added cli_lsa_enum_account_rights() call. Note that this is in

principal similar to the existing cli_lsa_enum_privsaccount() call,
except that cli_lsa_enum_account_rights() doesn't require a call to
open_account first. There is also the minor matter that
cli_lsa_enum_account_rights() works whereas
cli_lsa_enum_privsaccount() doesn't!

this call can be used to find what privileges an account or group
has. This is a first step towards proper privileges support in Samba.
(This used to be commit 65bac11d716f873dcdbda528313c33634c26a072)

6 files changed, 247 insertions, 0 deletions

diff --git a/source3/include/rpc_lsa.h b/source3/include/rpc_lsa.h
index 39f3e47dc8..a220b3f70d 100644
--- a/source3/include/rpc_lsa.h
+++ b/source3/include/rpc_lsa.h
@@ -515,6 +515,23 @@ typedef struct lsa_r_enum_privs
 	NTSTATUS status;
 } LSA_R_ENUM_PRIVS;
 
+/* LSA_Q_ENUM_ACCOUNTS - LSA enum account rights */
+typedef struct lsa_q_enum_acct_rights
+{
+	POLICY_HND pol; /* policy handle */
+	uint32 count; /* what is this for in the query? */
+	DOM_SID sid;
+} LSA_Q_ENUM_ACCT_RIGHTS;
+
+/* LSA_R_ENUM_ACCOUNTS - LSA enum account rights */
+typedef struct lsa_r_enum_acct_rights
+{
+	uint32 count;
+	UNISTR_ARRAY rights;
+	NTSTATUS status;
+} LSA_R_ENUM_ACCT_RIGHTS;
+
+
 /* LSA_Q_PRIV_GET_DISPNAME - LSA get privilege display name */
 typedef struct lsa_q_priv_get_dispname
 {
diff --git a/source3/include/rpc_misc.h b/source3/include/rpc_misc.h
index e47853c2a2..1b956826eb 100644
--- a/source3/include/rpc_misc.h
+++ b/source3/include/rpc_misc.h
@@ -210,6 +210,22 @@ typedef struct unistr3_info
 
 } UNISTR3;
 
+/* an element in a unicode string array */
+typedef struct
+{
+	uint16 length;
+	uint16 size;
+	uint32 ref_id;
+	UNISTR2 string;
+} UNISTR_ARRAY_EL;
+
+/* an array of unicode strings */
+typedef struct 
+{
+	uint32 ref_id;
+	uint32 count;
+	UNISTR_ARRAY_EL *strings;
+} UNISTR_ARRAY;
 
 /* DOM_RID2 - domain RID structure for ntlsa pipe */
 typedef struct domrid2_info
diff --git a/source3/rpc_client/cli_lsarpc.c b/source3/rpc_client/cli_lsarpc.c
index 6d1d56ee84..2b65c67f15 100644
--- a/source3/rpc_client/cli_lsarpc.c
+++ b/source3/rpc_client/cli_lsarpc.c
@@ -1150,6 +1150,63 @@ NTSTATUS cli_lsa_query_secobj(struct cli_state *cli, TALLOC_CTX *mem_ctx,
 	return result;
 }
 
+
+/* Enumerate account rights This is similar to enum_privileges but
+   takes a SID directly, avoiding the open_account call.
+*/
+
+NTSTATUS cli_lsa_enum_account_rights(struct cli_state *cli, TALLOC_CTX *mem_ctx,
+				     POLICY_HND *pol, DOM_SID sid,
+				     uint32 *count, char ***privs_name)
+{
+	prs_struct qbuf, rbuf;
+	LSA_Q_ENUM_ACCT_RIGHTS q;
+	LSA_R_ENUM_ACCT_RIGHTS r;
+	NTSTATUS result;
+	int i;
+
+	ZERO_STRUCT(q);
+	ZERO_STRUCT(r);
+
+	/* Initialise parse structures */
+
+	prs_init(&qbuf, MAX_PDU_FRAG_LEN, mem_ctx, MARSHALL);
+	prs_init(&rbuf, 0, mem_ctx, UNMARSHALL);
+
+	/* Marshall data and send request */
+	init_q_enum_acct_rights(&q, pol, 2, &sid);
+
+	if (!lsa_io_q_enum_acct_rights("", &q, &qbuf, 0) ||
+	    !rpc_api_pipe_req(cli, LSA_ENUMACCTRIGHTS, &qbuf, &rbuf)) {
+		result = NT_STATUS_UNSUCCESSFUL;
+		goto done;
+	}
+
+	if (!lsa_io_r_enum_acct_rights("", &r, &rbuf, 0)) {
+		result = NT_STATUS_UNSUCCESSFUL;
+		goto done;
+	}
+
+	if (!NT_STATUS_IS_OK(result = r.status)) {
+		goto done;
+	}
+
+	*count = r.count;
+	if (! *count) {
+		goto done;
+	}
+
+	*privs_name = (char **)talloc(mem_ctx, (*count) * sizeof(char **));
+	for (i=0;i<*count;i++) {
+		pull_ucs2_talloc(mem_ctx, &(*privs_name)[i], r.rights.strings[i].string.buffer);
+	}
+
+done:
+
+	return result;
+}
+
+
 #if 0
 
