/*
Unix SMB/CIFS implementation.
RPC pipe client
Copyright (C) Tim Potter 2000-2001,
Copyright (C) Andrew Tridgell 1992-1997,2000,
Copyright (C) Rafal Szczesniak 2002
Copyright (C) Jeremy Allison 2005.
Copyright (C) Michael Adam 2007.
Copyright (C) Guenther Deschner 2008.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see .
*/
#include "includes.h"
/** @defgroup lsa LSA - Local Security Architecture
* @ingroup rpc_client
*
* @{
**/
/**
* @file cli_lsarpc.c
*
* RPC client routines for the LSA RPC pipe. LSA means "local
* security authority", which is half of a password database.
**/
/** Open a LSA policy handle
*
* @param cli Handle on an initialised SMB connection */
NTSTATUS rpccli_lsa_open_policy(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx,
bool sec_qos, uint32 des_access,
POLICY_HND *pol)
{
struct lsa_ObjectAttribute attr;
struct lsa_QosInfo qos;
uint16_t system_name = '\\';
if (sec_qos) {
init_lsa_sec_qos(&qos, 0xc, 2, 1, 0);
init_lsa_obj_attr(&attr,
0x18,
NULL,
NULL,
0,
NULL,
&qos);
} else {
init_lsa_obj_attr(&attr,
0x18,
NULL,
NULL,
0,
NULL,
NULL);
}
return rpccli_lsa_OpenPolicy(cli, mem_ctx,
&system_name,
&attr,
des_access,
pol);
}
/** Open a LSA policy handle
*
* @param cli Handle on an initialised SMB connection
*/
NTSTATUS rpccli_lsa_open_policy2(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx, bool sec_qos,
uint32 des_access, POLICY_HND *pol)
{
struct lsa_ObjectAttribute attr;
struct lsa_QosInfo qos;
if (sec_qos) {
init_lsa_sec_qos(&qos, 0xc, 2, 1, 0);
init_lsa_obj_attr(&attr,
0x18,
NULL,
NULL,
0,
NULL,
&qos);
} else {
init_lsa_obj_attr(&attr,
0x18,
NULL,
NULL,
0,
NULL,
NULL);
}
return rpccli_lsa_OpenPolicy2(cli, mem_ctx,
cli->cli->srv_name_slash,
&attr,
des_access,
pol);
}
/* Lookup a list of sids
*
* internal version withOUT memory allocation of the target arrays.
* this assumes suffciently sized arrays to store domains, names and types. */
static NTSTATUS rpccli_lsa_lookup_sids_noalloc(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx,
POLICY_HND *pol,
int num_sids,
const DOM_SID *sids,
char **domains,
char **names,
enum lsa_SidType *types)
{
NTSTATUS result = NT_STATUS_OK;
TALLOC_CTX *tmp_ctx = NULL;
int i;
struct lsa_SidArray sid_array;
struct lsa_RefDomainList *ref_domains = NULL;
struct lsa_TransNameArray lsa_names;
uint32_t count = 0;
uint16_t level = 1;
ZERO_STRUCT(lsa_names);
tmp_ctx = talloc_new(mem_ctx);
if (!tmp_ctx) {
DEBUG(0, ("rpccli_lsa_lookup_sids_noalloc: out of memory!\n"));
result = NT_STATUS_UNSUCCESSFUL;
goto done;
}
sid_array.num_sids = num_sids;
sid_array.sids = TALLOC_ARRAY(mem_ctx, struct lsa_SidPtr, num_sids);
if (!sid_array.sids) {
return NT_STATUS_NO_MEMORY;
}
for (i = 0; idomains[dom_idx].name.string;
name = lsa_names.names[i].name.string;
if (name) {
(names)[i] = talloc_strdup(mem_ctx, name);
if ((names)[i] == NULL) {
DEBUG(0, ("cli_lsa_lookup_sids_noalloc(): out of memory\n"));
result = NT_STATUS_UNSUCCESSFUL;
goto done;
}
} else {
(names)[i] = NULL;
}
(domains)[i] = talloc_strdup(mem_ctx, dom_name);
(types)[i] = lsa_names.names[i].sid_type;
if (((domains)[i] == NULL)) {
DEBUG(0, ("cli_lsa_lookup_sids_noalloc(): out of memory\n"));
result = NT_STATUS_UNSUCCESSFUL;
