/*******************************************************************
compare 2 strings up to and including the nth char.
******************************************************************/
BOOL strnequal(const char *s1,const char *s2,size_t n)
{
if (s1 == s2) return(True);
if (!s1 || !s2 || !n) return(False);
return(StrnCaseCmp(s1,s2,n)==0);
}
/*********************************************************
Figure out if the input was an NT group or a SID string.
Return the SID.
**********************************************************/
static bool get_sid_from_input(DOM_SID *sid, char *input)
{
GROUP_MAP map;
if (StrnCaseCmp( input, "S-", 2)) {
/* Perhaps its the NT group name? */
if (!pdb_getgrnam(&map, input)) {
printf(_("NT Group %s doesn't exist in mapping DB\n"),
input);
return false;
} else {
*sid = map.sid;
}
} else {
if (!string_to_sid(sid, input)) {
printf(_("converting sid %s from a string failed!\n"),
input);
return false;
}
}
return true;
}
/************************************************************************
makes a struct sam_passwd from a NIS+ object.
************************************************************************/
static BOOL make_sam_from_nisp_object(SAM_ACCOUNT *pw_buf, nis_object *obj)
{
char *ptr;
pstring full_name; /* this must be translated to dos code page */
pstring acct_desc; /* this must be translated to dos code page */
pstring home_dir; /* set default value from smb.conf for user */
pstring home_drive; /* set default value from smb.conf for user */
pstring logon_script; /* set default value from smb.conf for user */
pstring profile_path; /* set default value from smb.conf for user */
pstring hours;
int hours_len;
unsigned char smbpwd[16];
unsigned char smbntpwd[16];
/*
* time values. note: this code assumes 32bit time_t!
*/
pdb_set_logon_time(pw_buf, (time_t)0);
ptr = ENTRY_VAL(obj, NPF_LOGON_T);
if(ptr && *ptr && (StrnCaseCmp(ptr, "LNT-", 4)==0)) {
int i;
ptr += 4;
for(i = 0; i < 8; i++) {
if(ptr[i] == '\0' || !isxdigit(ptr[i]))
break;
}
if(i == 8) {
pdb_set_logon_time(pw_buf, (time_t)strtol(ptr, NULL, 16));
}
}
pdb_set_logoff_time(pw_buf, get_time_t_max());
ptr = ENTRY_VAL(obj, NPF_LOGOFF_T);
if(ptr && *ptr && (StrnCaseCmp(ptr, "LOT-", 4)==0)) {
int i;
ptr += 4;
for(i = 0; i < 8; i++) {
if(ptr[i] == '\0' || !isxdigit(ptr[i]))
break;
}
if(i == 8) {
pdb_set_logoff_time(pw_buf, (time_t)strtol(ptr, NULL, 16));
}
}
pdb_set_kickoff_time(pw_buf, get_time_t_max());
ptr = ENTRY_VAL(obj, NPF_KICK_T);
if(ptr && *ptr && (StrnCaseCmp(ptr, "KOT-", 4)==0)) {
int i;
ptr += 4;
for(i = 0; i < 8; i++) {
if(ptr[i] == '\0' || !isxdigit(ptr[i]))
break;
}
if(i == 8) {
pdb_set_kickoff_time(pw_buf, (time_t)strtol(ptr, NULL, 16));
}
}
pdb_set_pass_last_set_time(pw_buf, (time_t)0);
ptr = ENTRY_VAL(obj, NPF_PWDLSET_T);
if(ptr && *ptr && (StrnCaseCmp(ptr, "LCT-", 4)==0)) {
int i;
ptr += 4;
for(i = 0; i < 8; i++) {
if(ptr[i] == '\0' || !isxdigit(ptr[i]))
break;
}
if(i == 8) {
pdb_set_pass_last_set_time(pw_buf, (time_t)strtol(ptr, NULL, 16));
}
}
