r5912: - Enhance net rpc rights utility

- Make it possible to list users that are given a specific privilege
- Make the lisitng interface a bit more usable by distinguishing
  between "keys" and "names", using user names directly still
  supported for backward compatibility

diff --git a/source/utils/net_rpc_rights.c b/source/utils/net_rpc_rights.c
index 32cb6a4650b7499a79c635cf7283d807929de790..ce95226951d4dec477db297db7fb75c8be7f1687 100644 (file)
--- a/source/utils/net_rpc_rights.c
+++ b/source/utils/net_rpc_rights.c
@@ -133,6 +133,36 @@ static NTSTATUS enum_privileges( TALLOC_CTX *ctx, struct cli_state *cli,
 /********************************************************************
 ********************************************************************/
 
+static NTSTATUS check_privilege_for_user( TALLOC_CTX *ctx, struct cli_state *cli,
+                                          POLICY_HND *pol, DOM_SID *sid, const char *right)
+{
+       NTSTATUS result;
+       uint32 count;
+       char **rights;
+       int i;
+
+       result = cli_lsa_enum_account_rights(cli, ctx, pol, sid, &count, &rights);
+
+       if (!NT_STATUS_IS_OK(result)) {
+               return result;
+       }
+
+       if (count == 0) {
+               return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+       }
+               
+       for (i = 0; i < count; i++) {
+               if (StrCaseCmp(rights[i], right) == 0) {
+                       return NT_STATUS_OK;
+               }
+       }
+
+       return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+}
+
+/********************************************************************
+********************************************************************/
+
 static NTSTATUS enum_privileges_for_user( TALLOC_CTX *ctx, struct cli_state *cli,
                                           POLICY_HND *pol, DOM_SID *sid )
 {
@@ -159,6 +189,52 @@ static NTSTATUS enum_privileges_for_user( TALLOC_CTX *ctx, struct cli_state *cli
 /********************************************************************
 ********************************************************************/
 
+static NTSTATUS enum_accounts_for_privilege(TALLOC_CTX *ctx, struct cli_state *cli,
+                                           POLICY_HND *pol, const char *privilege)
+{
+       NTSTATUS result;
+       uint32 enum_context=0;
+       uint32 pref_max_length=0x1000;
+       DOM_SID *sids;
+       uint32 count=0;
+       int i;
+       fstring name;
+
+       result = cli_lsa_enum_sids(cli, ctx, pol, &enum_context, 
+               pref_max_length, &count, &sids);
+
+       if (!NT_STATUS_IS_OK(result))
+               return result;
+               
+       d_printf("%s:\n", privilege);
+
+       for ( i=0; i<count; i++ ) {
+       
+                  
+               result = check_privilege_for_user( ctx, cli, pol, &sids[i], privilege);
+               
+               if ( ! NT_STATUS_IS_OK(result)) {
+                       if ( ! NT_STATUS_EQUAL(result, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
+                               return result;
+                       }
+                       continue;
+               }
+
+               /* try to convert the SID to a name.  Fall back to 
+                  printing the raw SID if necessary */
+               result = sid_to_name( cli, ctx, &sids[i], name );
+               if ( !NT_STATUS_IS_OK (result) )
+                       fstrcpy( name, sid_string_static(&sids[i]) );
+                       
+               d_printf("  %s\n", name);
+       }
+
+       return NT_STATUS_OK;
+}
+
+/********************************************************************
+********************************************************************/
+
 static NTSTATUS enum_privileges_for_accounts( TALLOC_CTX *ctx, struct cli_state *cli,
                                               POLICY_HND *pol )
 {
@@ -215,36 +291,68 @@ static NTSTATUS rpc_rights_list_internal( const DOM_SID *domain_sid, const char
        if ( !NT_STATUS_IS_OK(result) )
                return result;
                
-       switch (argc) {
-       case 0:
-               result = enum_privileges( mem_ctx, cli, &pol );
-               break;
-                       
-       case 1:
-               /* special case to enuemrate all privileged SIDs 
-                  with associated rights */
-               
-               if ( strequal( argv[0], "accounts" ) ) {
-                       result = enum_privileges_for_accounts( mem_ctx, cli, &pol );
-               }
-               else {
+       if (argc == 0) {
+               d_printf("Usage: net rpc rights list [accounts|privileges] [name|SID]\n");
+               result = NT_STATUS_OK;
+               goto done;
+       }
+
+       if (strequal(argv[0], "privileges")) {
+               int i = 1;
 
-                       result = name_to_sid(cli, mem_ctx, &sid, argv[0]);
-                       if (!NT_STATUS_IS_OK(result))
-                               goto done;      
-                       result = enum_privileges_for_user( mem_ctx, cli, &pol, &sid );
+               if (argv[1] == NULL) {
+                       result = enum_privileges( mem_ctx, cli, &pol );
+                       goto done;
                }
-               break;
-                       
-       default:                
-               if ( argc > 1 ) {
-                       d_printf("Usage: net rpc rights list [name|SID]\n");
-                       result = NT_STATUS_OK;
+
+               while (argv[i] != NULL) {
+                       result = enum_accounts_for_privilege(mem_ctx, cli, &pol, argv[i]);
+                       if (!NT_STATUS_IS_OK(result)) {
+                               goto done;
+                       }
+                       i++;
                }
+               goto done;
        }
 
+       /* special case to enuemrate all privileged SIDs 
+          with associated rights */
        
+       if (strequal( argv[0], "accounts")) {
+               int i = 1;
+
+               if (argv[1] == NULL) {
+                       result = enum_privileges_for_accounts(mem_ctx, cli, &pol);
+                       goto done;
+               }
 
+               while (argv[i] != NULL) {
+                       result = name_to_sid(cli, mem_ctx, &sid, argv[i]);
+                       if (!NT_STATUS_IS_OK(result)) {
+                               goto done;
+                       }
+                       result = enum_privileges_for_user(mem_ctx, cli, &pol, &sid);
+                       if (!NT_STATUS_IS_OK(result)) {
+                               goto done;
+                       }
+                       i++;
+               }
+               goto done;
+       }
+
+       /* backward comaptibility: if no keyword provided, treat the key
+          as an account name */
+       if (argc > 1) {
+               d_printf("Usage: net rpc rights list [accounts|privileges] [name|SID]\n");
+               result = NT_STATUS_OK;
+               goto done;
+       }
+
+       result = name_to_sid(cli, mem_ctx, &sid, argv[0]);
+       if (!NT_STATUS_IS_OK(result)) {
+               goto done;
+       }
+       result = enum_privileges_for_user( mem_ctx, cli, &pol, &sid );
 
 done:
        cli_lsa_close(cli, mem_ctx, &pol);