static int collect_aliasmem(struct db_record *rec, void *priv)
{
struct aliasmem_state *state = (struct aliasmem_state *)priv;
const char *p;
char *alias_string;
TALLOC_CTX *frame;
if (strncmp((const char *)rec->key.dptr, MEMBEROF_PREFIX,
MEMBEROF_PREFIX_LEN) != 0)
return 0;
p = (const char *)rec->value.dptr;
frame = talloc_stackframe();
while (next_token_talloc(frame, &p, &alias_string, " ")) {
struct dom_sid alias, member;
const char *member_string;
uint32_t num_sids;
if (!string_to_sid(&alias, alias_string))
continue;
if (dom_sid_compare(state->alias, &alias) != 0)
continue;
/* Ok, we found the alias we're looking for in the membership
* list currently scanned. The key represents the alias
* member. Add that. */
member_string = strchr((const char *)rec->key.dptr, '/');
/* Above we tested for MEMBEROF_PREFIX which includes the
* slash. */
SMB_ASSERT(member_string != NULL);
member_string += 1;
if (!string_to_sid(&member, member_string))
continue;
num_sids = *state->num;
if (!NT_STATUS_IS_OK(add_sid_to_array(state->mem_ctx, &member,
state->sids,
&num_sids)))
{
/* talloc fail. */
break;
}
*state->num = num_sids;
}
TALLOC_FREE(frame);
return 0;
}
void add_sid_to_array_unique(const DOM_SID *sid, DOM_SID **sids, int *num_sids)
{
int i;
for (i=0; i<(*num_sids); i++) {
if (sid_compare(sid, &(*sids)[i]) == 0)
return;
}
add_sid_to_array(sid, sids, num_sids);
}
static int priv_traverse_fn(struct db_record *rec, void *state)
{
PRIV_SID_LIST *priv = (PRIV_SID_LIST *)state;
int prefixlen = strlen(PRIVPREFIX);
DOM_SID sid;
fstring sid_string;
/* easy check first */
if (rec->value.dsize != sizeof(SE_PRIV) )
return 0;
/* check we have a PRIV_+SID entry */
if ( strncmp((char *)rec->key.dptr, PRIVPREFIX, prefixlen) != 0)
return 0;
/* check to see if we are looking for a particular privilege */
if ( !se_priv_equal(&priv->privilege, &se_priv_none) ) {
SE_PRIV mask;
se_priv_copy( &mask, (SE_PRIV*)rec->value.dptr );
/* if the SID does not have the specified privilege
then just return */
if ( !is_privilege_assigned( &mask, &priv->privilege) )
return 0;
}
fstrcpy( sid_string, (char *)&(rec->key.dptr[strlen(PRIVPREFIX)]) );
/* this is a last ditch safety check to preventing returning
and invalid SID (i've somehow run into this on development branches) */
if ( strcmp( "S-0-0", sid_string ) == 0 )
return 0;
if ( !string_to_sid(&sid, sid_string) ) {
DEBUG(0,("travsersal_fn_enum__acct: Could not convert SID [%s]\n",
sid_string));
return 0;
}
if (!NT_STATUS_IS_OK(add_sid_to_array(priv->mem_ctx, &sid,
&priv->sids.list,
&priv->sids.count)))
{
return 0;
}
return 0;
}
NTSTATUS add_sid_to_array_unique(TALLOC_CTX *mem_ctx, const DOM_SID *sid,
DOM_SID **sids, size_t *num_sids)
{
size_t i;
for (i=0; i<(*num_sids); i++) {
if (sid_compare(sid, &(*sids)[i]) == 0)
return NT_STATUS_OK;
}
return add_sid_to_array(mem_ctx, sid, sids, num_sids);
}
static int priv_traverse_fn(TDB_CONTEXT *t, TDB_DATA key, TDB_DATA data, void *state)
{
PRIV_SID_LIST *priv = state;
int prefixlen = strlen(PRIVPREFIX);
DOM_SID sid;
fstring sid_string;
/* easy check first */
if ( data.dsize != sizeof(SE_PRIV) )
return 0;
/* check we have a PRIV_+SID entry */
if ( strncmp(key.dptr, PRIVPREFIX, prefixlen) != 0)
return 0;
/* check to see if we are looking for a particular privilege */
if ( !se_priv_equal(&priv->privilege, &se_priv_none) ) {
SE_PRIV mask;
se_priv_copy( &mask, (SE_PRIV*)data.dptr );
/* if the SID does not have the specified privilege
then just return */
if ( !is_privilege_assigned( &mask, &priv->privilege) )
return 0;
}
fstrcpy( sid_string, &key.dptr[strlen(PRIVPREFIX)] );
