static NTSTATUS cmd_samr_query_usergroups(struct cli_state *cli,
TALLOC_CTX *mem_ctx,
int argc, char **argv)
{
POLICY_HND connect_pol,
domain_pol,
user_pol;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
uint32 num_groups,
user_rid;
DOM_GID *user_gids;
int i;
fstring server;
if (argc != 2) {
printf("Usage: %s rid\n", argv[0]);
return NT_STATUS_OK;
}
sscanf(argv[1], "%i", &user_rid);
slprintf (server, sizeof(fstring)-1, "\\\\%s", cli->desthost);
strupper (server);
result = cli_samr_connect(cli, mem_ctx, MAXIMUM_ALLOWED_ACCESS,
&connect_pol);
if (!NT_STATUS_IS_OK(result)) {
goto done;
}
result = cli_samr_open_domain(cli, mem_ctx, &connect_pol,
MAXIMUM_ALLOWED_ACCESS,
&domain_sid, &domain_pol);
if (!NT_STATUS_IS_OK(result)) {
goto done;
}
result = cli_samr_open_user(cli, mem_ctx, &domain_pol,
MAXIMUM_ALLOWED_ACCESS,
user_rid, &user_pol);
if (!NT_STATUS_IS_OK(result)) {
goto done;
}
result = cli_samr_query_usergroups(cli, mem_ctx, &user_pol,
&num_groups, &user_gids);
if (!NT_STATUS_IS_OK(result)) {
goto done;
}
for (i = 0; i < num_groups; i++) {
printf("\tgroup rid:[0x%x] attr:[0x%x]\n",
user_gids[i].g_rid, user_gids[i].attr);
}
done:
return result;
}
static NTSTATUS cmd_samr_query_aliasmem(struct cli_state *cli,
TALLOC_CTX *mem_ctx,
int argc, char **argv)
{
POLICY_HND connect_pol, domain_pol, alias_pol;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
uint32 alias_rid, num_members, i;
DOM_SID *alias_sids;
if (argc != 2) {
printf("Usage: %s rid\n", argv[0]);
return NT_STATUS_OK;
}
sscanf(argv[1], "%i", &alias_rid);
/* Open SAMR handle */
result = cli_samr_connect(cli, mem_ctx, MAXIMUM_ALLOWED_ACCESS,
&connect_pol);
if (!NT_STATUS_IS_OK(result)) {
goto done;
}
/* Open handle on domain */
result = cli_samr_open_domain(cli, mem_ctx, &connect_pol,
MAXIMUM_ALLOWED_ACCESS,
&domain_sid, &domain_pol);
if (!NT_STATUS_IS_OK(result)) {
goto done;
}
/* Open handle on alias */
result = cli_samr_open_alias(cli, mem_ctx, &domain_pol,
MAXIMUM_ALLOWED_ACCESS,
alias_rid, &alias_pol);
if (!NT_STATUS_IS_OK(result)) {
goto done;
}
result = cli_samr_query_aliasmem(cli, mem_ctx, &alias_pol,
&num_members, &alias_sids);
if (!NT_STATUS_IS_OK(result)) {
goto done;
}
for (i = 0; i < num_members; i++) {
fstring sid_str;
sid_to_string(sid_str, &alias_sids[i]);
printf("\tsid:[%s]\n", sid_str);
}
done:
return result;
}
static NTSTATUS cmd_samr_enum_als_groups(struct cli_state *cli,
TALLOC_CTX *mem_ctx,
int argc, char **argv)
{
POLICY_HND connect_pol, domain_pol;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
uint32 start_idx, size, num_dom_groups, i;
struct acct_info *dom_groups;
DOM_SID global_sid_Builtin;
string_to_sid(&global_sid_Builtin, "S-1-5-32");
if (argc != 2) {
printf("Usage: %s builtin|domain\n", argv[0]);
return NT_STATUS_OK;
}
/* Get sam policy handle */
result = cli_samr_connect(cli, mem_ctx, MAXIMUM_ALLOWED_ACCESS,
&connect_pol);
if (!NT_STATUS_IS_OK(result)) {
goto done;
}
/* Get domain policy handle */
if (StrCaseCmp(argv[1], "domain")==0)
result = cli_samr_open_domain(cli, mem_ctx, &connect_pol,
MAXIMUM_ALLOWED_ACCESS,
&domain_sid, &domain_pol);
else if (StrCaseCmp(argv[1], "builtin")==0)
result = cli_samr_open_domain(cli, mem_ctx, &connect_pol,
MAXIMUM_ALLOWED_ACCESS,
&global_sid_Builtin, &domain_pol);
else
return NT_STATUS_OK;
if (!NT_STATUS_IS_OK(result)) {
goto done;
}
/* Enumerate domain groups */
start_idx = 0;
size = 0xffff;
result = cli_samr_enum_als_groups(cli, mem_ctx, &domain_pol,
&start_idx, size,
&dom_groups, &num_dom_groups);
for (i = 0; i < num_dom_groups; i++)
printf("group:[%s] rid:[0x%x]\n", dom_groups[i].acct_name,
dom_groups[i].rid);
done:
return result;
}
static NTSTATUS cmd_samr_lookup_rids(struct cli_state *cli,
TALLOC_CTX *mem_ctx,
int argc, char **argv)
{
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
POLICY_HND connect_pol, domain_pol;
uint32 flags = 0x000003e8; /* Unknown */
uint32 num_rids, num_names, *rids, *name_types;
char **names;
int i;
if (argc < 2) {
printf("Usage: %s rid1 [rid2 [rid3] [...]]\n", argv[0]);
return NT_STATUS_OK;
}
/* Get sam policy and domain handles */
result = cli_samr_connect(cli, mem_ctx, MAXIMUM_ALLOWED_ACCESS,
&connect_pol);
if (!NT_STATUS_IS_OK(result)) {
goto done;
}
