static int net_lookup_sid(struct net_context *c, int argc, const char **argv)
{
const char *dom, *name;
struct dom_sid sid;
enum lsa_SidType type;
if (argc != 1) {
d_printf("%s\n%s",
_("Usage:"),
_(" net lookup sid <sid>\n"));
return -1;
}
if (!string_to_sid(&sid, argv[0])) {
d_printf(_("Could not convert %s to SID\n"), argv[0]);
return -1;
}
if (!lookup_sid(talloc_tos(), &sid,
&dom, &name, &type)) {
d_printf(_("Could not lookup name %s\n"), argv[0]);
return -1;
}
d_printf("%s %d (%s) %s\\%s\n", sid_string_tos(&sid),
type, sid_type_lookup(type), dom, name);
return 0;
}
/*
convert a domain SID to a user or group name
*/
static NTSTATUS sid_to_name(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
const DOM_SID *sid,
char **domain_name,
char **name,
enum lsa_SidType *type)
{
const char *dom, *nam;
DEBUG(10, ("Converting SID %s\n", sid_string_static(sid)));
/* Paranoia check */
if (!sid_check_is_in_builtin(sid) &&
!sid_check_is_in_our_domain(sid)) {
DEBUG(0, ("Possible deadlock: Trying to lookup SID %s with "
"passdb backend\n", sid_string_static(sid)));
return NT_STATUS_NONE_MAPPED;
}
if (!lookup_sid(mem_ctx, sid, &dom, &nam, type)) {
return NT_STATUS_NONE_MAPPED;
}
*domain_name = talloc_strdup(mem_ctx, dom);
*name = talloc_strdup(mem_ctx, nam);
return NT_STATUS_OK;
}
NTSTATUS pdb_create_builtin_alias(uint32 rid)
{
DOM_SID sid;
enum lsa_SidType type;
gid_t gid;
GROUP_MAP map;
TALLOC_CTX *mem_ctx;
NTSTATUS status;
const char *name = NULL;
fstring groupname;
DEBUG(10, ("Trying to create builtin alias %d\n", rid));
if ( !sid_compose( &sid, &global_sid_Builtin, rid ) ) {
return NT_STATUS_NO_SUCH_ALIAS;
}
if ( (mem_ctx = talloc_new(NULL)) == NULL ) {
return NT_STATUS_NO_MEMORY;
}
if ( !lookup_sid(mem_ctx, &sid, NULL, &name, &type) ) {
TALLOC_FREE( mem_ctx );
return NT_STATUS_NO_SUCH_ALIAS;
}
/* validate RID so copy the name and move on */
fstrcpy( groupname, name );
TALLOC_FREE( mem_ctx );
if (!winbind_allocate_gid(&gid)) {
DEBUG(3, ("pdb_create_builtin_alias: Could not get a gid out of winbind\n"));
return NT_STATUS_ACCESS_DENIED;
}
DEBUG(10,("Creating alias %s with gid %d\n", groupname, gid));
map.gid = gid;
sid_copy(&map.sid, &sid);
map.sid_name_use = SID_NAME_ALIAS;
fstrcpy(map.nt_name, groupname);
fstrcpy(map.comment, "");
status = pdb_add_group_mapping_entry(&map);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("pdb_create_builtin_alias: Could not add group mapping entry for alias %d "
"(%s)\n", rid, nt_errstr(status)));
}
return status;
}
static NTSTATUS rids_to_names(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
const DOM_SID *domain_sid,
uint32 *rids,
size_t num_rids,
char **domain_name,
char ***names,
enum lsa_SidType **types)
{
size_t i;
bool have_mapped;
bool have_unmapped;
*domain_name = NULL;
*names = NULL;
*types = NULL;
if (!num_rids) {
return NT_STATUS_OK;
}
*names = TALLOC_ARRAY(mem_ctx, char *, num_rids);
*types = TALLOC_ARRAY(mem_ctx, enum lsa_SidType, num_rids);
if ((*names == NULL) || (*types == NULL)) {
return NT_STATUS_NO_MEMORY;
}
have_mapped = have_unmapped = false;
for (i=0; i<num_rids; i++) {
DOM_SID sid;
const char *dom = NULL, *nam = NULL;
enum lsa_SidType type = SID_NAME_UNKNOWN;
if (!sid_compose(&sid, domain_sid, rids[i])) {
return NT_STATUS_INTERNAL_ERROR;
}
if (!lookup_sid(mem_ctx, &sid, &dom, &nam, &type)) {
have_unmapped = true;
(*types)[i] = SID_NAME_UNKNOWN;
(*names)[i] = talloc_strdup(mem_ctx, "");
} else {
have_mapped = true;
(*types)[i] = type;
(*names)[i] = CONST_DISCARD(char *, nam);
}
if (domain_name == NULL) {
*domain_name = CONST_DISCARD(char *, dom);
} else {
//Store the mask and username in the file_perms structure.
