char *sid_to_fstring(fstring sidstr_out, const DOM_SID *sid)
{
char *str = sid_string_talloc(talloc_tos(), sid);
fstrcpy(sidstr_out, str);
TALLOC_FREE(str);
return sidstr_out;
}
void winbindd_list_trusted_domains(struct winbindd_cli_state *state)
{
struct winbindd_tdc_domain *dom_list = NULL;
struct winbindd_tdc_domain *d = NULL;
size_t num_domains = 0;
int extra_data_len = 0;
char *extra_data = NULL;
int i = 0;
DEBUG(3, ("[%5lu]: list trusted domains\n",
(unsigned long)state->pid));
if( !wcache_tdc_fetch_list( &dom_list, &num_domains )) {
request_error(state);
goto done;
}
extra_data = talloc_strdup(state->mem_ctx, "");
if (extra_data == NULL) {
request_error(state);
goto done;
}
for ( i = 0; i < num_domains; i++ ) {
struct winbindd_domain *domain;
bool is_online = true;
d = &dom_list[i];
domain = find_domain_from_name_noinit(d->domain_name);
if (domain) {
is_online = domain->online;
}
extra_data = talloc_asprintf_append_buffer(
extra_data,
"%s\\%s\\%s\\%s\\%s\\%s\\%s\\%s\n",
d->domain_name,
d->dns_name ? d->dns_name : d->domain_name,
sid_string_talloc(state->mem_ctx, &d->sid),
get_trust_type_string(d),
trust_is_transitive(d) ? "Yes" : "No",
trust_is_inbound(d) ? "Yes" : "No",
trust_is_outbound(d) ? "Yes" : "No",
is_online ? "Online" : "Offline" );
}
extra_data_len = strlen(extra_data);
if (extra_data_len > 0) {
/* Strip the last \n */
extra_data[extra_data_len-1] = '\0';
state->response->extra_data.data = extra_data;
state->response->length += extra_data_len;
}
request_ok(state);
done:
TALLOC_FREE( dom_list );
}
NTSTATUS evlog_evt_entry_to_tdb_entry(TALLOC_CTX *mem_ctx,
const struct EVENTLOGRECORD *e,
struct eventlog_Record_tdb *t)
{
uint32_t i;
ZERO_STRUCTP(t);
t->size = e->Length;
t->reserved = e->Reserved;
t->record_number = e->RecordNumber;
t->time_generated = e->TimeGenerated;
t->time_written = e->TimeWritten;
t->event_id = e->EventID;
t->event_type = e->EventType;
t->num_of_strings = e->NumStrings;
t->event_category = e->EventCategory;
t->reserved_flags = e->ReservedFlags;
t->closing_record_number = e->ClosingRecordNumber;
t->stringoffset = e->StringOffset;
t->sid_length = e->UserSidLength;
t->sid_offset = e->UserSidOffset;
t->data_length = e->DataLength;
t->data_offset = e->DataOffset;
t->source_name_len = 2 * strlen_m_term(e->SourceName);
t->source_name = talloc_strdup(mem_ctx, e->SourceName);
NT_STATUS_HAVE_NO_MEMORY(t->source_name);
t->computer_name_len = 2 * strlen_m_term(e->Computername);
t->computer_name = talloc_strdup(mem_ctx, e->Computername);
NT_STATUS_HAVE_NO_MEMORY(t->computer_name);
/* t->sid_padding; */
if (e->UserSidLength > 0) {
const char *sid_str = NULL;
smb_ucs2_t *dummy = NULL;
sid_str = sid_string_talloc(mem_ctx, &e->UserSid);
t->sid_length = rpcstr_push_talloc(mem_ctx, &dummy, sid_str);
if (t->sid_length == -1) {
return NT_STATUS_NO_MEMORY;
}
t->sid = data_blob_talloc(mem_ctx, (uint8_t *)dummy, t->sid_length);
NT_STATUS_HAVE_NO_MEMORY(t->sid.data);
}
t->strings = talloc_array(mem_ctx, const char *, e->NumStrings);
for (i=0; i < e->NumStrings; i++) {
t->strings[i] = talloc_strdup(t->strings, e->Strings[i]);
NT_STATUS_HAVE_NO_MEMORY(t->strings[i]);
}
t->strings_len = 2 * ndr_size_string_array(t->strings, t->num_of_strings, LIBNDR_FLAG_STR_NULLTERM);
t->data = data_blob_talloc(mem_ctx, e->Data, e->DataLength);
/* t->padding = r->Pad; */
return NT_STATUS_OK;
}
/* display SD */
void ads_disp_sd(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct security_descriptor *sd)
{
int i;
char *tmp_path = NULL;
if (!sd) {
return;
}
if (ads && !ads->config.schema_path) {
if (ADS_ERR_OK(ads_schema_path(ads, mem_ctx, &tmp_path))) {
ads->config.schema_path = SMB_STRDUP(tmp_path);
}
}
if (ads && !ads->config.config_path) {
if (ADS_ERR_OK(ads_config_path(ads, mem_ctx, &tmp_path))) {
ads->config.config_path = SMB_STRDUP(tmp_path);
}
}
printf("-------------- Security Descriptor (revision: %d, type: 0x%02x)\n",
sd->revision,
sd->type);
printf("owner SID: %s\n", sd->owner_sid ?