result = cli_samr_open_domain(cli, mem_ctx, &connect_pol,
MAXIMUM_ALLOWED_ACCESS,
&domain_sid, &domain_pol);
if (!NT_STATUS_IS_OK(result)) {
goto done;
}
/* Look up rids */
num_rids = argc - 1;
rids = (uint32 *)talloc(mem_ctx, sizeof(uint32) * num_rids);
for (i = 0; i < argc - 1; i++)
sscanf(argv[i + 1], "%i", &rids[i]);
result = cli_samr_lookup_rids(cli, mem_ctx, &domain_pol,
flags, num_rids, rids,
&num_names, &names, &name_types);
if (!NT_STATUS_IS_OK(result)) {
goto done;
}
/* Display results */
for (i = 0; i < num_names; i++)
printf("rid 0x%x: %s (%d)\n", rids[i], names[i], name_types[i]);
done:
return result;
}
/**********************************************************************
* Query user information
*/
static NTSTATUS cmd_samr_query_user(struct cli_state *cli,
TALLOC_CTX *mem_ctx,
int argc, char **argv)
{
POLICY_HND connect_pol, domain_pol, user_pol;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
uint32 info_level = 21;
SAM_USERINFO_CTR *user_ctr;
fstring server;
uint32 user_rid;
if (argc != 2) {
printf("Usage: %s rid\n", argv[0]);
return NT_STATUS_OK;
}
sscanf(argv[1], "%i", &user_rid);
slprintf (server, sizeof(fstring)-1, "\\\\%s", cli->desthost);
strupper (server);
result = cli_samr_connect(cli, mem_ctx, MAXIMUM_ALLOWED_ACCESS,
&connect_pol);
if (!NT_STATUS_IS_OK(result))
goto done;
result = cli_samr_open_domain(cli, mem_ctx, &connect_pol,
MAXIMUM_ALLOWED_ACCESS,
&domain_sid, &domain_pol);
if (!NT_STATUS_IS_OK(result))
goto done;
result = cli_samr_open_user(cli, mem_ctx, &domain_pol,
MAXIMUM_ALLOWED_ACCESS,
user_rid, &user_pol);
if (!NT_STATUS_IS_OK(result))
goto done;
ZERO_STRUCT(user_ctr);
result = cli_samr_query_userinfo(cli, mem_ctx, &user_pol,
info_level, &user_ctr);
if (!NT_STATUS_IS_OK(result))
goto done;
display_sam_user_info_21(user_ctr->info.id21);
done:
return result;
}
/****************************************************************************
Try samr_connect4 first, then samr_conenct if it fails
****************************************************************************/
static NTSTATUS try_samr_connects(struct cli_state *cli, TALLOC_CTX *mem_ctx,
uint32 access_mask, POLICY_HND *connect_pol)
{
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
result = cli_samr_connect4(cli, mem_ctx, access_mask, connect_pol);
if (!NT_STATUS_IS_OK(result)) {
result = cli_samr_connect(cli, mem_ctx, access_mask,
connect_pol);
}
return result;
}
/***********************************************************************
* Query group information
*/
static NTSTATUS cmd_samr_query_group(struct cli_state *cli,
TALLOC_CTX *mem_ctx,
int argc, char **argv)
{
POLICY_HND connect_pol, domain_pol, group_pol;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
uint32 info_level = 1;
GROUP_INFO_CTR *group_ctr;
fstring server;
uint32 group_rid;
if (argc != 2) {
printf("Usage: %s rid\n", argv[0]);
return NT_STATUS_OK;
}
sscanf(argv[1], "%i", &group_rid);
slprintf (server, sizeof(fstring)-1, "\\\\%s", cli->desthost);
strupper (server);
result = cli_samr_connect(cli, mem_ctx, MAXIMUM_ALLOWED_ACCESS,
&connect_pol);
if (!NT_STATUS_IS_OK(result))
goto done;
result = cli_samr_open_domain(cli, mem_ctx, &connect_pol,
MAXIMUM_ALLOWED_ACCESS,
&domain_sid, &domain_pol);
if (!NT_STATUS_IS_OK(result))
goto done;
result = cli_samr_open_group(cli, mem_ctx, &domain_pol,
MAXIMUM_ALLOWED_ACCESS,
group_rid, &group_pol);
if (!NT_STATUS_IS_OK(result))
goto done;
result = cli_samr_query_groupinfo(cli, mem_ctx, &group_pol,
info_level, &group_ctr);
if (!NT_STATUS_IS_OK(result)) {
goto done;
}
display_group_info_ctr(group_ctr);
done:
return result;
}
static NTSTATUS cmd_samr_create_dom_user(struct cli_state *cli,
TALLOC_CTX *mem_ctx,
int argc, char **argv)
{
POLICY_HND connect_pol, domain_pol, user_pol;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
char *acct_name;
uint16 acb_info;
uint32 unknown, user_rid;
if (argc != 2) {
printf("Usage: %s username\n", argv[0]);
return NT_STATUS_OK;
}
acct_name = argv[1];
/* Get sam policy handle */
result = cli_samr_connect(cli, mem_ctx, MAXIMUM_ALLOWED_ACCESS,
&connect_pol);
if (!NT_STATUS_IS_OK(result)) {
goto done;
}
/* Get domain policy handle */
result = cli_samr_open_domain(cli, mem_ctx, &connect_pol,
