/* Lookup groups a user is a member of. I wish Unix had a call like this! */ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, const DOM_SID *user_sid, uint32 *num_groups, DOM_SID **user_gids) { NTSTATUS result; DOM_SID *groups = NULL; gid_t *gids = NULL; size_t ngroups = 0; struct samu *user; if ( (user = samu_new(mem_ctx)) == NULL ) { return NT_STATUS_NO_MEMORY; } if ( !pdb_getsampwsid( user, user_sid ) ) { return NT_STATUS_NO_SUCH_USER; } result = pdb_enum_group_memberships( mem_ctx, user, &groups, &gids, &ngroups ); TALLOC_FREE( user ); *num_groups = (uint32)ngroups; *user_gids = groups; return result; }
/********************************************************* Fix a list of Users for uninitialised passwords **********************************************************/ static int fix_users_list(void) { struct pdb_search *u_search; struct samr_displayentry userentry; struct samu *sam_pwent; TALLOC_CTX *tosctx; struct dom_sid user_sid; NTSTATUS status; bool bret; int ret; tosctx = talloc_tos(); if (!tosctx) { fprintf(stderr, "Out of memory!\n"); return 1; } u_search = pdb_search_users(tosctx, 0); if (!u_search) { fprintf(stderr, "User Search failed!\n"); ret = 1; goto done; } while (u_search->next_entry(u_search, &userentry)) { sam_pwent = samu_new(tosctx); if (sam_pwent == NULL) { fprintf(stderr, "Out of memory!\n"); ret = 1; goto done; } sid_compose(&user_sid, get_global_sam_sid(), userentry.rid); bret = pdb_getsampwsid(sam_pwent, &user_sid); if (!bret) { DEBUG(2, ("getsampwsid failed\n")); TALLOC_FREE(sam_pwent); continue; } status = pdb_update_sam_account(sam_pwent); if (!NT_STATUS_IS_OK(status)) { printf("Update of user %s failed!\n", pdb_get_username(sam_pwent)); } TALLOC_FREE(sam_pwent); } ret = 0; done: TALLOC_FREE(tosctx); return ret; }
/********************************************************* List Users **********************************************************/ static int print_users_list(bool verbosity, bool smbpwdstyle) { struct pdb_search *u_search; struct samr_displayentry userentry; struct samu *sam_pwent; TALLOC_CTX *tosctx; struct dom_sid user_sid; bool bret; int ret; tosctx = talloc_tos(); if (!tosctx) { DEBUG(0, ("talloc failed\n")); return 1; } u_search = pdb_search_users(tosctx, 0); if (!u_search) { DEBUG(0, ("User Search failed!\n")); ret = 1; goto done; } while (u_search->next_entry(u_search, &userentry)) { sam_pwent = samu_new(tosctx); if (sam_pwent == NULL) { DEBUG(0, ("talloc failed\n")); ret = 1; goto done; } sid_compose(&user_sid, get_global_sam_sid(), userentry.rid); bret = pdb_getsampwsid(sam_pwent, &user_sid); if (!bret) { DEBUG(2, ("getsampwsid failed\n")); TALLOC_FREE(sam_pwent); continue; } if (verbosity) { printf ("---------------\n"); } print_sam_info(sam_pwent, verbosity, smbpwdstyle); TALLOC_FREE(sam_pwent); } ret = 0; done: TALLOC_FREE(tosctx); return ret; }
/******************************************************************* gets a domain user's groups ********************************************************************/ NTSTATUS get_alias_user_groups(TALLOC_CTX *ctx, DOM_SID *sid, int *numgroups, uint32 **prids, DOM_SID *q_sid) { SAM_ACCOUNT *sam_pass=NULL; int i, cur_rid=0; gid_t gid; gid_t *groups = NULL; int num_groups; GROUP_MAP map; DOM_SID tmp_sid; fstring user_name; fstring str_domsid, str_qsid; uint32 rid,grid; uint32 *rids=NULL, *new_rids=NULL; gid_t winbind_gid_low, winbind_gid_high; BOOL ret; BOOL winbind_groups_exist; /* * this code is far from perfect. * first it enumerates the full /etc/group and that can be slow. * second, it works only with users' SIDs * whereas the day we support nested groups, it will have to * support both users's SIDs and domain groups' SIDs * * having our own ldap backend would be so much faster ! * we're far from that, but hope one day ;-) JFM. */ *prids=NULL; *numgroups=0; winbind_groups_exist = lp_idmap_gid(&winbind_gid_low, &winbind_gid_high); DEBUG(10,("get_alias_user_groups: looking if SID %s is a member of groups in the SID domain %s\n", sid_to_string(str_qsid, q_sid), sid_to_string(str_domsid, sid))); pdb_init_sam(&sam_pass); become_root(); ret = pdb_getsampwsid(sam_pass, q_sid); unbecome_root(); if (ret == False) { pdb_free_sam(&sam_pass); return NT_STATUS_NO_SUCH_USER; } fstrcpy(user_name, pdb_get_username(sam_pass)); grid=pdb_get_group_rid(sam_pass); if (!NT_STATUS_IS_OK(sid_to_gid(pdb_get_group_sid(sam_pass), &gid))) { /* this should never happen */ DEBUG(2,("get_alias_user_groups: sid_to_gid failed!