 /** An example of how to use the routines in this file.  Fetch a DOMAIN
diff --git a/source3/rpc_parse/parse_lsa.c b/source3/rpc_parse/parse_lsa.c
index 56398e7cf0..7c9f74da37 100644
--- a/source3/rpc_parse/parse_lsa.c
+++ b/source3/rpc_parse/parse_lsa.c
@@ -2236,3 +2236,63 @@ BOOL lsa_io_r_query_info2(const char *desc, LSA_R_QUERY_INFO2 *r_c,
 
 	return True;
 }
+
+
+/*******************************************************************
+ Inits an LSA_Q_ENUM_ACCT_RIGHTS structure.
+********************************************************************/
+void init_q_enum_acct_rights(LSA_Q_ENUM_ACCT_RIGHTS *q_q, 
+			     POLICY_HND *hnd, 
+			     uint32 count, 
+			     DOM_SID *sid)
+{
+	DEBUG(5, ("init_q_enum_acct_rights\n"));
+
+	q_q->pol = *hnd;
+	q_q->count = count;
+	q_q->sid = *sid;
+}
+
+/*******************************************************************
+reads or writes a LSA_Q_ENUM_ACCT_RIGHTS structure.
+********************************************************************/
+BOOL lsa_io_q_enum_acct_rights(const char *desc, LSA_Q_ENUM_ACCT_RIGHTS *q_q, prs_struct *ps, int depth)
+{
+	if (q_q == NULL)
+		return False;
+
+	prs_debug(ps, depth, desc, "lsa_io_q_enum_acct_rights");
+	depth++;
+
+	if (!smb_io_pol_hnd("", &q_q->pol, ps, depth))
+		return False;
+
+	if(!prs_uint32("count   ", ps, depth, &q_q->count))
+		return False;
+
+	if(!smb_io_dom_sid("sid", &q_q->sid, ps, depth))
+		return False;
+
+	return True;
+}
+
+
+/*******************************************************************
+reads or writes a LSA_R_ENUM_ACCT_RIGHTS structure.
+********************************************************************/
+BOOL lsa_io_r_enum_acct_rights(const char *desc, LSA_R_ENUM_ACCT_RIGHTS *r_c, prs_struct *ps, int depth)
+{
+	prs_debug(ps, depth, desc, "lsa_io_r_enum_acct_rights");
+	depth++;
+
+	if(!prs_uint32("count   ", ps, depth, &r_c->count))
+		return False;
+
+	if(!smb_io_unistr_array("rights", &r_c->rights, ps, depth))
+		return False;
+
+	if(!prs_ntstatus("status", ps, depth, &r_c->status))
+		return False;
+
+	return True;
+}
diff --git a/source3/rpc_parse/parse_misc.c b/source3/rpc_parse/parse_misc.c
index a9157e29b6..9d3bd6f28a 100644
--- a/source3/rpc_parse/parse_misc.c
+++ b/source3/rpc_parse/parse_misc.c
@@ -1042,6 +1042,55 @@ BOOL smb_io_unistr2(const char *desc, UNISTR2 *uni2, uint32 buffer, prs_struct *
 	return True;
 }
 