//call lookup_sid to get the username
void acl_info( PACL pACL, ULONG AceCount, file_perms fp[]){
for (ULONG acl_index = 0;acl_index < AceCount;acl_index++){
ACCESS_ALLOWED_ACE* pACE;
if (GetAce(pACL, acl_index, (PVOID*)&pACE))
{
char user_domain[2050]="";
lookup_sid(pACE,user_domain);
strcpy(fp[acl_index].user_domain,user_domain);
fp[acl_index].user_mask=(ULONG)pACE->Mask;
}
}
}
static BOOL nt_to_afs_acl(const char *filename,
uint32 security_info_sent,
struct security_descriptor *psd,
uint32 (*nt_to_afs_rights)(const char *filename,
const SEC_ACE *ace),
struct afs_acl *afs_acl)
{
SEC_ACL *dacl;
int i;
/* Currently we *only* look at the dacl */
if (((security_info_sent & DACL_SECURITY_INFORMATION) == 0) ||
(psd->dacl == NULL))
return True;
if (!init_afs_acl(afs_acl))
return False;
dacl = psd->dacl;
for (i = 0; i < dacl->num_aces; i++) {
SEC_ACE *ace = &(dacl->ace[i]);
const char *dom_name, *name;
enum lsa_SidType name_type;
char *p;
if (ace->type != SEC_ACE_TYPE_ACCESS_ALLOWED) {
/* First cut: Only positive ACEs */
return False;
}
if (!mappable_sid(&ace->trustee)) {
DEBUG(10, ("Ignoring unmappable SID %s\n",
sid_string_static(&ace->trustee)));
continue;
}
if (sid_compare(&ace->trustee,
&global_sid_Builtin_Administrators) == 0) {
name = "system:administrators";
} else if (sid_compare(&ace->trustee,
&global_sid_World) == 0) {
name = "system:anyuser";
} else if (sid_compare(&ace->trustee,
&global_sid_Authenticated_Users) == 0) {
name = "system:authuser";
} else if (sid_compare(&ace->trustee,
&global_sid_Builtin_Backup_Operators)
== 0) {
name = "system:backup";
} else {
if (!lookup_sid(tmp_talloc_ctx(), &ace->trustee,
&dom_name, &name, &name_type)) {
DEBUG(1, ("AFSACL: Could not lookup SID %s on file %s\n",
sid_string_static(&ace->trustee), filename));
continue;
}
if ( (name_type == SID_NAME_USER) ||
(name_type == SID_NAME_DOM_GRP) ||
(name_type == SID_NAME_ALIAS) ) {
char *tmp;
tmp = talloc_asprintf(tmp_talloc_ctx(), "%s%s%s",
dom_name, lp_winbind_separator(),
name);
if (tmp == NULL) {
return False;
}
strlower_m(tmp);
name = tmp;
}
if (sidpts) {
/* Expect all users/groups in pts as SIDs */
name = talloc_strdup(
tmp_talloc_ctx(),
sid_string_static(&ace->trustee));
if (name == NULL) {
return False;
}
}
}
while ((p = strchr_m(name, ' ')) != NULL)
*p = space_replacement;
add_afs_ace(afs_acl, True, name,
nt_to_afs_rights(filename, ace));
}
return True;
}
static struct afs_ace *new_afs_ace(TALLOC_CTX *mem_ctx,
BOOL positive,
const char *name, uint32 rights)
{
DOM_SID sid;
enum lsa_SidType type;
struct afs_ace *result;
if (strcmp(name, "system:administrators") == 0) {
sid_copy(&sid, &global_sid_Builtin_Administrators);
type = SID_NAME_ALIAS;
} else if (strcmp(name, "system:anyuser") == 0) {
sid_copy(&sid, &global_sid_World);
type = SID_NAME_ALIAS;
} else if (strcmp(name, "system:authuser") == 0) {