/* this is a last ditch safety check to preventing returning
and invalid SID (i've somehow run into this on development branches) */
if ( strcmp( "S-0-0", sid_string ) == 0 )
return 0;
if ( !string_to_sid(&sid, sid_string) ) {
DEBUG(0,("travsersal_fn_enum__acct: Could not convert SID [%s]\n",
sid_string));
return 0;
}
add_sid_to_array( NULL, &sid, &priv->sids.list, &priv->sids.count );
return 0;
}
struct security_token *registry_create_system_token(TALLOC_CTX *mem_ctx)
{
struct security_token *token = NULL;
token = talloc_zero(mem_ctx, struct security_token);
if (!token) {
DEBUG(1,("talloc failed\n"));
return NULL;
}
token->privilege_mask = SE_ALL_PRIVS;
if (!NT_STATUS_IS_OK(add_sid_to_array(token, &global_sid_System,
&token->sids, &token->num_sids))) {
DEBUG(1,("Error adding nt-authority system sid to token\n"));
return NULL;
}
return token;
}
struct nt_user_token *registry_create_system_token(TALLOC_CTX *mem_ctx)
{
struct nt_user_token *token = NULL;
token = TALLOC_ZERO_P(mem_ctx, struct nt_user_token);
if (!token) {
DEBUG(1,("talloc failed\n"));
return NULL;
}
token->privileges = se_priv_all;
if (!NT_STATUS_IS_OK(add_sid_to_array(token, &global_sid_System,
&token->user_sids, &token->num_sids))) {
DEBUG(1,("Error adding nt-authority system sid to token\n"));
return NULL;
}
return token;
}
bool parse_sidlist(TALLOC_CTX *mem_ctx, const char *sidstr,
DOM_SID **sids, size_t *num_sids)
{
const char *p, *q;
p = sidstr;
if (p == NULL)
return False;
while (p[0] != '\0') {
fstring tmp;
size_t sidlen;
DOM_SID sid;
q = strchr(p, '\n');
if (q == NULL) {
DEBUG(0, ("Got invalid sidstr: %s\n", p));
return False;
}
sidlen = PTR_DIFF(q, p);
if (sidlen >= sizeof(tmp)-1) {
return false;
}
memcpy(tmp, p, sidlen);
tmp[sidlen] = '\0';
q += 1;
if (!string_to_sid(&sid, tmp)) {
DEBUG(0, ("Could not parse sid %s\n", p));
return False;
}
if (!NT_STATUS_IS_OK(add_sid_to_array(mem_ctx, &sid, sids,
num_sids)))
{
return False;
}
p = q;
}
return True;
}
/* Lookup groups a user is a member of. */
static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
const struct dom_sid *sid,
uint32 *p_num_groups, struct dom_sid **user_sids)
{
ADS_STRUCT *ads = NULL;
const char *attrs[] = {"tokenGroups", "primaryGroupID", NULL};
ADS_STATUS rc;
int count;
LDAPMessage *msg = NULL;
char *user_dn = NULL;
struct dom_sid *sids;
int i;
struct dom_sid primary_group;
uint32 primary_group_rid;
NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
uint32_t num_groups = 0;
DEBUG(3,("ads: lookup_usergroups\n"));
*p_num_groups = 0;
status = lookup_usergroups_cached(domain, mem_ctx, sid,
p_num_groups, user_sids);
if (NT_STATUS_IS_OK(status)) {
return NT_STATUS_OK;
}
if ( !winbindd_can_contact_domain( domain ) ) {
DEBUG(10,("lookup_usergroups: No incoming trust for domain %s\n",
domain->name));
/* Tell the cache manager not to remember this one */
return NT_STATUS_SYNCHRONIZATION_REQUIRED;
}
ads = ads_cached_connection(domain);
if (!ads) {
domain->last_status = NT_STATUS_SERVER_DISABLED;
status = NT_STATUS_SERVER_DISABLED;
goto done;
}
rc = ads_search_retry_sid(ads, &msg, sid, attrs);
if (!ADS_ERR_OK(rc)) {
status = ads_ntstatus(rc);
DEBUG(1, ("lookup_usergroups(sid=%s) ads_search tokenGroups: "
"%s\n", sid_string_dbg(sid), ads_errstr(rc)));
goto done;
}
count = ads_count_replies(ads, msg);
if (count != 1) {
status = NT_STATUS_UNSUCCESSFUL;
DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: "
"invalid number of results (count=%d)\n",
sid_string_dbg(sid), count));
goto done;
}
if (!msg) {
DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n",
sid_string_dbg(sid)));
status = NT_STATUS_UNSUCCESSFUL;