MAXIMUM_ALLOWED_ACCESS,
&domain_sid, &domain_pol);
if (!NT_STATUS_IS_OK(result)) {
goto done;
}
/* Create domain user */
acb_info = ACB_NORMAL;
unknown = 0xe005000b; /* No idea what this is - a permission mask? */
result = cli_samr_create_dom_user(cli, mem_ctx, &domain_pol,
acct_name, acb_info, unknown,
&user_pol, &user_rid);
if (!NT_STATUS_IS_OK(result)) {
goto done;
}
done:
return result;
}
static NTSTATUS cmd_samr_enum_dom_groups(struct cli_state *cli,
TALLOC_CTX *mem_ctx,
int argc, char **argv)
{
POLICY_HND connect_pol, domain_pol;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
uint32 start_idx, size, num_dom_groups, i;
struct acct_info *dom_groups;
if (argc != 1) {
printf("Usage: %s\n", argv[0]);
return NT_STATUS_OK;
}
/* Get sam policy handle */
result = cli_samr_connect(cli, mem_ctx, MAXIMUM_ALLOWED_ACCESS,
&connect_pol);
if (!NT_STATUS_IS_OK(result)) {
goto done;
}
/* Get domain policy handle */
result = cli_samr_open_domain(cli, mem_ctx, &connect_pol,
MAXIMUM_ALLOWED_ACCESS,
&domain_sid, &domain_pol);
if (!NT_STATUS_IS_OK(result)) {
goto done;
}
/* Enumerate domain groups */
start_idx = 0;
size = 0xffff;
result = cli_samr_enum_dom_groups(cli, mem_ctx, &domain_pol,
&start_idx, size,
&dom_groups, &num_dom_groups);
for (i = 0; i < num_dom_groups; i++)
printf("group:[%s] rid:[0x%x]\n", dom_groups[i].acct_name,
dom_groups[i].rid);
done:
return result;
}
static NTSTATUS cmd_samr_query_dominfo(struct cli_state *cli,
TALLOC_CTX *mem_ctx,
int argc, char **argv)
{
POLICY_HND connect_pol, domain_pol;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
int switch_value = 2;
SAM_UNK_CTR ctr;
if (argc > 2) {
printf("Usage: %s [infolevel]\n", argv[0]);
return NT_STATUS_OK;
}
if (argc == 2)
sscanf(argv[1], "%i", &switch_value);
/* Get sam policy handle */
result = cli_samr_connect(cli, mem_ctx, MAXIMUM_ALLOWED_ACCESS,
&connect_pol);
if (!NT_STATUS_IS_OK(result)) {
goto done;
}
/* Get domain policy handle */
result = cli_samr_open_domain(cli, mem_ctx, &connect_pol,
MAXIMUM_ALLOWED_ACCESS,
&domain_sid, &domain_pol);
if (!NT_STATUS_IS_OK(result)) {
goto done;
}
/* Query domain info */
result = cli_samr_query_dom_info(cli, mem_ctx, &domain_pol,
switch_value, &ctr);
if (!NT_STATUS_IS_OK(result)) {
goto done;
}
/* Display domain info */
switch (switch_value) {
case 1:
display_sam_unk_info_1(&ctr.info.inf1);
break;
case 2:
display_sam_unk_info_2(&ctr.info.inf2);
break;
default:
printf("cannot display domain info for switch value %d\n",
switch_value);
break;
}
done:
cli_samr_close(cli, mem_ctx, &domain_pol);
cli_samr_close(cli, mem_ctx, &connect_pol);
return result;
}
static NTSTATUS cmd_samr_query_dispinfo(struct cli_state *cli,
TALLOC_CTX *mem_ctx,
int argc, char **argv)
{
POLICY_HND connect_pol, domain_pol;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
uint32 start_idx=0, max_entries=250, max_size = 0xffff, num_entries, i;
int info_level = 1;
SAM_DISPINFO_CTR ctr;
SAM_DISPINFO_1 info1;
SAM_DISPINFO_2 info2;
SAM_DISPINFO_3 info3;
SAM_DISPINFO_4 info4;
SAM_DISPINFO_5 info5;
int loop_count = 0;
BOOL got_params = False; /* Use get_query_dispinfo_params() or not? */
if (argc > 4) {
printf("Usage: %s [info level] [start index] [max entries] [max_size]\n", argv[0]);
return NT_STATUS_OK;
}
if (argc >= 2)
sscanf(argv[1], "%i", &info_level);
if (argc >= 3)
sscanf(argv[2], "%i", &start_idx);
if (argc >= 4) {
sscanf(argv[3], "%i", &max_entries);
got_params = True;
}
if (argc >= 5) {
sscanf(argv[4], "%i", &max_size);
got_params = True;
}
/* Get sam policy handle */
result = cli_samr_connect(cli, mem_ctx, MAXIMUM_ALLOWED_ACCESS, &connect_pol);
if (!NT_STATUS_IS_OK(result)) {
goto done;
}
/* Get domain policy handle */
result = cli_samr_open_domain(cli, mem_ctx, &connect_pol,
MAXIMUM_ALLOWED_ACCESS,
&domain_sid, &domain_pol);
if (!NT_STATUS_IS_OK(result)) {
goto done;
}
/* Query display info */
ZERO_STRUCT(ctr);
ZERO_STRUCT(info1);
switch (info_level) {
case 1:
ZERO_STRUCT(info1);
ctr.sam.info1 = &info1;
break;
case 2:
ZERO_STRUCT(info2);
ctr.sam.info2 = &info2;
break;
case 3:
ZERO_STRUCT(info3);
ctr.sam.info3 = &info3;
break;
case 4:
ZERO_STRUCT(info4);
ctr.sam.info4 = &info4;
break;
case 5:
ZERO_STRUCT(info5);
ctr.sam.info5 = &info5;
break;