sid_copy(&sid, &global_sid_Authenticated_Users);
type = SID_NAME_WKN_GRP;
} else if (strcmp(name, "system:backup") == 0) {
sid_copy(&sid, &global_sid_Builtin_Backup_Operators);
type = SID_NAME_ALIAS;
} else if (sidpts) {
/* All PTS users/groups are expressed as SIDs */
sid_copy(&sid, &global_sid_NULL);
type = SID_NAME_UNKNOWN;
if (string_to_sid(&sid, name)) {
const char *user, *domain;
/* We have to find the type, look up the SID */
lookup_sid(tmp_talloc_ctx(), &sid,
&domain, &user, &type);
}
} else {
const char *domain, *uname;
char *p;
p = strchr_m(name, *lp_winbind_separator());
if (p != NULL) {
*p = '\\';
}
if (!lookup_name(tmp_talloc_ctx(), name, LOOKUP_NAME_ALL,
&domain, &uname, &sid, &type)) {
DEBUG(10, ("Could not find AFS user %s\n", name));
sid_copy(&sid, &global_sid_NULL);
type = SID_NAME_UNKNOWN;
}
}
result = TALLOC_P(mem_ctx, struct afs_ace);
if (result == NULL) {
DEBUG(0, ("Could not talloc AFS ace\n"));
return NULL;
}
result->name = talloc_strdup(mem_ctx, name);
if (result->name == NULL) {
DEBUG(0, ("Could not talloc AFS ace name\n"));
return NULL;
}
result->sid = sid;
result->type = type;
result->positive = positive;
result->rights = rights;
return result;
}
const DOM_SID *pdb_get_group_sid(struct samu *sampass)
{
DOM_SID *gsid;
struct passwd *pwd;
/* Return the cached group SID if we have that */
if ( sampass->group_sid ) {
return sampass->group_sid;
}
/* generate the group SID from the user's primary Unix group */
if ( !(gsid = TALLOC_P( sampass, DOM_SID )) ) {
return NULL;
}
/* No algorithmic mapping, meaning that we have to figure out the
primary group SID according to group mapping and the user SID must
be a newly allocated one. We rely on the user's Unix primary gid.
We have no choice but to fail if we can't find it. */
if ( sampass->unix_pw ) {
pwd = sampass->unix_pw;
} else {
pwd = Get_Pwnam_alloc( sampass, pdb_get_username(sampass) );
}
if ( !pwd ) {
DEBUG(0,("pdb_get_group_sid: Failed to find Unix account for %s\n", pdb_get_username(sampass) ));
return NULL;
}
if ( pdb_gid_to_sid(pwd->pw_gid, gsid) ) {
enum lsa_SidType type = SID_NAME_UNKNOWN;
TALLOC_CTX *mem_ctx = talloc_init("pdb_get_group_sid");
bool lookup_ret;
if (!mem_ctx) {
return NULL;
}
/* Now check that it's actually a domain group and not something else */
lookup_ret = lookup_sid(mem_ctx, gsid, NULL, NULL, &type);
TALLOC_FREE( mem_ctx );
if ( lookup_ret && (type == SID_NAME_DOM_GRP) ) {
sampass->group_sid = gsid;
return sampass->group_sid;
}
DEBUG(3, ("Primary group for user %s is a %s and not a domain group\n",
pwd->pw_name, sid_type_lookup(type)));
}
/* Just set it to the 'Domain Users' RID of 512 which will
always resolve to a name */
sid_compose(gsid, get_global_sam_sid(), DOMAIN_GROUP_RID_USERS);
sampass->group_sid = gsid;
return sampass->group_sid;
}