goto done;
}
} else {
(names)[i] = NULL;
(domains)[i] = NULL;
(types)[i] = SID_NAME_UNKNOWN;
}
}
done:
TALLOC_FREE(tmp_ctx);
return result;
}
/* Lookup a list of sids
*
* do it the right way: there is a limit (of 20480 for w2k3) entries
* returned by this call. when the sids list contains more entries,
* empty lists are returned. This version of lsa_lookup_sids passes
* the list of sids in hunks of LOOKUP_SIDS_HUNK_SIZE to the lsa call. */
/* This constant defines the limit of how many sids to look up
* in one call (maximum). the limit from the server side is
* at 20480 for win2k3, but we keep it at a save 1000 for now. */
#define LOOKUP_SIDS_HUNK_SIZE 1000
NTSTATUS rpccli_lsa_lookup_sids(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx,
POLICY_HND *pol,
int num_sids,
const DOM_SID *sids,
char ***pdomains,
char ***pnames,
enum lsa_SidType **ptypes)
{
NTSTATUS result = NT_STATUS_OK;
int sids_left = 0;
int sids_processed = 0;
const DOM_SID *hunk_sids = sids;
char **hunk_domains;
char **hunk_names;
enum lsa_SidType *hunk_types;
char **domains = NULL;
char **names = NULL;
enum lsa_SidType *types = NULL;
if (num_sids) {
if (!(domains = TALLOC_ARRAY(mem_ctx, char *, num_sids))) {
DEBUG(0, ("rpccli_lsa_lookup_sids(): out of memory\n"));
result = NT_STATUS_NO_MEMORY;
goto fail;
}
if (!(names = TALLOC_ARRAY(mem_ctx, char *, num_sids))) {
DEBUG(0, ("rpccli_lsa_lookup_sids(): out of memory\n"));
result = NT_STATUS_NO_MEMORY;
goto fail;
}
if (!(types = TALLOC_ARRAY(mem_ctx, enum lsa_SidType, num_sids))) {
DEBUG(0, ("rpccli_lsa_lookup_sids(): out of memory\n"));
result = NT_STATUS_NO_MEMORY;
goto fail;
}
}
sids_left = num_sids;
hunk_domains = domains;
hunk_names = names;
hunk_types = types;
while (sids_left > 0) {
int hunk_num_sids;
NTSTATUS hunk_result = NT_STATUS_OK;
hunk_num_sids = ((sids_left > LOOKUP_SIDS_HUNK_SIZE)
? LOOKUP_SIDS_HUNK_SIZE
: sids_left);
DEBUG(10, ("rpccli_lsa_lookup_sids: processing items "
"%d -- %d of %d.\n",
sids_processed,
sids_processed + hunk_num_sids - 1,
num_sids));
hunk_result = rpccli_lsa_lookup_sids_noalloc(cli,
mem_ctx,
pol,
hunk_num_sids,
hunk_sids,
hunk_domains,
hunk_names,
hunk_types);
if (!NT_STATUS_IS_OK(hunk_result) &&
!NT_STATUS_EQUAL(hunk_result, STATUS_SOME_UNMAPPED) &&
!NT_STATUS_EQUAL(hunk_result, NT_STATUS_NONE_MAPPED))
{
/* An actual error occured */
result = hunk_result;
goto fail;
}
/* adapt overall result */
if (( NT_STATUS_IS_OK(result) &&
!NT_STATUS_IS_OK(hunk_result))
||
( NT_STATUS_EQUAL(result, NT_STATUS_NONE_MAPPED) &&
!NT_STATUS_EQUAL(hunk_result, NT_STATUS_NONE_MAPPED)))
{
result = STATUS_SOME_UNMAPPED;
}
sids_left -= hunk_num_sids;
sids_processed += hunk_num_sids; /* only used in DEBUG */
hunk_sids += hunk_num_sids;
hunk_domains += hunk_num_sids;
hunk_names += hunk_num_sids;
hunk_types += hunk_num_sids;
}
*pdomains = domains;
*pnames = names;
*ptypes = types;
return result;
fail:
TALLOC_FREE(domains);
TALLOC_FREE(names);
TALLOC_FREE(types);
return result;
}
/** Lookup a list of names */
NTSTATUS rpccli_lsa_lookup_names(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx,
POLICY_HND *pol, int num_names,
const char **names,
const char ***dom_names,
int level,