}
do {
if (!got_params)
get_query_dispinfo_params(
loop_count, &max_entries, &max_size);
result = cli_samr_query_dispinfo(cli, mem_ctx, &domain_pol,
&start_idx, info_level,
&num_entries, max_entries,
max_size, &ctr);
loop_count++;
for (i = 0; i < num_entries; i++) {
switch (info_level) {
case 1:
display_sam_info_1(&ctr.sam.info1->sam[i], &ctr.sam.info1->str[i]);
break;
case 2:
display_sam_info_2(&ctr.sam.info2->sam[i], &ctr.sam.info2->str[i]);
break;
case 3:
display_sam_info_3(&ctr.sam.info3->sam[i], &ctr.sam.info3->str[i]);
break;
case 4:
display_sam_info_4(&ctr.sam.info4->sam[i], &ctr.sam.info4->str[i]);
break;
case 5:
display_sam_info_5(&ctr.sam.info5->sam[i], &ctr.sam.info5->str[i]);
break;
}
}
} while (!NT_STATUS_IS_OK(result));
done:
return result;
}
static int join_domain_byuser(char *domain, const char *remote,
char *username, char *password)
{
/* libsmb variables */
pstring pdc_name;
struct nmb_name calling, called;
struct ntuser_creds creds;
struct cli_state cli;
fstring acct_name;
struct in_addr dest_ip;
TALLOC_CTX *mem_ctx;
/* rpc variables */
POLICY_HND lsa_pol, sam_pol, domain_pol, user_pol;
DOM_SID domain_sid;
uint32 user_rid;
/* Password stuff */
char *machine_pwd;
int plen = 0;
uchar pwbuf[516], ntpw[16], sess_key[16];
SAM_USERINFO_CTR ctr;
SAM_USER_INFO_24 p24;
SAM_USER_INFO_10 p10;
/* Misc */
NTSTATUS result;
int retval = 1;
pstrcpy(pdc_name, remote ? remote : "");
/* Connect to remote machine */
ZERO_STRUCT(cli);
ZERO_STRUCT(creds);
ZERO_STRUCT(dest_ip); /* Make sure no nasty surprises */
if (!(mem_ctx = talloc_init())) {
DEBUG(0, ("Could not initialise talloc context\n"));
goto done;
}
if (!cli_initialise(&cli)) {
DEBUG(0, ("Could not initialise client structure\n"));
goto done;
}
init_rpcclient_creds(&creds, username, domain, password);
cli_init_creds(&cli, &creds);
/*
* If we are given a remote machine assume this is the PDC.
*/
if(remote == NULL || !strcmp(remote, "*")) {
struct in_addr *ip_list;
int addr_count;
if (!get_dc_list(True /* PDC only*/, domain, &ip_list, &addr_count)) {
fprintf(stderr, "Unable to find the domain controller for domain %s.\n", domain);
return 1;
}
if ((addr_count < 1) || (is_zero_ip(ip_list[0]))) {
fprintf(stderr, "Incorrect entries returned when finding the domain controller for domain %s.\n", domain);
return 1;
}
if (!lookup_dc_name(global_myname, domain, &ip_list[0], pdc_name)) {
fprintf(stderr, "Unable to lookup the name for the domain controller for domain %s.\n", domain);
return 1;
}
dest_ip = ip_list[0];
}
make_nmb_name(&called, pdc_name, 0x20);
make_nmb_name(&calling, dns_to_netbios_name(global_myname), 0);
if (!cli_establish_connection(&cli, pdc_name, &dest_ip, &calling,
&called, "IPC$", "IPC", False, True)) {
if (!NT_STATUS_IS_OK(cli_nt_error(&cli))) {
DEBUG(0, ("Error connecting to %s - %s\n", pdc_name,cli_errstr(&cli)));
} else {
DEBUG(0, ("Error connecting to %s\n", pdc_name));
}
goto done;
}
/* Fetch domain sid */
if (!cli_nt_session_open(&cli, PIPE_LSARPC)) {
DEBUG(0, ("Error connecting to SAM pipe\n"));
goto done;
}
CHECK_RPC_ERR(cli_lsa_open_policy(&cli, mem_ctx, True,
SEC_RIGHTS_MAXIMUM_ALLOWED,
&lsa_pol),
"error opening lsa policy handle");
CHECK_RPC_ERR(cli_lsa_query_info_policy(&cli, mem_ctx, &lsa_pol,
5, domain, &domain_sid),
"error querying info policy");
cli_lsa_close(&cli, mem_ctx, &lsa_pol);
cli_nt_session_close(&cli); /* Done with this pipe */
/* Create domain user */
if (!cli_nt_session_open(&cli, PIPE_SAMR)) {
DEBUG(0, ("Error connecting to SAM pipe\n"));
goto done;
}
CHECK_RPC_ERR(cli_samr_connect(&cli, mem_ctx,
SEC_RIGHTS_MAXIMUM_ALLOWED,
&sam_pol),
"could not connect to SAM database");
CHECK_RPC_ERR(cli_samr_open_domain(&cli, mem_ctx, &sam_pol,
SEC_RIGHTS_MAXIMUM_ALLOWED,
&domain_sid, &domain_pol),
"could not open domain");
/* Create domain user */
fstrcpy(acct_name, global_myname);
fstrcat(acct_name, "$");
strlower(acct_name);
{
uint32 unknown = 0xe005000b;
result = cli_samr_create_dom_user(&cli, mem_ctx, &domain_pol,
acct_name, ACB_WSTRUST,
unknown, &user_pol,
&user_rid);
}
if (NT_STATUS_IS_OK(result)) {
/* We *must* do this.... don't ask... */
CHECK_RPC_ERR_DEBUG(cli_samr_close(&cli, mem_ctx, &user_pol), ("error closing user policy"));