goto done;
}
user_dn = ads_get_dn(ads, mem_ctx, msg);
if (user_dn == NULL) {
status = NT_STATUS_NO_MEMORY;
goto done;
}
if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group_rid)) {
DEBUG(1,("%s: No primary group for sid=%s !?\n",
domain->name, sid_string_dbg(sid)));
goto done;
}
sid_compose(&primary_group, &domain->sid, primary_group_rid);
count = ads_pull_sids(ads, mem_ctx, msg, "tokenGroups", &sids);
/* there must always be at least one group in the token,
unless we are talking to a buggy Win2k server */
/* actually this only happens when the machine account has no read
* permissions on the tokenGroup attribute - gd */
if (count == 0) {
/* no tokenGroups */
/* lookup what groups this user is a member of by DN search on
* "memberOf" */
status = lookup_usergroups_memberof(domain, mem_ctx, user_dn,
&primary_group,
&num_groups, user_sids);
*p_num_groups = num_groups;
if (NT_STATUS_IS_OK(status)) {
goto done;
}
/* lookup what groups this user is a member of by DN search on
* "member" */
status = lookup_usergroups_member(domain, mem_ctx, user_dn,
&primary_group,
&num_groups, user_sids);
*p_num_groups = num_groups;
goto done;
}
*user_sids = NULL;
num_groups = 0;
status = add_sid_to_array(mem_ctx, &primary_group, user_sids,
&num_groups);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
for (i=0;i<count;i++) {
/* ignore Builtin groups from ADS - Guenther */
if (sid_check_is_in_builtin(&sids[i])) {
continue;
}
status = add_sid_to_array_unique(mem_ctx, &sids[i],
user_sids, &num_groups);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
}
*p_num_groups = (uint32)num_groups;
status = (*user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
DEBUG(3,("ads lookup_usergroups (tokenGroups) succeeded for sid=%s\n",
sid_string_dbg(sid)));
done:
TALLOC_FREE(user_dn);
ads_msgfree(ads, msg);
return status;
}
/* Lookup groups a user is a member of - alternate method, for when
tokenGroups are not available. */
static NTSTATUS lookup_usergroups_memberof(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
const char *user_dn,
struct dom_sid *primary_group,
uint32_t *p_num_groups,
struct dom_sid **user_sids)
{
ADS_STATUS rc;
NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
ADS_STRUCT *ads;
const char *attrs[] = {"memberOf", NULL};
uint32_t num_groups = 0;
struct dom_sid *group_sids = NULL;
int i;
char **strings = NULL;
size_t num_strings = 0, num_sids = 0;
DEBUG(3,("ads: lookup_usergroups_memberof\n"));
if ( !winbindd_can_contact_domain( domain ) ) {
DEBUG(10,("lookup_usergroups_memberof: No incoming trust for "
"domain %s\n", domain->name));
return NT_STATUS_OK;
}
ads = ads_cached_connection(domain);
if (!ads) {
domain->last_status = NT_STATUS_SERVER_DISABLED;
return NT_STATUS_UNSUCCESSFUL;
}
rc = ads_search_retry_extended_dn_ranged(ads, mem_ctx, user_dn, attrs,
ADS_EXTENDED_DN_HEX_STRING,
&strings, &num_strings);
if (!ADS_ERR_OK(rc)) {
DEBUG(1,("lookup_usergroups_memberof ads_search "
"member=%s: %s\n", user_dn, ads_errstr(rc)));
return ads_ntstatus(rc);
}
*user_sids = NULL;
num_groups = 0;
/* always add the primary group to the sid array */
status = add_sid_to_array(mem_ctx, primary_group, user_sids,
&num_groups);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
group_sids = talloc_zero_array(mem_ctx, struct dom_sid, num_strings + 1);
if (!group_sids) {
status = NT_STATUS_NO_MEMORY;
goto done;
}
for (i=0; i<num_strings; i++) {
rc = ads_get_sid_from_extended_dn(mem_ctx, strings[i],
ADS_EXTENDED_DN_HEX_STRING,
&(group_sids)[i]);
if (!ADS_ERR_OK(rc)) {
/* ignore members without SIDs */
if (NT_STATUS_EQUAL(ads_ntstatus(rc),