sid_string_talloc(mem_ctx, sd->owner_sid) : "(null)");
printf("group SID: %s\n", sd->group_sid ?
sid_string_talloc(mem_ctx, sd->group_sid) : "(null)");
ads_disp_acl(sd->sacl, "system");
if (sd->sacl) {
for (i = 0; i < sd->sacl->num_aces; i ++) {
ads_disp_ace(ads, mem_ctx, &sd->sacl->aces[i]);
}
}
ads_disp_acl(sd->dacl, "user");
if (sd->dacl) {
for (i = 0; i < sd->dacl->num_aces; i ++) {
ads_disp_ace(ads, mem_ctx, &sd->dacl->aces[i]);
}
}
printf("-------------- End Of Security Descriptor\n");
}
static NTSTATUS idmap_tdb_set_mapping(struct idmap_domain *dom,
const struct id_map *map)
{
struct idmap_tdb_context *ctx;
NTSTATUS ret;
char *ksidstr, *kidstr;
struct idmap_tdb_set_mapping_context state;
if (!map || !map->sid) {
return NT_STATUS_INVALID_PARAMETER;
}
ksidstr = kidstr = NULL;
/* TODO: should we filter a set_mapping using low/high filters ? */
ctx = talloc_get_type(dom->private_data, struct idmap_tdb_context);
switch (map->xid.type) {
case ID_TYPE_UID:
kidstr = talloc_asprintf(ctx, "UID %lu",
(unsigned long)map->xid.id);
break;
case ID_TYPE_GID:
kidstr = talloc_asprintf(ctx, "GID %lu",
(unsigned long)map->xid.id);
break;
default:
DEBUG(2, ("INVALID unix ID type: 0x02%x\n", map->xid.type));
return NT_STATUS_INVALID_PARAMETER;
}
if (kidstr == NULL) {
DEBUG(0, ("ERROR: Out of memory!\n"));
ret = NT_STATUS_NO_MEMORY;
goto done;
}
ksidstr = sid_string_talloc(ctx, map->sid);
if (ksidstr == NULL) {
DEBUG(0, ("Out of memory!\n"));
ret = NT_STATUS_NO_MEMORY;
goto done;
}
state.ksidstr = ksidstr;
state.kidstr = kidstr;
ret = dbwrap_trans_do(ctx->db, idmap_tdb_set_mapping_action, &state);
done:
talloc_free(ksidstr);
talloc_free(kidstr);
return ret;
}
static NTSTATUS idmap_tdb_sid_to_id(struct idmap_domain *dom, struct id_map *map)
{
NTSTATUS ret;
TDB_DATA data;
char *keystr;
unsigned long rec_id = 0;
struct idmap_tdb_context *ctx;
TALLOC_CTX *tmp_ctx = talloc_stackframe();
ctx = talloc_get_type(dom->private_data, struct idmap_tdb_context);
keystr = sid_string_talloc(tmp_ctx, map->sid);
if (keystr == NULL) {
DEBUG(0, ("Out of memory!\n"));
ret = NT_STATUS_NO_MEMORY;
goto done;
}
DEBUG(10,("Fetching record %s\n", keystr));
/* Check if sid is present in database */
ret = dbwrap_fetch_bystring(ctx->db, tmp_ctx, keystr, &data);
if (!NT_STATUS_IS_OK(ret)) {
DEBUG(10,("Record %s not found\n", keystr));
ret = NT_STATUS_NONE_MAPPED;
goto done;
}
/* What type of record is this ? */
if (sscanf((const char *)data.dptr, "UID %lu", &rec_id) == 1) { /* Try a UID record. */
map->xid.id = rec_id;
map->xid.type = ID_TYPE_UID;
DEBUG(10,("Found uid record %s -> %s \n", keystr, (const char *)data.dptr ));
ret = NT_STATUS_OK;
} else if (sscanf((const char *)data.dptr, "GID %lu", &rec_id) == 1) { /* Try a GID record. */
map->xid.id = rec_id;
map->xid.type = ID_TYPE_GID;
DEBUG(10,("Found gid record %s -> %s \n", keystr, (const char *)data.dptr ));
ret = NT_STATUS_OK;
} else { /* Unknown record type ! */
DEBUG(2, ("Found INVALID record %s -> %s\n", keystr, (const char *)data.dptr));
ret = NT_STATUS_INTERNAL_DB_ERROR;
goto done;
}
/* apply filters before returning result */
if (!idmap_unix_id_is_in_range(map->xid.id, dom)) {
DEBUG(5, ("Requested id (%u) out of range (%u - %u). Filtered!\n",
map->xid.id, dom->low_id, dom->high_id));
ret = NT_STATUS_NONE_MAPPED;
}
done:
talloc_free(tmp_ctx);
return ret;
}
static NTSTATUS log_nt_token(struct security_token *token)
{
TALLOC_CTX *frame = talloc_stackframe();
char *command;
char *group_sidstr;
size_t i;
if ((lp_log_nt_token_command() == NULL) ||
(strlen(lp_log_nt_token_command()) == 0)) {