result = NT_STATUS_USER_EXISTS;
}
if (NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_USER_EXISTS)) {
uint32 num_rids, *name_types, *user_rids;
uint32 flags = 0x3e8;
const char *names;
/* Look up existing rid */
names = (char *)&acct_name[0];
CHECK_RPC_ERR_DEBUG(
cli_samr_lookup_names(&cli, mem_ctx,
&domain_pol, flags,
1, &names, &num_rids,
&user_rids, &name_types),
("error looking up rid for user %s: %s\n",
acct_name, get_nt_error_msg(result)));
if (name_types[0] != SID_NAME_USER) {
DEBUG(0, ("%s is not a user account\n", acct_name));
goto done;
}
user_rid = user_rids[0];
/* Open handle on user */
CHECK_RPC_ERR_DEBUG(
cli_samr_open_user(&cli, mem_ctx, &domain_pol,
SEC_RIGHTS_MAXIMUM_ALLOWED,
user_rid, &user_pol),
("could not re-open existing user %s: %s\n",
acct_name, get_nt_error_msg(result)));
} else if (!NT_STATUS_IS_OK(result)) {
DEBUG(0, ("error creating domain user: %s\n",
get_nt_error_msg(result)));
goto done;
}
/* Create a random machine account password */
{
UNISTR2 upw; /* Unicode password */
upw.buffer = (uint16 *)talloc_zero(mem_ctx, 0xc *
sizeof(uint16));
upw.uni_str_len = 0xc;
upw.uni_max_len = 0xc;
machine_pwd = (char *)upw.buffer;
plen = upw.uni_str_len * 2;
generate_random_buffer((unsigned char *)machine_pwd, plen, True);
encode_pw_buffer((char *)pwbuf, machine_pwd, plen, False);
mdfour( ntpw, (unsigned char *)upw.buffer, plen);
}
/* Set password on machine account */
ZERO_STRUCT(ctr);
ZERO_STRUCT(p24);
init_sam_user_info24(&p24, (char *)pwbuf,24);
ctr.switch_value = 24;
ctr.info.id24 = &p24;
/* I don't think this is quite the right place for this
calculation. It should be moved somewhere where the credentials
are calculated. )-: */
mdfour(sess_key, cli.pwd.smb_nt_pwd, 16);
CHECK_RPC_ERR(cli_samr_set_userinfo(&cli, mem_ctx, &user_pol, 24,
sess_key, &ctr),
"error setting trust account password");
/* Why do we have to try to (re-)set the ACB to be the same as what
we passed in the samr_create_dom_user() call? When a NT
workstation is joined to a domain by an administrator the
acb_info is set to 0x80. For a normal user with "Add
workstations to the domain" rights the acb_info is 0x84. I'm
not sure whether it is supposed to make a difference or not. NT
seems to cope with either value so don't bomb out if the set
userinfo2 level 0x10 fails. -tpot */
ZERO_STRUCT(ctr);
ctr.switch_value = 0x10;
ctr.info.id10 = &p10;
init_sam_user_info10(&p10, ACB_WSTRUST);
/* Ignoring the return value is necessary for joining a domain
as a normal user with "Add workstation to domain" privilege. */
result = cli_samr_set_userinfo2(&cli, mem_ctx, &user_pol, 0x10,
sess_key, &ctr);
/* Now store the secret in the secrets database */
strupper(domain);
if (!secrets_store_domain_sid(domain, &domain_sid) ||
!secrets_store_trust_account_password(domain, ntpw)) {
DEBUG(0, ("error storing domain secrets\n"));
goto done;
}
retval = 0; /* Success! */
done:
/* Close down pipe - this will clean up open policy handles */
if (cli.nt_pipe_fnum)
cli_nt_session_close(&cli);
/* Display success or failure */
if (retval != 0) {
trust_password_delete(domain);
fprintf(stderr,"Unable to join domain %s.\n",domain);
} else {
printf("Joined domain %s.\n",domain);
}
return retval;
}
/**********************************************************************
* Query user security object
*/
static NTSTATUS cmd_samr_query_sec_obj(struct cli_state *cli,
TALLOC_CTX *mem_ctx,
int argc, char **argv)
{
POLICY_HND connect_pol, domain_pol, user_pol, *pol;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
uint32 info_level = 4;
fstring server;
uint32 user_rid = 0;
TALLOC_CTX *ctx = NULL;
SEC_DESC_BUF *sec_desc_buf=NULL;
BOOL domain = False;
ctx=talloc_init();
if (argc > 2) {
printf("Usage: %s [rid|-d]\n", argv[0]);
printf("\tSpecify rid for security on user, -d for security on domain\n");
return NT_STATUS_OK;
}
if (argc == 2) {
if (strcmp(argv[1], "-d") == 0)
domain = True;
else
sscanf(argv[1], "%i", &user_rid);
}
slprintf (server, sizeof(fstring)-1, "\\\\%s", cli->desthost);
strupper (server);
result = cli_samr_connect(cli, mem_ctx, MAXIMUM_ALLOWED_ACCESS,
&connect_pol);
if (!NT_STATUS_IS_OK(result))
goto done;
if (domain || user_rid)
result = cli_samr_open_domain(cli, mem_ctx, &connect_pol,
