[Samba] Lookup sid with libsmbclient (invoked from c# on mono)

Aurélien Aptel aaptel at suse.com
Tue Oct 13 10:23:52 UTC 2020


Vincent Le Toux <vincent.letoux at gmail.com> writes:

> Typical example:
> Here is some search & export for libsmbclient:
> adiant at ubuntu:/usr/lib/x86_64-linux-gnu$ nm  -D libsmbclient.so.0 |grep
> cli_rpc_pipe_open_noauth_transport
> <nothing>
> adiant at ubuntu:/usr/lib/x86_64-linux-gnu$ nm  -D libsmbclient.so.0 |grep
> cli_rpc_pipe_open
>                  U cli_rpc_pipe_open_noauth
> adiant at ubuntu:/usr/lib/x86_64-linux-gnu$ nm  -D libsmbclient.so.0 |grep lsa
>                  U ndr_table_lsarpc
>                  U rpccli_lsa_lookup_names
>                  U rpccli_lsa_lookup_sids
>                  U rpccli_lsa_open_policy
>
> So I need to call rpccli_lsa_open_policy you need struct
> rpc_pipe_client *lsa_pipe
> (ex:
> https://gitlab.com/samba-team/devel/samba/-/blob/master/source3/lib/netapi/localgroup.c
> )
> This structure is transformed from struct cli_state *cli, into struct
> rpc_pipe_client *rpccli; you may call  cli_rpc_pipe_open_noauth_transport
> to do that (
> https://gitlab.com/samba-team/devel/samba/-/blob/master/examples/winexe/winexe.c#L458
> )
> cli_rpc_pipe_open_noauth_transport is not exported.

It is exported, but not from the shared library you are inspecting. You can
use ldd(1) to list all the libs rpcclient is linked against and then search
each of them for the symbol:

    $ ldd /usr/bin/rpcclient | perl -nE 'if(m{(/\S+)} && -f $1){system "nm -o -D --defined-only $1";}' | grep rpc_pipe_open
    /usr/lib64/samba/libmsrpc3-samba4.so:0000000000010dd0 T cli_rpc_pipe_open_bind_schannel
    /usr/lib64/samba/libmsrpc3-samba4.so:000000000000d5d0 T cli_rpc_pipe_open_generic_auth
    /usr/lib64/samba/libmsrpc3-samba4.so:000000000000d3b0 T cli_rpc_pipe_open_noauth
    /usr/lib64/samba/libmsrpc3-samba4.so:000000000000d150 T cli_rpc_pipe_open_noauth_transport
    /usr/lib64/samba/libmsrpc3-samba4.so:0000000000013920 T cli_rpc_pipe_open_schannel_with_creds
    /usr/lib64/samba/libmsrpc3-samba4.so:000000000000d3c0 T cli_rpc_pipe_open_with_creds
    /usr/lib64/samba/libmsrpc3-samba4.so:000000000000c230 T rpc_pipe_open_ncalrpc
    /usr/lib64/samba/libmsrpc3-samba4.so:000000000000cb80 T rpc_pipe_open_tcp


> maybe i should use cli_rpc_pipe_open_noauth which is closed, but exported.
>
> Also another example. Sometimes the cli api is called, sometimes the dcerpc
> one.
> Typical example here:
> https://gitlab.com/samba-team/devel/samba/-/blob/master/source3/lib/netapi/localgroup.c#L1028-1045
>
> Do you understand my problem ?
> I have to explore all the possible ways to build that call stack by
> starting from the end.
> That's why I'm asking if there is an easier way to proceed.

As I said earlier, the easiest way is to build this wrapper lib in C by
copying code from rpcclient, and then calling the wrapper from C#. I
don't think there's a lib that does only the lookup through a simple function.

You can also try to use ltrace(1) to trace all the calls to external symbols
that rpcclient makes while running the lookup command. That should make
the job easier if you don't want to copy the rpcclient code. Note that the
example below passes the password on the command line; rpcclient scrubs it
from argv (see popt_burn_cmdline_password in the trace), but it still lands in
your shell history, so use an authentication file (-A/--authentication-file)
or the interactive prompt for real credentials:

    $ ltrace -fo out rpcclient -U administrator%mypassword -c 'lookupnames user1' //192.168.2.110
    user1 S-1-5-21-596735176-1287999152-3436313279-1104 (User: 1)

