summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJean-François Micouleau <jfm@samba.org>2001-12-02 00:00:21 +0000
committerJean-François Micouleau <jfm@samba.org>2001-12-02 00:00:21 +0000
commitd383b618b4b2a1007568e961627c5a9bf5a38594 (patch)
tree40ab042f2040c9985cfd207009078176c5a1e3c2
parentd78f6366e81913d01e3efac3854aee7e6689b922 (diff)
downloadsamba-d383b618b4b2a1007568e961627c5a9bf5a38594.tar.gz
samba-d383b618b4b2a1007568e961627c5a9bf5a38594.tar.bz2
samba-d383b618b4b2a1007568e961627c5a9bf5a38594.zip
added samr_query_sec_obj. and put back some code to display a security
descriptor. added to samr_lookup_name the choice to select the either the builtin (s-1-5-32) domain or our current domain (s-1-5-21-x-y-z) J.F. (This used to be commit d9d1486165591d9f7dad04f197fa692654a17a59)
-rw-r--r--source3/rpcclient/cmd_samr.c209
1 files changed, 201 insertions, 8 deletions
diff --git a/source3/rpcclient/cmd_samr.c b/source3/rpcclient/cmd_samr.c
index ece2e2a4bd..0b58d0ae4f 100644
--- a/source3/rpcclient/cmd_samr.c
+++ b/source3/rpcclient/cmd_samr.c
@@ -29,6 +29,128 @@
extern DOM_SID domain_sid;
/****************************************************************************
+convert a security permissions into a string
+****************************************************************************/
+char *get_sec_mask_str(uint32 type)
+{
+ static fstring typestr="";
+ int i;
+
+ typestr[0] = 0;
+
+ if (type & GENERIC_ALL_ACCESS)
+ fstrcat(typestr, "Generic all access ");
+ if (type & GENERIC_EXECUTE_ACCESS)
+ fstrcat(typestr, "Generic execute access ");
+ if (type & GENERIC_WRITE_ACCESS)
+ fstrcat(typestr, "Generic write access ");
+ if (type & GENERIC_READ_ACCESS)
+ fstrcat(typestr, "Generic read access ");
+ if (type & MAXIMUM_ALLOWED_ACCESS)
+ fstrcat(typestr, "MAXIMUM_ALLOWED_ACCESS ");
+ if (type & SYSTEM_SECURITY_ACCESS)
+ fstrcat(typestr, "SYSTEM_SECURITY_ACCESS ");
+ if (type & SYNCHRONIZE_ACCESS)
+ fstrcat(typestr, "SYNCHRONIZE_ACCESS ");
+ if (type & WRITE_OWNER_ACCESS)
+ fstrcat(typestr, "WRITE_OWNER_ACCESS ");
+ if (type & WRITE_DAC_ACCESS)
+ fstrcat(typestr, "WRITE_DAC_ACCESS ");
+ if (type & READ_CONTROL_ACCESS)
+ fstrcat(typestr, "READ_CONTROL_ACCESS ");
+ if (type & DELETE_ACCESS)
+ fstrcat(typestr, "DELETE_ACCESS ");
+
+ printf("Specific bits: 0x%x\n", type&SPECIFIC_RIGHTS_MASK);
+
+ return typestr;
+}
+
+/****************************************************************************
+ display sec_access structure
+ ****************************************************************************/
+void display_sec_access(SEC_ACCESS *info)
+{
+ printf("\t\tPermissions: 0x%x: %s\n", info->mask, get_sec_mask_str(info->mask));
+}
+
+/****************************************************************************
+ display sec_ace structure
+ ****************************************************************************/
+void display_sec_ace(SEC_ACE *ace)
+{
+ fstring sid_str;
+
+ printf("\tACE\n\t\ttype: ");
+ switch (ace->type) {
+ case SEC_ACE_TYPE_ACCESS_ALLOWED:
+ printf("ACCESS ALLOWED");
+ break;
+ case SEC_ACE_TYPE_ACCESS_DENIED:
+ printf("ACCESS DENIED");
+ break;
+ case SEC_ACE_TYPE_SYSTEM_AUDIT:
+ printf("SYSTEM AUDIT");
+ break;
+ case SEC_ACE_TYPE_SYSTEM_ALARM:
+ printf("SYSTEM ALARM");
+ break;
+ default:
+ printf("????");
+ break;
+ }
+ printf(" (%d) flags: %d\n", ace->type, ace->flags);
+ display_sec_access(&ace->info);
+ sid_to_string(sid_str, &ace->trustee);
+ printf("\t\tSID: %s\n\n", sid_str);
+}
+
+/****************************************************************************
+ display sec_acl structure
+ ****************************************************************************/
+void display_sec_acl(SEC_ACL *sec_acl)
+{
+ int i;
+
+ printf("\tACL\tNum ACEs:\t%d\trevision:\t%x\n",
+ sec_acl->num_aces, sec_acl->revision);
+ printf("\t---\n");
+
+ if (sec_acl->size != 0 && sec_acl->num_aces != 0)
+ for (i = 0; i < sec_acl->num_aces; i++)
+ display_sec_ace(&sec_acl->ace[i]);
+
+}
+
+/****************************************************************************
+ display sec_desc structure
+ ****************************************************************************/
+void display_sec_desc(SEC_DESC *sec)