MAXIMUM_ALLOWED_ACCESS,
&domain_sid, &domain_pol);
if (!NT_STATUS_IS_OK(result))
goto done;
if (user_rid)
result = cli_samr_open_user(cli, mem_ctx, &domain_pol,
MAXIMUM_ALLOWED_ACCESS,
user_rid, &user_pol);
if (!NT_STATUS_IS_OK(result))
goto done;
/* Pick which query pol to use */
pol = &connect_pol;
if (domain)
pol = &domain_pol;
if (user_rid)
pol = &user_pol;
/* Query SAM security object */
result = cli_samr_query_sec_obj(cli, mem_ctx, pol, info_level, ctx,
&sec_desc_buf);
if (!NT_STATUS_IS_OK(result))
goto done;
display_sec_desc(sec_desc_buf->sec);
done:
talloc_destroy(ctx);
return result;
}
static NTSTATUS cmd_samr_delete_dom_user(struct cli_state *cli,
TALLOC_CTX *mem_ctx,
int argc, char **argv)
{
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
POLICY_HND connect_pol, domain_pol, user_pol;
if (argc != 2) {
printf("Usage: %s username\n", argv[0]);
return NT_STATUS_OK;
}
/* Get sam policy and domain handles */
result = cli_samr_connect(cli, mem_ctx, MAXIMUM_ALLOWED_ACCESS,
&connect_pol);
if (!NT_STATUS_IS_OK(result)) {
goto done;
}
result = cli_samr_open_domain(cli, mem_ctx, &connect_pol,
MAXIMUM_ALLOWED_ACCESS,
&domain_sid, &domain_pol);
if (!NT_STATUS_IS_OK(result)) {
goto done;
}
/* Get handle on user */
{
uint32 *user_rids, num_rids, *name_types;
uint32 flags = 0x000003e8; /* Unknown */
result = cli_samr_lookup_names(cli, mem_ctx, &domain_pol,
flags, 1, (const char **)&argv[1],
&num_rids, &user_rids,
&name_types);
if (!NT_STATUS_IS_OK(result)) {
goto done;
}
result = cli_samr_open_user(cli, mem_ctx, &domain_pol,
MAXIMUM_ALLOWED_ACCESS,
user_rids[0], &user_pol);
if (!NT_STATUS_IS_OK(result)) {
goto done;
}
}
/* Delete user */
result = cli_samr_delete_dom_user(cli, mem_ctx, &user_pol);
if (!NT_STATUS_IS_OK(result)) {
goto done;
}
/* Display results */
done:
return result;
}
static PyObject *samr_connect(PyObject *self, PyObject *args, PyObject *kw)
{
static char *kwlist[] = { "server", "creds", "access", NULL };
uint32 desired_access = MAXIMUM_ALLOWED_ACCESS;
char *server, *errstr;
struct cli_state *cli = NULL;
POLICY_HND hnd;
TALLOC_CTX *mem_ctx = NULL;
PyObject *result = NULL, *creds = NULL;
NTSTATUS ntstatus;
if (!PyArg_ParseTupleAndKeywords(
args, kw, "s|Oi", kwlist, &server, &creds,
&desired_access))
return NULL;
if (server[0] != '\\' || server[1] != '\\') {
PyErr_SetString(PyExc_ValueError, "UNC name required");
return NULL;
}
server += 2;
if (creds && creds != Py_None && !PyDict_Check(creds)) {
PyErr_SetString(PyExc_TypeError,
"credentials must be dictionary or None");
return NULL;
}
if (!(cli = open_pipe_creds(server, creds, PI_SAMR, &errstr))) {
PyErr_SetString(samr_error, errstr);
free(errstr);
return NULL;
}
if (!(mem_ctx = talloc_init("samr_connect"))) {
PyErr_SetString(samr_ntstatus,
"unable to init talloc context\n");
goto done;
}
ntstatus = cli_samr_connect(cli, mem_ctx, desired_access, &hnd);
if (!NT_STATUS_IS_OK(ntstatus)) {
cli_shutdown(cli);
PyErr_SetObject(samr_ntstatus, py_ntstatus_tuple(ntstatus));
goto done;
}
result = new_samr_connect_hnd_object(cli, mem_ctx, &hnd);
done:
if (!result) {
if (cli)
cli_shutdown(cli);
if (mem_ctx)
talloc_destroy(mem_ctx);
}
return result;
}
static NTSTATUS cmd_samr_lookup_names(struct cli_state *cli,
TALLOC_CTX *mem_ctx,
int argc, char **argv)
{
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
POLICY_HND connect_pol, domain_pol;
uint32 flags = 0x000003e8; /* Unknown */
uint32 num_rids, num_names, *name_types, *rids;
const char **names;
int i;
DOM_SID global_sid_Builtin;
string_to_sid(&global_sid_Builtin, "S-1-5-32");
if (argc < 3) {
printf("Usage: %s domain|builtin name1 [name2 [name3] [...]]\n", argv[0]);
printf("check on the domain SID: S-1-5-21-x-y-z\n");
printf("or check on the builtin SID: S-1-5-32\n");
return NT_STATUS_OK;
}
/* Get sam policy and domain handles */
result = cli_samr_connect(cli, mem_ctx, MAXIMUM_ALLOWED_ACCESS,
&connect_pol);
if (!NT_STATUS_IS_OK(result)) {
goto done;
}
if (StrCaseCmp(argv[1], "domain")==0)
result = cli_samr_open_domain(cli, mem_ctx, &connect_pol,
MAXIMUM_ALLOWED_ACCESS,
&domain_sid, &domain_pol);
else if (StrCaseCmp(argv[1], "builtin")==0)
result = cli_samr_open_domain(cli, mem_ctx, &connect_pol,
MAXIMUM_ALLOWED_ACCESS,