TALLOC_FREE(frame);
return NT_STATUS_OK;
}
group_sidstr = talloc_strdup(frame, "");
for (i=1; i<token->num_sids; i++) {
group_sidstr = talloc_asprintf(
frame, "%s %s", group_sidstr,
sid_string_talloc(frame, &token->sids[i]));
}
command = talloc_string_sub(
frame, lp_log_nt_token_command(),
"%s", sid_string_talloc(frame, &token->sids[0]));
command = talloc_string_sub(frame, command, "%t", group_sidstr);
if (command == NULL) {
TALLOC_FREE(frame);
return NT_STATUS_NO_MEMORY;
}
DEBUG(8, ("running command: [%s]\n", command));
if (smbrun(command, NULL) != 0) {
DEBUG(0, ("Could not log NT token\n"));
TALLOC_FREE(frame);
return NT_STATUS_ACCESS_DENIED;
}
TALLOC_FREE(frame);
return NT_STATUS_OK;
}
static char *group_mapping_key(TALLOC_CTX *mem_ctx, const struct dom_sid *sid)
{
char *sidstr, *result;
sidstr = sid_string_talloc(talloc_tos(), sid);
if (sidstr == NULL) {
return NULL;
}
result = talloc_asprintf(mem_ctx, "%s%s", GROUP_PREFIX, sidstr);
TALLOC_FREE(sidstr);
return result;
}
bool idmap_cache_del_sid(const struct dom_sid *sid)
{
TALLOC_CTX* mem_ctx = talloc_stackframe();
const char* sid_str = sid_string_talloc(mem_ctx, sid);
bool ret = true;
if (!idmap_cache_del_sid2xid(mem_ctx, 'U', sid_str) &&
!idmap_cache_del_sid2xid(mem_ctx, 'G', sid_str))
{
DEBUG(3, ("no entry: %s\n", key_xid2sid_str(mem_ctx, '?', sid_str)));
ret = false;
}
talloc_free(mem_ctx);
return ret;
}
static NTSTATUS get_domain_info(TALLOC_CTX *mem_ctx,
struct dcerpc_binding_handle *bind_hdn,
struct policy_handle *pol_hnd,
struct dom_data *dom_data)
{
NTSTATUS status;
struct lsa_QueryInfoPolicy2 qr;
qr.in.handle = pol_hnd;
qr.in.level = LSA_POLICY_INFO_DNS;
status = dcerpc_lsa_QueryInfoPolicy2_r(bind_hdn, mem_ctx, &qr);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("dcerpc_lsa_QueryInfoPolicy2_r failed "
"with error [%s].\n", nt_errstr(status)));
return status;
}
if (!NT_STATUS_IS_OK(qr.out.result)) {
DEBUG(0, ("QueryInfoPolicy2 returned [%s].\n",
nt_errstr(qr.out.result)));
return qr.out.result;
}
dom_data->domain_name = talloc_strdup(mem_ctx,
(*qr.out.info)->dns.name.string);
dom_data->dns_domain_name = talloc_strdup(mem_ctx,
(*qr.out.info)->dns.dns_domain.string);
dom_data->domsid = dom_sid_dup(mem_ctx, (*qr.out.info)->dns.sid);
if (dom_data->domain_name == NULL ||
dom_data->dns_domain_name == NULL ||
dom_data->domsid == NULL) {
DEBUG(0, ("Copying domain data failed.\n"));
return NT_STATUS_NO_MEMORY;
}
DEBUG(0, ("Got the following domain info [%s][%s][%s].\n",
dom_data->domain_name, dom_data->dns_domain_name,
sid_string_talloc(mem_ctx, dom_data->domsid)));
return NT_STATUS_OK;
}
/* display ACE */
static void ads_disp_ace(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct security_ace *sec_ace)
{
const char *access_type = "UNKNOWN";
if (!sec_ace_object(sec_ace->type)) {
printf("------- ACE (type: 0x%02x, flags: 0x%02x, size: 0x%02x, mask: 0x%x)\n",
sec_ace->type,
sec_ace->flags,
sec_ace->size,
sec_ace->access_mask);
} else {
printf("------- ACE (type: 0x%02x, flags: 0x%02x, size: 0x%02x, mask: 0x%x, object flags: 0x%x)\n",
sec_ace->type,
sec_ace->flags,
sec_ace->size,
sec_ace->access_mask,
sec_ace->object.object.flags);
}
if (sec_ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED) {
access_type = "ALLOWED";
} else if (sec_ace->type == SEC_ACE_TYPE_ACCESS_DENIED) {
access_type = "DENIED";
} else if (sec_ace->type == SEC_ACE_TYPE_SYSTEM_AUDIT) {
access_type = "SYSTEM AUDIT";
} else if (sec_ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT) {
access_type = "ALLOWED OBJECT";