    $ grep -v -e ' malloc(' -e ' strequal(' -e 'rep_memset_' out
    20582 _talloc_stackframe(0x5559133fbee8, 0x7ffff4a0f998, 0x7ffff4a0f9d0, 32)                = 0x55591472dbf0
    20582 smb_init_locale(0x7ffff4a0f860, 0x55591347b1a0, 0x55591472db80, 0)                    = 0x555914732c30
    20582 zero_sockaddr(0x7ffff4a0f660, 0x7f3e4c71b46c, 1, 0)                                   = 2
    20582 setlinebuf(0x7f3e4dc36500)                                                            = <void>
    20582 setup_logging(0x555913401189, 3, 0, 0)                                                = 1
    20582 lp_set_cmdline(0x5559133fc8b3, 0x5559134010c4, 0x7f3e4e0da668, 0x746e65696c636370)    = 1
    20582 poptGetContext(0x555913401189, 6, 0x7ffff4a0f998, 0x7ffff4a0f6e0)                     = 0x55591473b310
    20582 poptSetOtherOptionHelp(0x55591473b310, 0x5559133fd270, 0x7f3e4d985b11, 0)             = 0x5559147328d0
    20582 poptGetNextOpt(0x55591473b310, 0x5559133fd270, 30, 17)                                = 99
    20582 poptGetNextOpt(0x55591473b310, 0x55591473bae0, 17, 0)                                 = 0xffffffff
    20582 poptGetArg(0x55591473b310, 0x55591474a120, 0x5559146fd010, 0)                         = 0x7ffff4a1108b
    20582 poptGetArg(0x55591473b310, 0x55591474a120, 0, 1)                                      = 0
    20582 poptFreeContext(0x55591473b310, 0x55591474a120, 1, 1)                                 = 0
    20582 popt_burn_cmdline_password(6, 0x7ffff4a0f998, 0x5559146fd010, 2)                      = 1
    20582 get_dyn_CONFIGFILE(0x7f3e4e991197, 0x7ffff4a1108c, 10, 5)                             = 0x7f3e4e8a8053
    20582 cmdline_messaging_context(0x7f3e4e8a8053, 0x7ffff4a1108c, 10, 5)                      = 0
    20582 init_names(0, 0x7ffff4a0f4b0, 0x555914739fd0, 0x7f3e4db425d7)                         = 1
    20582 dcerpc_parse_binding(0x55591472dbf0, 0x7ffff4a1108d, 0x7ffff4a0f650, 1)               = 0
    20582 dcerpc_binding_get_transport(0x555914732f30, 0x55591474a120, 0x5559146fd010, 1)       = 0
    20582 dcerpc_binding_set_transport(0x555914732f30, 1, 0x5559146fd010, 1)                    = 0
    20582 dcerpc_binding_get_string_option(0x555914732f30, 0x5559133fd2b5, 0, 0x1000100)        = 0x55591474bab0
    20582 dcerpc_binding_get_flags(0x555914732f30, 0x5559133fd2b5, 0, 0xeffffbf0)               = 0
    20582 popt_get_cmdline_auth_info(0x555914732f30, 0x5559133fd2b5, 0, 0)                      = 0x55591473b880
    20582 get_cmdline_auth_info_signing_state(0x55591473b880, 0x5559133fd2b5, 0, 0)             = 0xffffffff
    20582 popt_get_cmdline_auth_info(0x55591473b880, 0x5559133fd2b5, 0, 0)                      = 0x55591473b880
    20582 get_cmdline_auth_info_use_kerberos(0x55591473b880, 0x5559133fd2b5, 0, 0)              = 0
    20582 popt_get_cmdline_auth_info(0x5559146fd300, 0x5559133fd2b5, 0, 0)                      = 0x55591473b880
    20582 get_cmdline_auth_info_use_ccache(0x55591473b880, 0x5559133fd2b5, 0, 0)                = 0
    20582 popt_get_cmdline_auth_info(0x5559146fd300, 0x5559133fd2b5, 0, 0)                      = 0x55591473b880
    20582 get_cmdline_auth_info_use_pw_nt_hash(0x55591473b880, 0x5559133fd2b5, 0, 0)            = 0
    20582 popt_get_cmdline_auth_info(0x55591473b880, 0x5559133fd2b5, 0, 0)                      = 0x55591473b880
    20582 get_cmdline_auth_info_domain(0x55591473b880, 0x5559133fd2b5, 0, 0)                    = 0x555914746fa0
    20582 popt_get_cmdline_auth_info(0x5559146fd300, 0x5559133fd2b5, 0x7f3e4e14d197, 0)         = 0x55591473b880