&global_sid_Builtin, &domain_pol);
else
return NT_STATUS_OK;
if (!NT_STATUS_IS_OK(result)) {
goto done;
}
/* Look up names */
num_names = argc - 2;
names = (const char **)talloc(mem_ctx, sizeof(char *) * num_names);
for (i = 0; i < argc - 2; i++)
names[i] = argv[i + 2];
result = cli_samr_lookup_names(cli, mem_ctx, &domain_pol,
flags, num_names, names,
&num_rids, &rids, &name_types);
if (!NT_STATUS_IS_OK(result)) {
goto done;
}
/* Display results */
for (i = 0; i < num_names; i++)
printf("name %s: 0x%x (%d)\n", names[i], rids[i],
name_types[i]);
done:
return result;
}
int net_rpc_join_newstyle(int argc, const char **argv)
{
/* libsmb variables */
struct cli_state *cli;
TALLOC_CTX *mem_ctx;
uint32 acb_info = ACB_WSTRUST;
uint32 sec_channel_type;
/* rpc variables */
POLICY_HND lsa_pol, sam_pol, domain_pol, user_pol;
DOM_SID *domain_sid;
uint32 user_rid;
/* Password stuff */
char *clear_trust_password = NULL;
uchar pwbuf[516];
SAM_USERINFO_CTR ctr;
SAM_USER_INFO_24 p24;
SAM_USER_INFO_10 p10;
uchar md4_trust_password[16];
/* Misc */
NTSTATUS result;
int retval = 1;
char *domain;
uint32 num_rids, *name_types, *user_rids;
uint32 flags = 0x3e8;
char *acct_name;
const char *const_acct_name;
/* check what type of join */
if (argc >= 0) {
sec_channel_type = get_sec_channel_type(argv[0]);
} else {
sec_channel_type = get_sec_channel_type(NULL);
}
switch (sec_channel_type) {
case SEC_CHAN_WKSTA:
acb_info = ACB_WSTRUST;
break;
case SEC_CHAN_BDC:
acb_info = ACB_SVRTRUST;
break;
#if 0
case SEC_CHAN_DOMAIN:
acb_info = ACB_DOMTRUST;
break;
#endif
}
/* Connect to remote machine */
if (!(cli = net_make_ipc_connection(NET_FLAGS_PDC)))
return 1;
if (!(mem_ctx = talloc_init("net_rpc_join_newstyle"))) {
DEBUG(0, ("Could not initialise talloc context\n"));
goto done;
}
/* Fetch domain sid */
if (!cli_nt_session_open(cli, PI_LSARPC)) {
DEBUG(0, ("Error connecting to LSA pipe\n"));
goto done;
}
CHECK_RPC_ERR(cli_lsa_open_policy(cli, mem_ctx, True,
SEC_RIGHTS_MAXIMUM_ALLOWED,
&lsa_pol),
"error opening lsa policy handle");
CHECK_RPC_ERR(cli_lsa_query_info_policy(cli, mem_ctx, &lsa_pol,
5, &domain, &domain_sid),
"error querying info policy");
cli_lsa_close(cli, mem_ctx, &lsa_pol);
cli_nt_session_close(cli); /* Done with this pipe */
/* Create domain user */
if (!cli_nt_session_open(cli, PI_SAMR)) {
DEBUG(0, ("Error connecting to SAM pipe\n"));
goto done;
}
CHECK_RPC_ERR(cli_samr_connect(cli, mem_ctx,
SEC_RIGHTS_MAXIMUM_ALLOWED,
&sam_pol),
"could not connect to SAM database");
CHECK_RPC_ERR(cli_samr_open_domain(cli, mem_ctx, &sam_pol,
SEC_RIGHTS_MAXIMUM_ALLOWED,
domain_sid, &domain_pol),
"could not open domain");
/* Create domain user */
acct_name = talloc_asprintf(mem_ctx, "%s$", global_myname());
strlower_m(acct_name);
const_acct_name = acct_name;
result = cli_samr_create_dom_user(cli, mem_ctx, &domain_pol,
acct_name, acb_info,
0xe005000b, &user_pol,
&user_rid);
if (!NT_STATUS_IS_OK(result) &&
!NT_STATUS_EQUAL(result, NT_STATUS_USER_EXISTS)) {
d_printf("Creation of workstation account failed\n");
/* If NT_STATUS_ACCESS_DENIED then we have a valid
username/password combo but the user does not have
administrator access. */
if (NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_ACCESS_DENIED))
d_printf("User specified does not have administrator privileges\n");
goto done;
}
/* We *must* do this.... don't ask... */
if (NT_STATUS_IS_OK(result))
cli_samr_close(cli, mem_ctx, &user_pol);
CHECK_RPC_ERR_DEBUG(cli_samr_lookup_names(cli, mem_ctx,
&domain_pol, flags,
1, &const_acct_name,
&num_rids,
&user_rids, &name_types),
("error looking up rid for user %s: %s\n",
acct_name, nt_errstr(result)));
if (name_types[0] != SID_NAME_USER) {
DEBUG(0, ("%s is not a user account (type=%d)\n", acct_name, name_types[0]));
goto done;
}
user_rid = user_rids[0];
/* Open handle on user */
CHECK_RPC_ERR_DEBUG(
cli_samr_open_user(cli, mem_ctx, &domain_pol,
SEC_RIGHTS_MAXIMUM_ALLOWED,
user_rid, &user_pol),
("could not re-open existing user %s: %s\n",
acct_name, nt_errstr(result)));
/* Create a random machine account password */
{
char *str;
str = generate_random_str(DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
clear_trust_password = SMB_STRDUP(str);