NT_STATUS_NOT_FOUND)) {
continue;
}
else {
status = ads_ntstatus(rc);
goto done;
}
}
num_sids++;
}
if (i == 0) {
DEBUG(1,("No memberOf for this user?!?\n"));
status = NT_STATUS_NO_MEMORY;
goto done;
}
for (i=0; i<num_sids; i++) {
/* ignore Builtin groups from ADS - Guenther */
if (sid_check_is_in_builtin(&group_sids[i])) {
continue;
}
status = add_sid_to_array(mem_ctx, &group_sids[i], user_sids,
&num_groups);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
}
*p_num_groups = num_groups;
status = (*user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
DEBUG(3,("ads lookup_usergroups (memberof) succeeded for dn=%s\n",
user_dn));
done:
TALLOC_FREE(strings);
TALLOC_FREE(group_sids);
return status;
}
/* Lookup groups a user is a member of - alternate method, for when
tokenGroups are not available. */
static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
const char *user_dn,
struct dom_sid *primary_group,
uint32_t *p_num_groups, struct dom_sid **user_sids)
{
ADS_STATUS rc;
NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
int count;
LDAPMessage *res = NULL;
LDAPMessage *msg = NULL;
char *ldap_exp;
ADS_STRUCT *ads;
const char *group_attrs[] = {"objectSid", NULL};
char *escaped_dn;
uint32_t num_groups = 0;
DEBUG(3,("ads: lookup_usergroups_member\n"));
if ( !winbindd_can_contact_domain( domain ) ) {
DEBUG(10,("lookup_usergroups_members: No incoming trust for domain %s\n",
domain->name));
return NT_STATUS_OK;
}
ads = ads_cached_connection(domain);
if (!ads) {
domain->last_status = NT_STATUS_SERVER_DISABLED;
goto done;
}
if (!(escaped_dn = escape_ldap_string(talloc_tos(), user_dn))) {
status = NT_STATUS_NO_MEMORY;
goto done;
}
ldap_exp = talloc_asprintf(mem_ctx,
"(&(member=%s)(objectCategory=group)(groupType:dn:%s:=%d))",
escaped_dn,
ADS_LDAP_MATCHING_RULE_BIT_AND,
GROUP_TYPE_SECURITY_ENABLED);
if (!ldap_exp) {
DEBUG(1,("lookup_usergroups(dn=%s) asprintf failed!\n", user_dn));
TALLOC_FREE(escaped_dn);
status = NT_STATUS_NO_MEMORY;
goto done;
}
TALLOC_FREE(escaped_dn);
rc = ads_search_retry(ads, &res, ldap_exp, group_attrs);
if (!ADS_ERR_OK(rc) || !res) {
DEBUG(1,("lookup_usergroups ads_search member=%s: %s\n", user_dn, ads_errstr(rc)));
return ads_ntstatus(rc);
}
count = ads_count_replies(ads, res);
*user_sids = NULL;
num_groups = 0;
/* always add the primary group to the sid array */
status = add_sid_to_array(mem_ctx, primary_group, user_sids,
&num_groups);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
if (count > 0) {
for (msg = ads_first_entry(ads, res); msg;
msg = ads_next_entry(ads, msg)) {
struct dom_sid group_sid;
if (!ads_pull_sid(ads, msg, "objectSid", &group_sid)) {
DEBUG(1,("No sid for this group ?!?\n"));
continue;
}
/* ignore Builtin groups from ADS - Guenther */
if (sid_check_is_in_builtin(&group_sid)) {
continue;
}
status = add_sid_to_array(mem_ctx, &group_sid,
user_sids, &num_groups);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
}
}
*p_num_groups = num_groups;
status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
DEBUG(3,("ads lookup_usergroups (member) succeeded for dn=%s\n", user_dn));
done:
if (res)
ads_msgfree(ads, res);
return status;
}
NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx,
const struct netr_SamInfo3 *info3,
struct dom_sid **user_sids,
uint32_t *num_user_sids,
bool include_user_group_rid)
{
NTSTATUS status;
struct dom_sid sid;
struct dom_sid *sid_array = NULL;
uint32_t num_sids = 0;
int i;
if (include_user_group_rid) {
if (!sid_compose(&sid, info3->base.domain_sid, info3->base.rid)) {
DEBUG(3, ("could not compose user SID from rid 0x%x\n",
info3->base.rid));