DOM_SID **sids,
enum lsa_SidType **types)
{
NTSTATUS result;
int i;
struct lsa_String *lsa_names = NULL;
struct lsa_RefDomainList *domains = NULL;
struct lsa_TransSidArray sid_array;
uint32_t count = 0;
ZERO_STRUCT(sid_array);
lsa_names = TALLOC_ARRAY(mem_ctx, struct lsa_String, num_names);
if (!lsa_names) {
return NT_STATUS_NO_MEMORY;
}
for (i=0; idomains[dom_idx].sid);
if (dom_rid != 0xffffffff) {
sid_append_rid(sid, dom_rid);
}
(*types)[i] = sid_array.sids[i].sid_type;
if (dom_names == NULL) {
continue;
}
(*dom_names)[i] = domains->domains[dom_idx].name.string;
}
done:
return result;
}
#if 0
/** An example of how to use the routines in this file. Fetch a DOMAIN
sid. Does complete cli setup / teardown anonymously. */
bool fetch_domain_sid( char *domain, char *remote_machine, DOM_SID *psid)
{
struct cli_state cli;
NTSTATUS result;
POLICY_HND lsa_pol;
bool ret = False;
ZERO_STRUCT(cli);
if(cli_initialise(&cli) == False) {
DEBUG(0,("fetch_domain_sid: unable to initialize client connection.\n"));
return False;
}
if(!resolve_name( remote_machine, &cli.dest_ip, 0x20)) {
DEBUG(0,("fetch_domain_sid: Can't resolve address for %s\n", remote_machine));
goto done;
}
if (!cli_connect(&cli, remote_machine, &cli.dest_ip)) {
DEBUG(0,("fetch_domain_sid: unable to connect to SMB server on \
machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
goto done;
}
if (!attempt_netbios_session_request(&cli, global_myname(), remote_machine, &cli.dest_ip)) {
DEBUG(0,("fetch_domain_sid: machine %s rejected the NetBIOS session request.\n",
remote_machine));
goto done;
}
cli.protocol = PROTOCOL_NT1;
if (!cli_negprot(&cli)) {
DEBUG(0,("fetch_domain_sid: machine %s rejected the negotiate protocol. \
Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
goto done;
}
if (cli.protocol != PROTOCOL_NT1) {
DEBUG(0,("fetch_domain_sid: machine %s didn't negotiate NT protocol.\n",
remote_machine));
goto done;
}
/*
* Do an anonymous session setup.
*/
if (!cli_session_setup(&cli, "", "", 0, "", 0, "")) {
DEBUG(0,("fetch_domain_sid: machine %s rejected the session setup. \
Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
goto done;
}
if (!(cli.sec_mode & NEGOTIATE_SECURITY_USER_LEVEL)) {
DEBUG(0,("fetch_domain_sid: machine %s isn't in user level security mode\n",
remote_machine));
goto done;
}
if (!cli_send_tconX(&cli, "IPC$", "IPC", "", 1)) {
DEBUG(0,("fetch_domain_sid: machine %s rejected the tconX on the IPC$ share. \
Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
goto done;
}
/* Fetch domain sid */
if (!cli_nt_session_open(&cli, PI_LSARPC)) {
DEBUG(0, ("fetch_domain_sid: Error connecting to SAM pipe\n"));
goto done;
}
result = cli_lsa_open_policy(&cli, cli.mem_ctx, True, SEC_RIGHTS_QUERY_VALUE, &lsa_pol);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(0, ("fetch_domain_sid: Error opening lsa policy handle. %s\n",
nt_errstr(result) ));
goto done;
}
result = cli_lsa_query_info_policy(&cli, cli.mem_ctx, &lsa_pol, 5, domain, psid);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(0, ("fetch_domain_sid: Error querying lsa policy handle. %s\n",
nt_errstr(result) ));
goto done;
}
ret = True;
done:
cli_shutdown(&cli);
return ret;
}
#endif