E_md4hash(clear_trust_password, md4_trust_password);
}
encode_pw_buffer(pwbuf, clear_trust_password, STR_UNICODE);
/* Set password on machine account */
ZERO_STRUCT(ctr);
ZERO_STRUCT(p24);
init_sam_user_info24(&p24, (char *)pwbuf,24);
ctr.switch_value = 24;
ctr.info.id24 = &p24;
CHECK_RPC_ERR(cli_samr_set_userinfo(cli, mem_ctx, &user_pol, 24,
&cli->user_session_key, &ctr),
"error setting trust account password");
/* Why do we have to try to (re-)set the ACB to be the same as what
we passed in the samr_create_dom_user() call? When a NT
workstation is joined to a domain by an administrator the
acb_info is set to 0x80. For a normal user with "Add
workstations to the domain" rights the acb_info is 0x84. I'm
not sure whether it is supposed to make a difference or not. NT
seems to cope with either value so don't bomb out if the set
userinfo2 level 0x10 fails. -tpot */
ZERO_STRUCT(ctr);
ctr.switch_value = 0x10;
ctr.info.id10 = &p10;
init_sam_user_info10(&p10, acb_info);
/* Ignoring the return value is necessary for joining a domain
as a normal user with "Add workstation to domain" privilege. */
result = cli_samr_set_userinfo2(cli, mem_ctx, &user_pol, 0x10,
&cli->user_session_key, &ctr);
/* Now check the whole process from top-to-bottom */
cli_samr_close(cli, mem_ctx, &user_pol);
cli_nt_session_close(cli); /* Done with this pipe */
if (!cli_nt_session_open(cli, PI_NETLOGON)) {
DEBUG(0,("Error connecting to NETLOGON pipe\n"));
goto done;
}
/* ensure that schannel uses the right domain */
fstrcpy(cli->domain, domain);
result = cli_nt_establish_netlogon(cli, sec_channel_type,
md4_trust_password);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(0, ("Error domain join verification (reused connection): %s\n\n",
nt_errstr(result)));
if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) &&
(sec_channel_type == SEC_CHAN_BDC) ) {
d_printf("Please make sure that no computer account\n"
"named like this machine (%s) exists in the domain\n",
global_myname());
}
goto done;
}
/* Now store the secret in the secrets database */
strupper_m(domain);
if (!secrets_store_domain_sid(domain, domain_sid)) {
DEBUG(0, ("error storing domain sid for %s\n", domain));
goto done;
}
if (!secrets_store_machine_password(clear_trust_password, domain, sec_channel_type)) {
DEBUG(0, ("error storing plaintext domain secrets for %s\n", domain));
}
/* double-check, connection from scratch */
retval = net_rpc_join_ok(domain);
done:
/* Close down pipe - this will clean up open policy handles */
if (cli->nt_pipe_fnum[cli->pipe_idx])
cli_nt_session_close(cli);
/* Display success or failure */
if (retval != 0) {
fprintf(stderr,"Unable to join domain %s.\n",domain);
} else {
printf("Joined domain %s.\n",domain);
}
cli_shutdown(cli);
SAFE_FREE(clear_trust_password);
return retval;
}
static NTSTATUS cmd_samr_query_useraliases(struct cli_state *cli,
TALLOC_CTX *mem_ctx,
int argc, char **argv)
{
POLICY_HND connect_pol, domain_pol;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
uint32 user_rid, num_aliases, *alias_rids;
int i;
fstring server;
DOM_SID tmp_sid;
DOM_SID2 sid;
DOM_SID global_sid_Builtin;
string_to_sid(&global_sid_Builtin, "S-1-5-32");
if (argc != 3) {
printf("Usage: %s builtin|domain rid\n", argv[0]);
return NT_STATUS_OK;
}
sscanf(argv[2], "%i", &user_rid);
slprintf (server, sizeof(fstring)-1, "\\\\%s", cli->desthost);
strupper (server);
result = cli_samr_connect(cli, mem_ctx, MAXIMUM_ALLOWED_ACCESS,
&connect_pol);
if (!NT_STATUS_IS_OK(result)) {
goto done;
}
if (StrCaseCmp(argv[1], "domain")==0)
result = cli_samr_open_domain(cli, mem_ctx, &connect_pol,
MAXIMUM_ALLOWED_ACCESS,
&domain_sid, &domain_pol);
else if (StrCaseCmp(argv[1], "builtin")==0)
result = cli_samr_open_domain(cli, mem_ctx, &connect_pol,
MAXIMUM_ALLOWED_ACCESS,
&global_sid_Builtin, &domain_pol);
else
return NT_STATUS_OK;
if (!NT_STATUS_IS_OK(result)) {
goto done;
}
sid_copy(&tmp_sid, &domain_sid);
sid_append_rid(&tmp_sid, user_rid);
init_dom_sid2(&sid, &tmp_sid);
result = cli_samr_query_useraliases(cli, mem_ctx, &domain_pol, 1, &sid, &num_aliases, &alias_rids);
if (!NT_STATUS_IS_OK(result)) {
goto done;
}
for (i = 0; i < num_aliases; i++) {
printf("\tgroup rid:[0x%x]\n", alias_rids[i]);
}
done:
return result;
}