+
+/*******************************************************************
+ Reads or writes a UNISTR_ARRAY structure.
+********************************************************************/
+BOOL smb_io_unistr_array(const char *desc, UNISTR_ARRAY *array, prs_struct *ps, int depth)
+{
+	int i;
+
+	depth++;
+
+	array->count = 0;
+
+	if(!prs_uint32("ref_id", ps, depth, &array->ref_id))
+		return False;
+
+	if (! array->ref_id) {
+		return True;
+	}
+
+	if(!prs_uint32("count", ps, depth, &array->count))
+		return False;
+
+	if (array->count == 0) {
+		return True;
+	}
+
+	array->strings = talloc_zero(get_talloc_ctx(), array->count * sizeof(array->strings[0]));
+	if (! array->strings) {
+		return False;
+	}
+
+	for (i=0;i<array->count;i++) {
+		if(!prs_uint16("length", ps, depth, &array->strings[i].length))
+			return False;
+		if(!prs_uint16("size", ps, depth, &array->strings[i].size))
+			return False;
+		if(!prs_uint32("ref_id", ps, depth, &array->strings[i].ref_id))
+			return False;
+	}
+
+	for (i=0;i<array->count;i++) {
+		if (! smb_io_unistr2("string", &array->strings[i].string, array->strings[i].ref_id, ps, depth)) 
+			return False;
+	}
+	
+	return True;
+}
+
+
 /*******************************************************************
  Inits a DOM_RID2 structure.
 ********************************************************************/
diff --git a/source3/rpcclient/cmd_lsarpc.c b/source3/rpcclient/cmd_lsarpc.c
index 8eb8ce8754..e1c6fe5d3d 100644
--- a/source3/rpcclient/cmd_lsarpc.c
+++ b/source3/rpcclient/cmd_lsarpc.c
@@ -453,6 +453,53 @@ static NTSTATUS cmd_lsa_enum_privsaccounts(struct cli_state *cli,
 	return result;
 }
 
+
+/* Enumerate the privileges of an SID via LsaEnumerateAccountRights */
+
+static NTSTATUS cmd_lsa_enum_acct_rights(struct cli_state *cli, 
+					 TALLOC_CTX *mem_ctx, int argc, 
+					 char **argv) 
+{
+	POLICY_HND dom_pol;
+	NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
+	uint32 access_desired = 0x000f000f;
+	
+	DOM_SID sid;
+	uint32 count;
+	char **rights;
+
+	int i;
+
+	if (argc != 2 ) {
+		printf("Usage: %s SID\n", argv[0]);
+		return NT_STATUS_OK;
+	}
+
+	string_to_sid(&sid, argv[1]);
+
+	result = cli_lsa_open_policy2(cli, mem_ctx, True, 
+				     SEC_RIGHTS_MAXIMUM_ALLOWED,
+				     &dom_pol);
+
+	if (!NT_STATUS_IS_OK(result))
+		goto done;
+
+	result = cli_lsa_enum_account_rights(cli, mem_ctx, &dom_pol, sid, &count, &rights);
+
+	if (!NT_STATUS_IS_OK(result))
+		goto done;
+
+	printf("found %d privileges for SID %s\n", count, argv[1]);
+
+	for (i = 0; i < count; i++) {
+		printf("\t%s\n", rights[i]);
+	}
+
+ done:
+	return result;
+}
+
+
 /* Get a privilege value given its name */
 
 static NTSTATUS cmd_lsa_lookupprivvalue(struct cli_state *cli, 
@@ -539,6 +586,7 @@ struct cmd_set lsarpc_commands[] = {
 	{ "getdispname",         cmd_lsa_get_dispname,       PI_LSARPC, "Get the privilege name",               "" },
 	{ "lsaenumsid",          cmd_lsa_enum_sids,          PI_LSARPC, "Enumerate the LSA SIDS",               "" },
 	{ "lsaenumprivsaccount", cmd_lsa_enum_privsaccounts, PI_LSARPC, "Enumerate the privileges of an SID",   "" },
+	{ "lsaenumacctrights",   cmd_lsa_enum_acct_rights,   PI_LSARPC, "Enumerate the rights of an SID",   "" },
 	{ "lsalookupprivvalue",  cmd_lsa_lookupprivvalue,    PI_LSARPC, "Get a privilege value given its name", "" },
 	{ "lsaquerysecobj",      cmd_lsa_query_secobj,       PI_LSARPC, "Query LSA security object", "" },