\n")); pdb_free_sam(&sam_pass); return NT_STATUS_UNSUCCESSFUL; } become_root(); /* on some systems this must run as root */ num_groups = getgroups_user(user_name, &groups); unbecome_root(); if (num_groups == -1) { /* this should never happen */ DEBUG(2,("get_alias_user_groups: getgroups_user failed\n")); pdb_free_sam(&sam_pass); return NT_STATUS_UNSUCCESSFUL; } for (i=0;i<num_groups;i++) { if (!get_group_from_gid(groups[i], &map)) { DEBUG(10,("get_alias_user_groups: gid %d. not found\n", (int)groups[i])); continue; } /* if it's not an alias, continue */ if (map.sid_name_use != SID_NAME_ALIAS) { DEBUG(10,("get_alias_user_groups: not returing %s, not an ALIAS group.\n", map.nt_name)); continue; } sid_copy(&tmp_sid, &map.sid); sid_split_rid(&tmp_sid, &rid); /* if the sid is not in the correct domain, continue */ if (!sid_equal(&tmp_sid, sid)) { DEBUG(10,("get_alias_user_groups: not returing %s, not in the domain SID.\n", map.nt_name)); continue; } /* Don't return winbind groups as they are not local! */ if (winbind_groups_exist && (groups[i] >= winbind_gid_low) && (groups[i] <= winbind_gid_high)) { DEBUG(10,("get_alias_user_groups: not returing %s, not local.\n", map.nt_name)); continue; } /* Don't return user private groups... */ if (Get_Pwnam(map.nt_name) != 0) { DEBUG(10,("get_alias_user_groups: not returing %s, clashes with user.\n", map.nt_name)); continue; } new_rids=(uint32 *)Realloc(rids, sizeof(uint32)*(cur_rid+1)); if (new_rids==NULL) { DEBUG(10,("get_alias_user_groups: could not realloc memory\n")); pdb_free_sam(&sam_pass); free(groups); return NT_STATUS_NO_MEMORY; } rids=new_rids; sid_peek_rid(&map.sid, &(rids[cur_rid])); cur_rid++; break; } if(num_groups) free(groups); /* now check for the user's gid (the primary group rid) */ for (i=0; i<cur_rid && grid!=rids[i]; i++) ; /* the user's gid is already there */ if (i!=cur_rid) { DEBUG(10,("get_alias_user_groups: user is already in the list. good.\n")); goto done; } DEBUG(10,("get_alias_user_groups: looking for gid %d of user %s\n", (int)gid, user_name)); if(!get_group_from_gid(gid, &map)) { DEBUG(0,("get_alias_user_groups: gid of user %s doesn't exist. Check your " "/etc/passwd and /etc/group files\n", user_name)); goto done; } /* the primary group isn't an alias */ if (map.sid_name_use!=SID_NAME_ALIAS) { DEBUG(10,("get_alias_user_groups: not returing %s, not an ALIAS group.\n", map.nt_name)); goto done; } sid_copy(&tmp_sid, &map.sid); sid_split_rid(&tmp_sid, &rid); /* if the sid is not in the correct domain, continue */ if (!sid_equal(&tmp_sid, sid)) { DEBUG(10,("get_alias_user_groups: not returing %s, not in the domain SID.\n", map.nt_name)); goto done; } /* Don't return winbind groups as they are not local! */ if (winbind_groups_exist && (gid >= winbind_gid_low) && (gid <= winbind_gid_high)) { DEBUG(10,("get_alias_user_groups: not returing %s, not local.\n", map.nt_name )); goto done; } /* Don't return user private groups... */ if (Get_Pwnam(map.nt_name) != 0) { DEBUG(10,("get_alias_user_groups: not returing %s, clashes with user.\n", map.nt_name )); goto done; } new_rids=(uint32 *)Realloc(rids, sizeof(uint32)*(cur_rid+1)); if (new_rids==NULL) { DEBUG(10,("get_alias_user_groups: could not realloc memory\n")); pdb_free_sam(&sam_pass); return NT_STATUS_NO_MEMORY; } rids=new_rids; sid_peek_rid(&map.sid, &(rids[cur_rid])); cur_rid++; done: *prids=rids; *numgroups=cur_rid; pdb_free_sam(&sam_pass); return NT_STATUS_OK; }