} else if (sec_ace->type == SEC_ACE_TYPE_ACCESS_DENIED_OBJECT) {
access_type = "DENIED OBJECT";
} else if (sec_ace->type == SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT) {
access_type = "AUDIT OBJECT";
}
printf("access SID: %s\naccess type: %s\n",
sid_string_talloc(mem_ctx, &sec_ace->trustee), access_type);
if (sec_ace_object(sec_ace->type)) {
ads_disp_sec_ace_object(ads, mem_ctx, &sec_ace->object.object);
}
ads_disp_perms(sec_ace->access_mask);
}
static WERROR gp_reg_store_groupmembership(TALLOC_CTX *mem_ctx,
struct gp_registry_context *reg_ctx,
const struct security_token *token,
uint32_t flags)
{
struct registry_key *key = NULL;
WERROR werr;
int i = 0;
const char *valname = NULL;
const char *path = NULL;
const char *val = NULL;
int count = 0;
path = gp_reg_groupmembership_path(mem_ctx, &token->sids[0],
flags);
W_ERROR_HAVE_NO_MEMORY(path);
gp_reg_del_groupmembership(mem_ctx, reg_ctx->curr_key, token, flags);
werr = gp_store_reg_subkey(mem_ctx, path,
reg_ctx->curr_key, &key);
W_ERROR_NOT_OK_RETURN(werr);
for (i=0; i<token->num_sids; i++) {
valname = talloc_asprintf(mem_ctx, "Group%d", count++);
W_ERROR_HAVE_NO_MEMORY(valname);
val = sid_string_talloc(mem_ctx, &token->sids[i]);
W_ERROR_HAVE_NO_MEMORY(val);
werr = gp_store_reg_val_sz(mem_ctx, key, valname, val);
W_ERROR_NOT_OK_RETURN(werr);
}
werr = gp_store_reg_val_dword(mem_ctx, key, "Count", count);
W_ERROR_NOT_OK_RETURN(werr);
return WERR_OK;
}
NTSTATUS libnet_samsync_init_context(TALLOC_CTX *mem_ctx,
const struct dom_sid *domain_sid,
struct samsync_context **ctx_p)
{
struct samsync_context *ctx;
*ctx_p = NULL;
ctx = TALLOC_ZERO_P(mem_ctx, struct samsync_context);
NT_STATUS_HAVE_NO_MEMORY(ctx);
if (domain_sid) {
ctx->domain_sid = sid_dup_talloc(mem_ctx, domain_sid);
NT_STATUS_HAVE_NO_MEMORY(ctx->domain_sid);
ctx->domain_sid_str = sid_string_talloc(mem_ctx, ctx->domain_sid);
NT_STATUS_HAVE_NO_MEMORY(ctx->domain_sid_str);
}
*ctx_p = ctx;
return NT_STATUS_OK;
}
static int net_idmap_aclmapset(struct net_context *c, int argc, const char **argv)
{
TALLOC_CTX *mem_ctx;
int result = -1;
DOM_SID src_sid, dst_sid;
char *src, *dst;
struct db_context *db;
struct db_record *rec;
NTSTATUS status;
if (argc != 3 || c->display_usage) {
d_fprintf(stderr, _("usage: net idmap aclmapset <tdb> "
"<src-sid> <dst-sid>\n"));
return -1;
}
if (!(mem_ctx = talloc_init("net idmap aclmapset"))) {
d_fprintf(stderr, _("talloc_init failed\n"));
return -1;
}
if (!(db = db_open(mem_ctx, argv[0], 0, TDB_DEFAULT,
O_RDWR|O_CREAT, 0600))) {
d_fprintf(stderr, _("db_open failed: %s\n"), strerror(errno));
goto fail;
}
if (!string_to_sid(&src_sid, argv[1])) {
d_fprintf(stderr, _("%s is not a valid sid\n"), argv[1]);
goto fail;
}
if (!string_to_sid(&dst_sid, argv[2])) {
d_fprintf(stderr, _("%s is not a valid sid\n"), argv[2]);
goto fail;
}
if (!(src = sid_string_talloc(mem_ctx, &src_sid))
|| !(dst = sid_string_talloc(mem_ctx, &dst_sid))) {
d_fprintf(stderr, _("talloc_strdup failed\n"));
goto fail;
}
if (!(rec = db->fetch_locked(
db, mem_ctx, string_term_tdb_data(src)))) {
d_fprintf(stderr, _("could not fetch db record\n"));
goto fail;
}
status = rec->store(rec, string_term_tdb_data(dst), 0);
TALLOC_FREE(rec);
if (!NT_STATUS_IS_OK(status)) {
d_fprintf(stderr, _("could not store record: %s\n"),
nt_errstr(status));
goto fail;
}
result = 0;
fail:
TALLOC_FREE(mem_ctx);
return result;
}
/* dump sam database via samsync rpc calls */
NTSTATUS rpc_vampire_internals(struct net_context *c,
const DOM_SID *domain_sid,
const char *domain_name,
struct cli_state *cli,
struct rpc_pipe_client *pipe_hnd,
