diff options
author | Gregor Beck <gbeck@sernet.de> | 2011-06-09 14:32:27 +0200 |
---|---|---|
committer | Michael Adam <obnox@samba.org> | 2011-10-12 03:49:05 +0200 |
commit | 61631f427ad62d8a178f69de483500cdfa881620 (patch) | |
tree | 7e479979748798bfc864b0ce6fea8ab3b0a5eedd | |
parent | 2c78d4c89d4b5b5ba3189fc72d95fc13b5ccb02e (diff) | |
download | samba-61631f427ad62d8a178f69de483500cdfa881620.tar.gz samba-61631f427ad62d8a178f69de483500cdfa881620.tar.bz2 samba-61631f427ad62d8a178f69de483500cdfa881620.zip |
s3:smbcacls get_domain_sid for sddl parsing/formating from lsarpc
get_global_sid panics if we are not root and may give the wrong answer anyway.
Signed-off-by: Michael Adam <obnox@samba.org>
-rw-r--r-- | source3/utils/smbcacls.c | 74 |
1 files changed, 72 insertions, 2 deletions
diff --git a/source3/utils/smbcacls.c b/source3/utils/smbcacls.c index ae0afceba0..50cc9a6a0c 100644 --- a/source3/utils/smbcacls.c +++ b/source3/utils/smbcacls.c @@ -30,6 +30,7 @@ #include "libsmb/libsmb.h" #include "libsmb/clirap.h" #include "passdb/machine_sid.h" +#include "../librpc/gen_ndr/ndr_lsa_c.h" static int test_args; @@ -170,6 +171,75 @@ static NTSTATUS cli_lsa_lookup_name(struct cli_state *cli, return status; } + +static NTSTATUS cli_lsa_lookup_domain_sid(struct cli_state *cli, + struct dom_sid *sid) +{ + union lsa_PolicyInformation *info = NULL; + uint16 orig_cnum = cli_state_get_tid(cli); + struct rpc_pipe_client *rpc_pipe = NULL; + struct policy_handle handle; + NTSTATUS status, result; + TALLOC_CTX *frame = talloc_stackframe(); + const struct ndr_syntax_id *lsarpc_syntax = &ndr_table_lsarpc.syntax_id; + + status = cli_tcon_andx(cli, "IPC$", "?????", "", 0); + if (!NT_STATUS_IS_OK(status)) { + goto done; + } + + status = cli_rpc_pipe_open_noauth(cli, lsarpc_syntax, &rpc_pipe); + if (!NT_STATUS_IS_OK(status)) { + goto tdis; + } + + status = rpccli_lsa_open_policy(rpc_pipe, frame, True, + GENERIC_EXECUTE_ACCESS, &handle); + if (!NT_STATUS_IS_OK(status)) { + goto tdis; + } + + status = dcerpc_lsa_QueryInfoPolicy2(rpc_pipe->binding_handle, + frame, &handle, + LSA_POLICY_INFO_DOMAIN, + &info, &result); + + if (any_nt_status_not_ok(status, result, &status)) { + goto tdis; + } + + *sid = *info->domain.sid; + +tdis: + TALLOC_FREE(rpc_pipe); + cli_tdis(cli); +done: + cli_state_set_tid(cli, orig_cnum); + TALLOC_FREE(frame); + return status; +} + +struct dom_sid* get_domain_sid(struct cli_state *cli) { + NTSTATUS status; + + struct dom_sid *sid = talloc(talloc_tos(), struct dom_sid); + if (sid == NULL) { + DEBUG(0, ("Out of memory\n")); + return NULL; + } + + status = cli_lsa_lookup_domain_sid(cli, sid); + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(sid); + DEBUG(0,("failed to lookup domain sid: %s\n", nt_errstr(status))); + } else { + DEBUG(2,("Domain SID: %s\n", sid_string_dbg(sid))); + } + + return sid; +} + + /* convert a SID to a string, either numeric or username/group */ static void SidToString(struct cli_state *cli, fstring str, const struct dom_sid *sid) { @@ -825,7 +895,7 @@ static int cacl_dump(struct cli_state *cli, const char *filename) if (sd) { if (sddl) { printf("%s\n", sddl_encode(talloc_tos(), sd, - get_global_sam_sid())); + get_domain_sid(cli))); } else { sec_desc_print(cli, stdout, sd); } @@ -943,7 +1013,7 @@ static int cacl_set(struct cli_state *cli, const char *filename, int result = EXIT_OK; if (sddl) { - sd = sddl_decode(talloc_tos(), the_acl, get_global_sam_sid()); + sd = sddl_decode(talloc_tos(), the_acl, get_domain_sid(cli)); } else { sd = sec_desc_parse(talloc_tos(), cli, the_acl); } |