstr(result));
				continue;
			}

			status = enum_accounts_for_privilege(pipe_hnd, mem_ctx, &pol, privname);
			if (!NT_STATUS_IS_OK(status)) {
				d_fprintf(stderr, _("Error enumerating "
					  "accounts for privilege %s [%s].\n"),
					  privname, nt_errstr(status));
				continue;
			}
		}
		goto done;
	}

	/* special case to enumerate all privileged SIDs with associated rights */

	if (strequal( argv[0], "accounts")) {
		int i = 1;

		if (argv[1] == NULL) {
			status = enum_privileges_for_accounts(pipe_hnd, mem_ctx, &pol);
			goto done;
		}

		while (argv[i] != NULL) {
			status = name_to_sid(pipe_hnd, mem_ctx, &sid, argv[i]);
			if (!NT_STATUS_IS_OK(status)) {
				goto done;
			}
			status = enum_privileges_for_user(pipe_hnd, mem_ctx, &pol, &sid);
			if (!NT_STATUS_IS_OK(status)) {
				goto done;
			}
			i++;
		}
		goto done;
	}

	/* backward comaptibility: if no keyword provided, treat the key
	   as an account name */
	if (argc > 1) {
		d_printf("%s net rpc rights list [[accounts|privileges] "
			 "[name|SID]]\n", _("Usage:"));
		status = NT_STATUS_OK;
		goto done;
	}

	status = name_to_sid(pipe_hnd, mem_ctx, &sid, argv[0]);
	if (!NT_STATUS_IS_OK(status)) {
		goto done;
	}
	status = enum_privileges_for_user(pipe_hnd, mem_ctx, &pol, &sid );

done:
	dcerpc_lsa_Close(b, mem_ctx, &pol, &result);

	return status;
}