TALLOC_CTX *mem_ctx,
int argc,
const char **argv)
{
NTSTATUS result;
struct samsync_context *ctx = NULL;
if (!sid_equal(domain_sid, get_global_sam_sid())) {
d_printf("Cannot import users from %s at this time, "
"as the current domain:\n\t%s: %s\nconflicts "
"with the remote domain\n\t%s: %s\n"
"Perhaps you need to set: \n\n\tsecurity=user\n\t"
"workgroup=%s\n\n in your smb.conf?\n",
domain_name,
get_global_sam_name(),
sid_string_dbg(get_global_sam_sid()),
domain_name,
sid_string_dbg(domain_sid),
domain_name);
return NT_STATUS_UNSUCCESSFUL;
}
result = libnet_samsync_init_context(mem_ctx,
domain_sid,
&ctx);
if (!NT_STATUS_IS_OK(result)) {
return result;
}
ctx->mode = NET_SAMSYNC_MODE_FETCH_PASSDB;
ctx->cli = pipe_hnd;
ctx->ops = &libnet_samsync_passdb_ops;
ctx->domain_name = domain_name;
ctx->force_full_replication = c->opt_force_full_repl ? true : false;
ctx->clean_old_entries = c->opt_clean_old_entries ? true : false;
parse_samsync_partial_replication_objects(ctx, argc, argv,
&ctx->single_object_replication,
&ctx->objects,
&ctx->num_objects);
/* fetch domain */
result = libnet_samsync(SAM_DATABASE_DOMAIN, ctx);
if (!NT_STATUS_IS_OK(result) && ctx->error_message) {
d_fprintf(stderr, "%s\n", ctx->error_message);
goto fail;
}
if (ctx->result_message) {
d_fprintf(stdout, "%s\n", ctx->result_message);
}
/* fetch builtin */
ctx->domain_sid = sid_dup_talloc(mem_ctx, &global_sid_Builtin);
ctx->domain_sid_str = sid_string_talloc(mem_ctx, ctx->domain_sid);
result = libnet_samsync(SAM_DATABASE_BUILTIN, ctx);
if (!NT_STATUS_IS_OK(result) && ctx->error_message) {
d_fprintf(stderr, "%s\n", ctx->error_message);
goto fail;
}
if (ctx->result_message) {
d_fprintf(stdout, "%s\n", ctx->result_message);
}
fail:
TALLOC_FREE(ctx);
return result;
}
static NTSTATUS idmap_ldap_sids_to_unixids(struct idmap_domain *dom,
struct id_map **ids)
{
LDAPMessage *entry = NULL;
NTSTATUS ret;
TALLOC_CTX *memctx;
struct idmap_ldap_context *ctx;
LDAPMessage *result = NULL;
const char *uidNumber;
const char *gidNumber;
const char **attr_list;
char *filter = NULL;
bool multi = False;
int idx = 0;
int bidx = 0;
int count;
int rc;
int i;
/* Only do query if we are online */
if (idmap_is_offline()) {
return NT_STATUS_FILE_IS_OFFLINE;
}
ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
memctx = talloc_new(ctx);
if ( ! memctx) {
DEBUG(0, ("Out of memory!\n"));
return NT_STATUS_NO_MEMORY;
}
uidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER);
gidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER);
attr_list = get_attr_list(memctx, sidmap_attr_list);
if ( ! ids[1]) {
/* if we are requested just one mapping use the simple filter */
filter = talloc_asprintf(memctx, "(&(objectClass=%s)(%s=%s))",
LDAP_OBJ_IDMAP_ENTRY,
LDAP_ATTRIBUTE_SID,
sid_string_talloc(memctx, ids[0]->sid));
CHECK_ALLOC_DONE(filter);
DEBUG(10, ("Filter: [%s]\n", filter));
} else {
/* multiple mappings */
multi = True;
}
for (i = 0; ids[i]; i++) {
ids[i]->status = ID_UNKNOWN;
}
again:
if (multi) {
TALLOC_FREE(filter);
filter = talloc_asprintf(memctx,
"(&(objectClass=%s)(|",
LDAP_OBJ_IDMAP_ENTRY);
CHECK_ALLOC_DONE(filter);
bidx = idx;
for (i = 0; (i < IDMAP_LDAP_MAX_IDS) && ids[idx]; i++, idx++) {
filter = talloc_asprintf_append_buffer(filter, "(%s=%s)",
LDAP_ATTRIBUTE_SID,
sid_string_talloc(memctx,
ids[idx]->sid));
CHECK_ALLOC_DONE(filter);
}
filter = talloc_asprintf_append_buffer(filter, "))");
CHECK_ALLOC_DONE(filter);
DEBUG(10, ("Filter: [%s]", filter));
} else {
bidx = 0;
idx = 1;
}
rc = smbldap_search(ctx->smbldap_state, ctx->suffix, LDAP_SCOPE_SUBTREE,
