author | Andrew Tridgell <tridge@samba.org> | 2003-01-28 21:31:45 +0000 |
---|---|---|
committer | Andrew Tridgell <tridge@samba.org> | 2003-01-28 21:31:45 +0000 |
commit | 79b26867c0ff712e9400f06fdb0a65bcb5e668b7 (patch) | |
tree | 9a5cf66cb51cf255321d3e3d419bfe1d1552d4b1 | |
parent | 4571637a4bdd0d63367186f5612e49934fe568f6 (diff) | |
added LsaRemoveAccountRights
this now gives us complete remove privileges control in the client
libs, so we are in good shape for starting on the server side.
(This used to be commit bf99440398db86f46233eb2f5adddffb61280a1b)
-rw-r--r-- | source3/include/rpc_lsa.h | 23 | ||||
-rw-r--r-- | source3/rpc_client/cli_lsarpc.c | 42 | ||||
-rw-r--r-- | source3/rpc_parse/parse_lsa.c | 61 | ||||
-rw-r--r-- | source3/rpcclient/cmd_lsarpc.c | 41 |
4 files changed, 163 insertions, 4 deletions
diff --git a/source3/include/rpc_lsa.h b/source3/include/rpc_lsa.h index 78dbae4cdf..33dde6e3cb 100644 --- a/source3/include/rpc_lsa.h +++ b/source3/include/rpc_lsa.h @@ -516,14 +516,14 @@ typedef struct lsa_r_enum_privs } LSA_R_ENUM_PRIVS; /* LSA_Q_ENUM_ACCT_RIGHTS - LSA enum account rights */ -typedef struct lsa_q_enum_acct_rights +typedef struct { POLICY_HND pol; /* policy handle */ DOM_SID2 sid; } LSA_Q_ENUM_ACCT_RIGHTS; /* LSA_R_ENUM_ACCT_RIGHTS - LSA enum account rights */ -typedef struct lsa_r_enum_acct_rights +typedef struct { uint32 count; UNISTR2_ARRAY rights; @@ -541,12 +541,29 @@ typedef struct } LSA_Q_ADD_ACCT_RIGHTS; /* LSA_R_ADD_ACCT_RIGHTS - LSA add account rights */ -typedef struct lsa_r_add_acct_rights +typedef struct { NTSTATUS status; } LSA_R_ADD_ACCT_RIGHTS; +/* LSA_Q_REMOVE_ACCT_RIGHTS - LSA remove account rights */ +typedef struct +{ + POLICY_HND pol; /* policy handle */ + DOM_SID2 sid; + uint32 removeall; + UNISTR2_ARRAY rights; + uint32 count; +} LSA_Q_REMOVE_ACCT_RIGHTS; + +/* LSA_R_REMOVE_ACCT_RIGHTS - LSA remove account rights */ +typedef struct +{ + NTSTATUS status; +} LSA_R_REMOVE_ACCT_RIGHTS; + + /* LSA_Q_PRIV_GET_DISPNAME - LSA get privilege display name */ typedef struct lsa_q_priv_get_dispname { diff --git a/source3/rpc_client/cli_lsarpc.c b/source3/rpc_client/cli_lsarpc.c index 625e06f3ba..84b5aa725a 100644 --- a/source3/rpc_client/cli_lsarpc.c +++ b/source3/rpc_client/cli_lsarpc.c 
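Review bot: In rpc_lsa.h the new `LSA_Q_REMOVE_ACCT_RIGHTS` carries a `uint32 count` next to `UNISTR2_ARRAY rights`, and nothing in this commit puts that member on the wire. `lsa_io_q_remove_acct_rights` in parse_lsa.c marshals `q_q->rights.count`, while `init_q_remove_acct_rights` assigns the literal `q_q->count = 5;` whatever `count` the caller passed. On a request that strips rights from an account, a field that looks authoritative but holds a constant invites a later change that trusts it. Either drop the member, or set it with `q_q->count = count;` and add a comment on the struct saying which of the two counts is sent.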
@@ -1250,6 +1250,48 @@ done: } +/* remove account rights for an account. */ + +NTSTATUS cli_lsa_remove_account_rights(struct cli_state *cli, TALLOC_CTX *mem_ctx, + POLICY_HND *pol, DOM_SID sid, BOOL removeall, + uint32 count, const char **privs_name) +{ + prs_struct qbuf, rbuf; + LSA_Q_REMOVE_ACCT_RIGHTS q; + LSA_R_REMOVE_ACCT_RIGHTS r; + NTSTATUS result; + + ZERO_STRUCT(q); + + /* Initialise parse structures */ + prs_init(&qbuf, MAX_PDU_FRAG_LEN, mem_ctx, MARSHALL); + prs_init(&rbuf, 0, mem_ctx, UNMARSHALL); + + /* Marshall data and send request */ + init_q_remove_acct_rights(&q, pol, &sid, removeall?1:0, count, privs_name); + + if (!lsa_io_q_remove_acct_rights("", &q, &qbuf, 0) || + !rpc_api_pipe_req(cli, LSA_REMOVEACCTRIGHTS, &qbuf, &rbuf)) { + result = NT_STATUS_UNSUCCESSFUL; + goto done; + } + + /* Unmarshall response */ + + if (!lsa_io_r_remove_acct_rights("", &r, &rbuf, 0)) { + result = NT_STATUS_UNSUCCESSFUL; + goto done; + } + + if (!NT_STATUS_IS_OK(result = r.status)) { + goto done; + } +done: + + return result; +} + + #if 0 /** An example of how to use the routines in this file. Fetch a DOMAIN diff --git a/source3/rpc_parse/parse_lsa.c b/source3/rpc_parse/parse_lsa.c index ac0242b113..3c9c02a23a 100644 --- a/source3/rpc_parse/parse_lsa.c +++ b/source3/rpc_parse/parse_lsa.c 
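Review bot: `cli_lsa_remove_account_rights` in cli_lsarpc.c never releases `qbuf` and `rbuf`: every path, including the two `NT_STATUS_UNSUCCESSFUL` exits, reaches `done:` and returns immediately. If `prs_init` allocates the PDU buffer outside `mem_ctx` (its definition is not on this page, so confirm), each call leaks `MAX_PDU_FRAG_LEN` bytes plus the reply buffer. Adding `prs_mem_free(&qbuf);` and `prs_mem_free(&rbuf);` directly after the `done:` label would cover all exits. `r` is also left uninitialised where `q` gets `ZERO_STRUCT(q)`; a matching `ZERO_STRUCT(r);` keeps `r.status` defined if the unmarshalling code ever returns early with success.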
@@ -2356,3 +2356,64 @@ BOOL lsa_io_r_add_acct_rights(const char *desc, LSA_R_ADD_ACCT_RIGHTS *r_c, prs_ return True; } + + +/******************************************************************* + Inits an LSA_Q_REMOVE_ACCT_RIGHTS structure. +********************************************************************/ +void init_q_remove_acct_rights(LSA_Q_REMOVE_ACCT_RIGHTS *q_q, + POLICY_HND *hnd, + DOM_SID *sid, + uint32 removeall, + uint32 count, + const char **rights) +{ + DEBUG(5, ("init_q_remove_acct_rights\n")); + + q_q->pol = *hnd; + init_dom_sid2(&q_q->sid, sid); + q_q->removeall = removeall; + init_unistr2_array(&q_q->rights, count, rights); + q_q->count = 5; +} + + +/******************************************************************* +reads or writes a LSA_Q_REMOVE_ACCT_RIGHTS structure. +********************************************************************/ +BOOL lsa_io_q_remove_acct_rights(const char *desc, LSA_Q_REMOVE_ACCT_RIGHTS *q_q, prs_struct *ps, int depth) +{ + prs_debug(ps, depth, desc, "lsa_io_q_remove_acct_rights"); + depth++; + + if (!smb_io_pol_hnd("", &q_q->pol, ps, depth)) + return False; + + if(!smb_io_dom_sid2("sid", &q_q->sid, ps, depth)) + return False; + + if(!prs_uint32("removeall", ps, depth, &q_q->removeall)) + return False; + + if(!prs_uint32("count", ps, depth, &q_q->rights.count)) + return False; + + if(!smb_io_unistr2_array("rights", &q_q->rights, ps, depth)) + return False; + + return True; +} + +/******************************************************************* +reads or writes a LSA_R_ENUM_ACCT_RIGHTS structure. +********************************************************************/ +BOOL lsa_io_r_remove_acct_rights(const char *desc, LSA_R_REMOVE_ACCT_RIGHTS *r_c, prs_struct *ps, int depth) +{ + prs_debug(ps, depth, desc, "lsa_io_r_remove_acct_rights"); + depth++; + + if(!prs_ntstatus("status", ps, depth, &r_c->status)) + return False; + + return True; +} 
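Review bot: The banner above `lsa_io_r_remove_acct_rights` in parse_lsa.c still reads `reads or writes a LSA_R_ENUM_ACCT_RIGHTS structure.`, which looks copied from another function; it should name `LSA_R_REMOVE_ACCT_RIGHTS`. The banner on `init_q_remove_acct_rights` would also benefit from one line stating that `count` is the number of entries in `rights` and what a non-zero `removeall` asks the server to do. That contract matters because `rights` is handed to `init_unistr2_array` together with `count` and no bounds or NULL check is visible in this hunk.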
diff --git a/source3/rpcclient/cmd_lsarpc.c b/source3/rpcclient/cmd_lsarpc.c index 991e56fece..8afeb8e83b 100644 --- a/source3/rpcclient/cmd_lsarpc.c +++ b/source3/rpcclient/cmd_lsarpc.c @@ -578,6 +578,44 @@ static NTSTATUS cmd_lsa_add_acct_rights(struct cli_state *cli, } +/* remove some privileges to a SID via LsaRemoveAccountRights */ + +static NTSTATUS cmd_lsa_remove_acct_rights(struct cli_state *cli, + TALLOC_CTX *mem_ctx, int argc, + const char **argv) +{ + POLICY_HND dom_pol; + NTSTATUS result = NT_STATUS_UNSUCCESSFUL; + + DOM_SID sid; + + if (argc < 3 ) { + printf("Usage: %s SID [rights...]\n", argv[0]); + return NT_STATUS_OK; + } + + result = name_to_sid(cli, mem_ctx, &sid, argv[1]); + if (!NT_STATUS_IS_OK(result)) + goto done; + + result = cli_lsa_open_policy2(cli, mem_ctx, True, + SEC_RIGHTS_MAXIMUM_ALLOWED, + &dom_pol); + + if (!NT_STATUS_IS_OK(result)) + goto done; + + result = cli_lsa_remove_account_rights(cli, mem_ctx, &dom_pol, sid, + False, argc-2, argv+2); + + if (!NT_STATUS_IS_OK(result)) + goto done; + + done: + return result; +} + + /* Get a privilege value given its name */ static NTSTATUS cmd_lsa_lookupprivvalue(struct cli_state *cli, 
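Review bot: `cmd_lsa_remove_acct_rights` opens a policy handle with `cli_lsa_open_policy2` and `SEC_RIGHTS_MAXIMUM_ALLOWED`, but no close call is visible before or after `done:`, so the handle appears to stay open on the server on both the success and the failure path. Closing it once the open has succeeded, and requesting only the access this operation needs rather than the maximum, would keep the command closer to least privilege. Separately, the usage line prints `SID [rights...]` as if rights were optional while the guard is `argc < 3`, and a malformed call returns `NT_STATUS_OK`. `printf("Usage: %s SID right [rights...]\n", argv[0]);` would match the check.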
@@ -665,7 +703,8 @@ struct cmd_set lsarpc_commands[] = { { "lsaenumsid", cmd_lsa_enum_sids, PI_LSARPC, "Enumerate the LSA SIDS", "" }, { "lsaenumprivsaccount", cmd_lsa_enum_privsaccounts, PI_LSARPC, "Enumerate the privileges of an SID", "" }, { "lsaenumacctrights", cmd_lsa_enum_acct_rights, PI_LSARPC, "Enumerate the rights of an SID", "" }, - { "lsaaddacctrights", cmd_lsa_add_acct_rights, PI_LSARPC, "Add rights to an account", "" }, + { "lsaaddacctrights", cmd_lsa_add_acct_rights, PI_LSARPC, "Add rights to an account", "" }, + { "lsaremoveacctrights", cmd_lsa_remove_acct_rights, PI_LSARPC, "Remove rights from an account", "" }, { "lsalookupprivvalue", cmd_lsa_lookupprivvalue, PI_LSARPC, "Get a privilege value given its name", "" }, { "lsaquerysecobj", cmd_lsa_query_secobj, PI_LSARPC, "Query LSA security object", "" }, |