    20582 get_cmdline_auth_info_password(0x55591473b880, 0x5559133fd2b5, 0x7f3e4e14d197, 0)     = 0x55591473bbe0
    20582 popt_get_cmdline_auth_info(0x5559146fd300, 0x5559133fd2b5, 0x7f3e4e14d197, 0)         = 0x55591473b880
    20582 get_cmdline_auth_info_domain(0x55591473b880, 0x5559133fd2b5, 0x7f3e4e14d197, 0)       = 0x555914746fa0
    20582 popt_get_cmdline_auth_info(0x5559146fd300, 0x5559133fd2b5, 0x7f3e4e14d197, 0)         = 0x55591473b880
    20582 get_cmdline_auth_info_username(0x55591473b880, 0x5559133fd2b5, 0x7f3e4e14d197, 0)     = 0x55591474b660
    20582 lp_netbios_name(0x5559146fd300, 0x5559133fd2b5, 0x7f3e4e14d197, 0)                    = 0x55591473c210
    20582 cli_full_connection(0x7ffff4a0f658, 0x55591473c210, 0x55591474bab0, 0)                = 0
    20582 popt_get_cmdline_auth_info(7, 0x55591473b670, 0x55591474bb40, 0)                      = 0x55591473b880
    20582 get_cmdline_auth_info_smb_encrypt(0x55591473b880, 0x55591473b670, 0x55591474bb40, 0)  = 0
    20582 cli_set_timeout(0x555914735d40, 10000, 0x55591474bb40, 0)                             = 0x4e20
    20582 dcerpc_binding_get_transport(0x555914732f30, 0, 0x55591474b520, 0)                    = 1
    20582 strchr_m(0x55591473bcc0, 59, 0x55591474b520, 0)                                       = 0
    20582 strdup("lookupnames user1")                                                           = 0x555914733450
    20582 popt_get_cmdline_auth_info(0x555914733450, 0x55591473bcc0, 18, 48)                    = 0x55591473b880
    20582 poptParseArgvString(0x555914733450, 0x7ffff4a0f5d4, 0x7ffff4a0f5d8, 48)               = 0
    20582 _talloc_stackframe(0x555913449510, 0, 0, 0)                                           = 0x55591474bc20
    20582 cli_rpc_pipe_open_noauth_transport(0x555914735d40, 1, 0x7f3e4e694fe0, 0x55591347f1b0) = 0
    20582 rpccli_set_timeout(0x555914734480, 10000, 0, 0)                                       = 10000
    20582 rpccli_lsa_open_policy(0x555914734480, 0x55591474bc20, 1, 0x2000000)                  = 0
    20582 rpccli_lsa_lookup_names(0x555914734480, 0x55591474bc20, 0x7ffff4a0f480, 1)            = 0
    20582 sid_type_lookup(1, 1104, 0, 0x55591475e6c0)                                           = 0x7f3e4eb07305
    20582 dom_sid_str_buf(0x555914761c00, 0x7ffff4a0f4a0, 0x7f3e4eb109a0, 1)                    = 0x7ffff4a0f4a0
    20582 __printf_chk(1, 0x5559133fcb55, 0x55591474ac24, 0x7ffff4a0f4a0)                       = 62
    20582 dcerpc_lsa_Close(0x55591474efc0, 0x55591474bc20, 0x7ffff4a0f480, 0x7ffff4a0f46c)      = 0
    20582 _talloc_free(0x55591474bc20, 0x5559134498a8, 0x5559146fd010, 0)                       = 0
    20582 free(0x55591474ac00)                                                                  = <void>
    20582 free(0x555914733450)                                                                  = <void>
    20582 cli_shutdown(0x555914735d40, 0x555914733450, 0x5559146fd010, 5)                       = 0
    20582 popt_free_cmdline_auth_info(32, 0x555914735ce0, 0x5559146fd010, 3)                    = 0
    20582 netlogon_creds_cli_close_global_db(7, 0, 0x7f3e4dc35a40, 7)                           = 0
    20582 _talloc_free(0x55591472dbf0, 0x5559133fbff0, 0x7f3e4dc35a40, 7)                       = 0
    20582 +++ exited (status 0) +++

Cheers,
-- 
Aurélien Aptel / SUSE Labs Samba Team
GPG: 1839 CB5F 9F5B FB9B AA97  8C99 03C8 A49B 521B D5D3
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg, DE
GF: Felix Imendörffer, Mary Higgins, Sri Rasiah HRB 247165 (AG München)