filter, attr_list, 0, &result);
if (rc != LDAP_SUCCESS) {
DEBUG(3,("Failure looking up sids (%s)\n",
ldap_err2string(rc)));
ret = NT_STATUS_UNSUCCESSFUL;
goto done;
}
count = ldap_count_entries(ctx->smbldap_state->ldap_struct, result);
if (count == 0) {
DEBUG(10, ("NO SIDs found\n"));
}
for (i = 0; i < count; i++) {
char *sidstr = NULL;
char *tmp = NULL;
enum id_type type;
struct id_map *map;
struct dom_sid sid;
uint32_t id;
if (i == 0) { /* first entry */
entry = ldap_first_entry(ctx->smbldap_state->ldap_struct,
result);
} else { /* following ones */
entry = ldap_next_entry(ctx->smbldap_state->ldap_struct,
entry);
}
if ( ! entry) {
DEBUG(2, ("ERROR: Unable to fetch ldap entries "
"from results\n"));
break;
}
/* first check if the SID is present */
sidstr = smbldap_talloc_single_attribute(
ctx->smbldap_state->ldap_struct,
entry, LDAP_ATTRIBUTE_SID, memctx);
if ( ! sidstr) { /* no sid ??, skip entry */
DEBUG(2, ("WARNING SID not found on entry\n"));
continue;
}
if ( ! string_to_sid(&sid, sidstr)) {
DEBUG(2, ("ERROR: Invalid SID on entry\n"));
TALLOC_FREE(sidstr);
continue;
}
map = idmap_find_map_by_sid(&ids[bidx], &sid);
if (!map) {
DEBUG(2, ("WARNING: couldn't find entry sid (%s) "
"in ids", sidstr));
TALLOC_FREE(sidstr);
continue;
}
/* now try to see if it is a uid, if not try with a gid
* (gid is more common, but in case both uidNumber and
* gidNumber are returned the SID is mapped to the uid
* not the gid) */
type = ID_TYPE_UID;
tmp = smbldap_talloc_single_attribute(
ctx->smbldap_state->ldap_struct,
entry, uidNumber, memctx);
if ( ! tmp) {
type = ID_TYPE_GID;
tmp = smbldap_talloc_single_attribute(
ctx->smbldap_state->ldap_struct,
entry, gidNumber, memctx);
}
if ( ! tmp) { /* no ids ?? */
DEBUG(5, ("no uidNumber, "
"nor gidNumber attributes found\n"));
TALLOC_FREE(sidstr);
continue;
}
id = strtoul(tmp, NULL, 10);
if (!idmap_unix_id_is_in_range(id, dom)) {
DEBUG(5, ("Requested id (%u) out of range (%u - %u). "
"Filtered!\n", id,
dom->low_id, dom->high_id));
TALLOC_FREE(sidstr);
TALLOC_FREE(tmp);
continue;
}
TALLOC_FREE(tmp);
if (map->status == ID_MAPPED) {
DEBUG(1, ("WARNING: duplicate %s mapping in LDAP. "
"overwriting mapping %s -> %u with %s -> %u\n",
(type == ID_TYPE_UID) ? "UID" : "GID",
sidstr, map->xid.id, sidstr, id));
}
TALLOC_FREE(sidstr);
/* mapped */
map->xid.type = type;
map->xid.id = id;
map->status = ID_MAPPED;
DEBUG(10, ("Mapped %s -> %lu (%d)\n", sid_string_dbg(map->sid),
(unsigned long)map->xid.id, map->xid.type));
}
/* free the ldap results */
if (result) {
ldap_msgfree(result);
result = NULL;
}
if (multi && ids[idx]) { /* still some values to map */
goto again;
}
/*
* try to create new mappings for unmapped sids
*/
for (i = 0; ids[i]; i++) {
if (ids[i]->status != ID_MAPPED) {
ids[i]->status = ID_UNMAPPED;
if (ids[i]->sid != NULL) {
ret = idmap_ldap_new_mapping(dom, ids[i]);
if (!NT_STATUS_IS_OK(ret)) {
goto done;
}
}
}
}
ret = NT_STATUS_OK;
done:
talloc_free(memctx);
return ret;
}
static NTSTATUS idmap_ldap_set_mapping(struct idmap_domain *dom,
const struct id_map *map)
{
NTSTATUS ret;
TALLOC_CTX *memctx;
struct idmap_ldap_context *ctx;
LDAPMessage *entry = NULL;
LDAPMod **mods = NULL;
const char *type;
char *id_str;
char *sid;
char *dn;
int rc = -1;
/* Only do query if we are online */
if (idmap_is_offline()) {
return NT_STATUS_FILE_IS_OFFLINE;
}
ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
switch(map->xid.type) {
case ID_TYPE_UID:
type = get_attr_key2string(sidmap_attr_list,
LDAP_ATTR_UIDNUMBER);
break;
case ID_TYPE_GID:
type = get_attr_key2string(sidmap_attr_list,