return NT_STATUS_INVALID_PARAMETER;
}
status = add_sid_to_array(mem_ctx, &sid, &sid_array, &num_sids);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(3, ("could not append user SID from rid 0x%x\n",
info3->base.rid));
return status;
}
}
if (!sid_compose(&sid, info3->base.domain_sid, info3->base.primary_gid)) {
DEBUG(3, ("could not compose group SID from rid 0x%x\n",
info3->base.primary_gid));
return NT_STATUS_INVALID_PARAMETER;
}
status = add_sid_to_array(mem_ctx, &sid, &sid_array, &num_sids);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(3, ("could not append group SID from rid 0x%x\n",
info3->base.rid));
return status;
}
for (i = 0; i < info3->base.groups.count; i++) {
/* Don't add the primary group sid twice. */
if (info3->base.primary_gid == info3->base.groups.rids[i].rid) {
continue;
}
if (!sid_compose(&sid, info3->base.domain_sid,
info3->base.groups.rids[i].rid)) {
DEBUG(3, ("could not compose SID from additional group "
"rid 0x%x\n", info3->base.groups.rids[i].rid));
return NT_STATUS_INVALID_PARAMETER;
}
status = add_sid_to_array(mem_ctx, &sid, &sid_array, &num_sids);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(3, ("could not append SID from additional group "
"rid 0x%x\n", info3->base.groups.rids[i].rid));
return status;
}
}
/* Copy 'other' sids. We need to do sid filtering here to
prevent possible elevation of privileges. See:
http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp
*/
for (i = 0; i < info3->sidcount; i++) {
status = add_sid_to_array(mem_ctx, info3->sids[i].sid,
&sid_array, &num_sids);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(3, ("could not add SID to array: %s\n",
sid_string_dbg(info3->sids[i].sid)));
return status;
}
}
*user_sids = sid_array;
*num_user_sids = num_sids;
return NT_STATUS_OK;
}
enum winbindd_result winbindd_dual_getsidaliases(struct winbindd_domain *domain,
struct winbindd_cli_state *state)
{
DOM_SID *sids = NULL;
size_t num_sids = 0;
char *sidstr = NULL;
ssize_t len;
size_t i;
uint32 num_aliases;
uint32 *alias_rids;
NTSTATUS result;
DEBUG(3, ("[%5lu]: getsidaliases\n", (unsigned long)state->pid));
sidstr = state->request->extra_data.data;
if (sidstr == NULL) {
sidstr = talloc_strdup(state->mem_ctx, "\n"); /* No SID */
if (!sidstr) {
DEBUG(0, ("Out of memory\n"));
return WINBINDD_ERROR;
}
}
DEBUG(10, ("Sidlist: %s\n", sidstr));
if (!parse_sidlist(state->mem_ctx, sidstr, &sids, &num_sids)) {
DEBUG(0, ("Could not parse SID list: %s\n", sidstr));
return WINBINDD_ERROR;
}
num_aliases = 0;
alias_rids = NULL;
result = domain->methods->lookup_useraliases(domain,
state->mem_ctx,
num_sids, sids,
&num_aliases,
&alias_rids);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(3, ("Could not lookup_useraliases: %s\n",
nt_errstr(result)));
return WINBINDD_ERROR;
}
num_sids = 0;
sids = NULL;
sidstr = NULL;
DEBUG(10, ("Got %d aliases\n", num_aliases));
for (i=0; i<num_aliases; i++) {
DOM_SID sid;
DEBUGADD(10, (" rid %d\n", alias_rids[i]));
sid_copy(&sid, &domain->sid);
sid_append_rid(&sid, alias_rids[i]);
result = add_sid_to_array(state->mem_ctx, &sid, &sids,
&num_sids);
if (!NT_STATUS_IS_OK(result)) {
return WINBINDD_ERROR;
}
}
if (!print_sidlist(state->mem_ctx, sids, num_sids, &sidstr, &len)) {
DEBUG(0, ("Could not print_sidlist\n"));
state->response->extra_data.data = NULL;
return WINBINDD_ERROR;
}
state->response->extra_data.data = NULL;
if (sidstr) {
state->response->extra_data.data = sidstr;
DEBUG(10, ("aliases_list: %s\n",
(char *)state->response->extra_data.data));
state->response->length += len+1;
state->response->data.num_entries = num_sids;
}
return WINBINDD_OK;
}