+{
+ fstring sid_str;
+
+ if (sec->off_sacl != 0) {
+ printf("S-ACL\n");
+ display_sec_acl(sec->sacl);
+ }
+
+ if (sec->off_dacl != 0) {
+ printf("D-ACL\n");
+ display_sec_acl(sec->dacl);
+ }
+
+ if (sec->off_owner_sid != 0) {
+ sid_to_string(sid_str, sec->owner_sid);
+ printf("\tOwner SID:\t%s\n", sid_str);
+ }
+
+ if (sec->off_grp_sid != 0) {
+ sid_to_string(sid_str, sec->grp_sid);
+ printf("\tParent SID:\t%s\n", sid_str);
+ }
+}
+
+/****************************************************************************
display sam_user_info_21 structure
****************************************************************************/
static void display_sam_user_info_21(SAM_USER_INFO_21 *usr)
@@ -784,9 +906,14 @@ static NTSTATUS cmd_samr_lookup_names(struct cli_state *cli,
uint32 num_rids, num_names, *name_types, *rids;
char **names;
int i;
+ DOM_SID global_sid_Builtin;
- if (argc < 2) {
- printf("Usage: %s name1 [name2 [name3] [...]]\n", argv[0]);
+ string_to_sid(&global_sid_Builtin, "S-1-5-32");
+
+ if (argc < 3) {
+ printf("Usage: %s domain|builtin name1 [name2 [name3] [...]]\n", argv[0]);
+ printf("check on the domain SID: S-1-5-21-x-y-z\n");
+ printf("or check on the builtin SID: S-1-5-32\n");
return NT_STATUS_OK;
}
@@ -799,9 +926,16 @@ static NTSTATUS cmd_samr_lookup_names(struct cli_state *cli,
goto done;
}
- result = cli_samr_open_domain(cli, mem_ctx, &connect_pol,
- MAXIMUM_ALLOWED_ACCESS,
- &domain_sid, &domain_pol);
+ if (StrCaseCmp(argv[1], "domain")==0)
+ result = cli_samr_open_domain(cli, mem_ctx, &connect_pol,
+ MAXIMUM_ALLOWED_ACCESS,
+ &domain_sid, &domain_pol);
+ else if (StrCaseCmp(argv[1], "builtin")==0)
+ result = cli_samr_open_domain(cli, mem_ctx, &connect_pol,
+ MAXIMUM_ALLOWED_ACCESS,
+ &global_sid_Builtin, &domain_pol);
+ else
+ return NT_STATUS_OK;
if (!NT_STATUS_IS_OK(result)) {
goto done;
@@ -809,11 +943,11 @@ static NTSTATUS cmd_samr_lookup_names(struct cli_state *cli,
/* Look up names */
- num_names = argc - 1;
+ num_names = argc - 2;
names = (char **)talloc(mem_ctx, sizeof(char *) * num_names);
- for (i = 0; i < argc - 1; i++)
- names[i] = argv[i + 1];
+ for (i = 0; i < argc - 2; i++)
+ names[i] = argv[i + 2];
result = cli_samr_lookup_names(cli, mem_ctx, &domain_pol,
flags, num_names, names,
@@ -962,6 +1096,64 @@ static NTSTATUS cmd_samr_delete_dom_user(struct cli_state *cli,
return result;
}
+/**********************************************************************
+ * Query user security object
+ */
+static NTSTATUS cmd_samr_query_sec_obj(struct cli_state *cli,
+ TALLOC_CTX *mem_ctx,
+ int argc, char **argv)
+{
+ POLICY_HND connect_pol, domain_pol, user_pol;
+ NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
+ uint32 info_level = 4;
+ fstring server;
+ uint32 user_rid;
+ TALLOC_CTX *ctx = NULL;
+ SEC_DESC_BUF *sec_desc_buf=NULL;
+
+ ctx=talloc_init();
+
+ if (argc != 2) {
+ printf("Usage: %s rid\n", argv[0]);
+ return NT_STATUS_OK;
+ }
+
+ sscanf(argv[1], "%i", &user_rid);
+
+ slprintf (server, sizeof(fstring)-1, "\\\\%s", cli->desthost);
+ strupper (server);
+ result = cli_samr_connect(cli, mem_ctx, MAXIMUM_ALLOWED_ACCESS,
+ &connect_pol);
+
+ if (!NT_STATUS_IS_OK(result))
+ goto done;
+
+ result = cli_samr_open_domain(cli, mem_ctx, &connect_pol,
+ MAXIMUM_ALLOWED_ACCESS,
+ &domain_sid, &domain_pol);
+
+ if (!NT_STATUS_IS_OK(result))
+ goto done;
+
+ result = cli_samr_open_user(cli, mem_ctx, &domain_pol,
+ MAXIMUM_ALLOWED_ACCESS,
+ user_rid, &user_pol);
+
+ if (!NT_STATUS_IS_OK(result))
+ goto done;
+
+ result = cli_samr_query_sec_obj(cli, mem_ctx, &user_pol, info_level, ctx, &sec_desc_buf);
+
+ if (!NT_STATUS_IS_OK(result))
+ goto done;
+
+ display_sec_desc(sec_desc_buf->sec);
+
+done:
+ talloc_destroy(ctx);
+ return result;
+}
+
/* List of commands exported by this module */
struct cmd_set samr_commands[] = {
@@ -981,6 +1173,7 @@ struct cmd_set samr_commands[] = {
{ "samlookupnames", cmd_samr_lookup_names, PIPE_SAMR, "Look up names", "" },
{ "samlookuprids", cmd_samr_lookup_rids, PIPE_SAMR, "Look up names", "" },
{ "deletedomuser", cmd_samr_delete_dom_user, PIPE_SAMR, "Delete domain user", "" },
+ { "querysecobj", cmd_samr_query_sec_obj, PIPE_SAMR, "Query security object", "" },
{ NULL }
};