LDAP_ATTR_GIDNUMBER);
break;
default:
return NT_STATUS_INVALID_PARAMETER;
}
memctx = talloc_new(ctx);
if ( ! memctx) {
DEBUG(0, ("Out of memory!\n"));
return NT_STATUS_NO_MEMORY;
}
id_str = talloc_asprintf(memctx, "%lu", (unsigned long)map->xid.id);
CHECK_ALLOC_DONE(id_str);
sid = talloc_strdup(memctx, sid_string_talloc(memctx, map->sid));
CHECK_ALLOC_DONE(sid);
dn = talloc_asprintf(memctx, "%s=%s,%s",
get_attr_key2string(sidmap_attr_list, LDAP_ATTR_SID),
sid,
ctx->suffix);
CHECK_ALLOC_DONE(dn);
smbldap_set_mod(&mods, LDAP_MOD_ADD,
"objectClass", LDAP_OBJ_IDMAP_ENTRY);
smbldap_make_mod(ctx->smbldap_state->ldap_struct,
entry, &mods, type, id_str);
smbldap_make_mod(ctx->smbldap_state->ldap_struct, entry, &mods,
get_attr_key2string(sidmap_attr_list, LDAP_ATTR_SID),
sid);
if ( ! mods) {
DEBUG(2, ("ERROR: No mods?\n"));
ret = NT_STATUS_UNSUCCESSFUL;
goto done;
}
/* TODO: remove conflicting mappings! */
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SID_ENTRY);
DEBUG(10, ("Set DN %s (%s -> %s)\n", dn, sid, id_str));
rc = smbldap_add(ctx->smbldap_state, dn, mods);
ldap_mods_free(mods, True);
if (rc != LDAP_SUCCESS) {
char *ld_error = NULL;
ldap_get_option(ctx->smbldap_state->ldap_struct,
LDAP_OPT_ERROR_STRING, &ld_error);
DEBUG(0,("ldap_set_mapping_internals: Failed to add %s to %lu "
"mapping [%s]\n", sid,
(unsigned long)map->xid.id, type));
DEBUG(0, ("ldap_set_mapping_internals: Error was: %s (%s)\n",
ld_error ? ld_error : "(NULL)", ldap_err2string (rc)));
if (ld_error) {
ldap_memfree(ld_error);
}
ret = NT_STATUS_UNSUCCESSFUL;
goto done;
}
DEBUG(10,("ldap_set_mapping: Successfully created mapping from %s to "
"%lu [%s]\n", sid, (unsigned long)map->xid.id, type));
ret = NT_STATUS_OK;
done:
talloc_free(memctx);
return ret;
}
char *sid_string_tos(const struct dom_sid *sid)
{
return sid_string_talloc(talloc_tos(), sid);
}
NTSTATUS rpc_vampire_ldif_internals(struct net_context *c,
const DOM_SID *domain_sid,
const char *domain_name,
struct cli_state *cli,
struct rpc_pipe_client *pipe_hnd,
TALLOC_CTX *mem_ctx,
int argc,
const char **argv)
{
NTSTATUS status;
struct samsync_context *ctx = NULL;
status = libnet_samsync_init_context(mem_ctx,
domain_sid,
&ctx);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
if (argc >= 1) {
ctx->output_filename = argv[0];
}
if (argc >= 2) {
parse_samsync_partial_replication_objects(ctx, argc-1, argv+1,
&ctx->single_object_replication,
&ctx->objects,
&ctx->num_objects);
}
ctx->mode = NET_SAMSYNC_MODE_FETCH_LDIF;
ctx->cli = pipe_hnd;
ctx->ops = &libnet_samsync_ldif_ops;
ctx->domain_name = domain_name;
ctx->force_full_replication = c->opt_force_full_repl ? true : false;
ctx->clean_old_entries = c->opt_clean_old_entries ? true : false;
/* fetch domain */
status = libnet_samsync(SAM_DATABASE_DOMAIN, ctx);
if (!NT_STATUS_IS_OK(status) && ctx->error_message) {
d_fprintf(stderr, "%s\n", ctx->error_message);
goto fail;
}
if (ctx->result_message) {
d_fprintf(stdout, "%s\n", ctx->result_message);
}
/* fetch builtin */
ctx->domain_sid = sid_dup_talloc(mem_ctx, &global_sid_Builtin);
ctx->domain_sid_str = sid_string_talloc(mem_ctx, ctx->domain_sid);
status = libnet_samsync(SAM_DATABASE_BUILTIN, ctx);
if (!NT_STATUS_IS_OK(status) && ctx->error_message) {
d_fprintf(stderr, "%s\n", ctx->error_message);
goto fail;
}
if (ctx->result_message) {
d_fprintf(stdout, "%s\n", ctx->result_message);
}
fail:
TALLOC_FREE(ctx);
return status;
}
char *sid_string_tos(const DOM_SID *sid)
{
return sid_string_talloc(talloc_tos(), sid);
}
enum winbindd_result winbindd_dual_list_trusted_domains(struct winbindd_domain *domain,
struct winbindd_cli_state *state)
{
uint32 i, num_domains;
char **names, **alt_names;
DOM_SID *sids;
int extra_data_len = 0;
char *extra_data;
NTSTATUS result;
bool have_own_domain = False;
DEBUG(3, ("[%5lu]: list trusted domains\n",
(unsigned long)state->pid));
result = domain->methods->trusted_domains(domain, state->mem_ctx,
&num_domains, &names,
&alt_names, &sids);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(3, ("winbindd_dual_list_trusted_domains: trusted_domains returned %s\n",
nt_errstr(result) ));
return WINBINDD_ERROR;
}
extra_data = talloc_strdup(state->mem_ctx, "");
if (num_domains > 0)
extra_data = talloc_asprintf(
state->mem_ctx, "%s\\%s\\%s",
names[0], alt_names[0] ? alt_names[0] : names[0],
sid_string_talloc(state->mem_ctx, &sids[0]));
for (i=1; i<num_domains; i++)
extra_data = talloc_asprintf(
state->mem_ctx, "%s\n%s\\%s\\%s",
extra_data, names[i],
alt_names[i] ? alt_names[i] : names[i],
sid_string_talloc(state->mem_ctx, &sids[i]));
/* add our primary domain */
for (i=0; i<num_domains; i++) {
if (strequal(names[i], domain->name)) {
have_own_domain = True;
break;
}
}
if (state->request->data.list_all_domains && !have_own_domain) {
extra_data = talloc_asprintf(
state->mem_ctx, "%s\n%s\\%s\\%s",
extra_data, domain->name,
domain->alt_name ? domain->alt_name : domain->name,
sid_string_talloc(state->mem_ctx, &domain->sid));
}
/* This is a bit excessive, but the extra data sooner or later will be
talloc'ed */
extra_data_len = 0;
if (extra_data != NULL) {
extra_data_len = strlen(extra_data);
}
if (extra_data_len > 0) {
state->response->extra_data.data = extra_data;
state->response->length += extra_data_len+1;
}
return WINBINDD_OK;
}
enum winbindd_result winbindd_dual_list_trusted_domains(struct winbindd_domain *domain,
struct winbindd_cli_state *state)
{
int i;
int extra_data_len = 0;
char *extra_data;
NTSTATUS result;
bool have_own_domain = False;
struct netr_DomainTrustList trusts;
DEBUG(3, ("[%5lu]: list trusted domains\n",
(unsigned long)state->pid));
result = domain->methods->trusted_domains(domain, state->mem_ctx,
&trusts);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(3, ("winbindd_dual_list_trusted_domains: trusted_domains returned %s\n",
nt_errstr(result) ));
return WINBINDD_ERROR;
}
extra_data = talloc_strdup(state->mem_ctx, "");
for (i=0; i<trusts.count; i++) {
if (trusts.array[i].sid == NULL) {
continue;
}
if (dom_sid_equal(trusts.array[i].sid, &global_sid_NULL)) {
continue;
}
extra_data = talloc_asprintf_append_buffer(
extra_data, "%s\\%s\\%s\\%u\\%u\\%u\n",
trusts.array[i].netbios_name, trusts.array[i].dns_name,
sid_string_talloc(state->mem_ctx, trusts.array[i].sid),
trusts.array[i].trust_flags,
(uint32_t)trusts.array[i].trust_type,
trusts.array[i].trust_attributes);
}
/* add our primary domain */
for (i=0; i<trusts.count; i++) {
if (strequal(trusts.array[i].netbios_name, domain->name)) {
have_own_domain = True;
break;
}
}
if (state->request->data.list_all_domains && !have_own_domain) {
extra_data = talloc_asprintf_append_buffer(
extra_data, "%s\\%s\\%s\n", domain->name,
domain->alt_name != NULL ?
domain->alt_name :
domain->name,
sid_string_talloc(state->mem_ctx, &domain->sid));
}
extra_data_len = strlen(extra_data);
if (extra_data_len > 0) {
/* Strip the last \n */
extra_data[extra_data_len-1] = '\0';
state->response->extra_data.data = extra_data;
state->response->length += extra_data_len;
}
return WINBINDD_OK;
}
char *sid_string_dbg(const DOM_SID *sid)
{
return sid_string_talloc(debug_ctx(), sid);
}