pdb_set_pass_can_change_time(pw_buf, (time_t)0);
ptr = ENTRY_VAL(obj, NPF_PWDCCHG_T);
if(ptr && *ptr && (StrnCaseCmp(ptr, "CCT-", 4)==0)) {
int i;
ptr += 4;
for(i = 0; i < 8; i++) {
if(ptr[i] == '\0' || !isxdigit(ptr[i]))
break;
}
if(i == 8) {
pdb_set_pass_can_change_time(pw_buf, (time_t)strtol(ptr, NULL, 16));
}
}
pdb_set_pass_must_change_time(pw_buf, get_time_t_max()); /* Password never expires. */
ptr = ENTRY_VAL(obj, NPF_PWDMCHG_T);
if(ptr && *ptr && (StrnCaseCmp(ptr, "MCT-", 4)==0)) {
int i;
ptr += 4;
for(i = 0; i < 8; i++) {
if(ptr[i] == '\0' || !isxdigit(ptr[i]))
break;
}
if(i == 8) {
pdb_set_pass_must_change_time(pw_buf, (time_t)strtol(ptr, NULL, 16));
}
}
/* string values */
pdb_set_username(pw_buf, ENTRY_VAL(obj, NPF_NAME));
pdb_set_domain(pw_buf, lp_workgroup());
/* pdb_set_nt_username() -- cant set it here... */
get_single_attribute(obj, NPF_FULL_NAME, full_name, sizeof(pstring));
unix_to_dos(full_name);
pdb_set_fullname(pw_buf, full_name);
pdb_set_acct_ctrl(pw_buf, pdb_decode_acct_ctrl(ENTRY_VAL(obj,
NPF_ACB)));
get_single_attribute(obj, NPF_ACCT_DESC, acct_desc, sizeof(pstring));
unix_to_dos(acct_desc);
pdb_set_acct_desc(pw_buf, acct_desc);
pdb_set_workstations(pw_buf, ENTRY_VAL(obj, NPF_WORKSTATIONS));
pdb_set_munged_dial(pw_buf, NULL);
/* Might want to consult sys_getpwnam for the following two.
for now, use same default as pdb_fill-default_sam */
ptr = ENTRY_VAL(obj, NPF_UID);
pdb_set_uid(pw_buf, ptr ? atoi(ptr) : -1);
ptr = ENTRY_VAL(obj, NPF_SMB_GRPID);
pdb_set_gid(pw_buf, ptr ? atoi(ptr) : -1);
ptr = ENTRY_VAL(obj, NPF_USER_RID);
pdb_set_user_rid(pw_buf, ptr ? atoi(ptr) :
pdb_uid_to_user_rid(pdb_get_uid(pw_buf)));
ptr = ENTRY_VAL(obj, NPF_GROUP_RID);
pdb_set_group_rid(pw_buf, ptr ? atoi(ptr) :
pdb_gid_to_group_rid(pdb_get_gid(pw_buf)));
/* values, must exist for user */
if( !(pdb_get_acct_ctrl(pw_buf) & ACB_WSTRUST) ) {
/* FIXME!! This doesn't belong here.
Should be set in net_sam_logon()
--jerry */
pstrcpy(samlogon_user, pdb_get_username(pw_buf));
get_single_attribute(obj, NPF_HOME_DIR, home_dir, sizeof(pstring));
if( !(home_dir && *home_dir) ) {
pstrcpy(home_dir, lp_logon_home());
pdb_set_homedir(pw_buf, home_dir, False);
}
else
pdb_set_homedir(pw_buf, home_dir, True);
get_single_attribute(obj, NPF_DIR_DRIVE, home_drive, sizeof(pstring));
if( !(home_drive && *home_drive) ) {
pstrcpy(home_drive, lp_logon_drive());
pdb_set_dir_drive(pw_buf, home_drive, False);
}
else
pdb_set_dir_drive(pw_buf, home_drive, True);
get_single_attribute(obj, NPF_LOGON_SCRIPT, logon_script,
sizeof(pstring));
if( !(logon_script && *logon_script) ) {
pstrcpy(logon_script, lp_logon_script());
pdb_set_logon_script(pw_buf, logon_script, False);
}
else
pdb_set_logon_script(pw_buf, logon_script, True);
get_single_attribute(obj, NPF_PROFILE_PATH, profile_path, sizeof(pstring));
if( !(profile_path && *profile_path) ) {
pstrcpy(profile_path, lp_logon_path());
pdb_set_profile_path(pw_buf, profile_path, False);
}
else
pdb_set_profile_path(pw_buf, profile_path, True);
}
else
{
/* lkclXXXX this is OBSERVED behaviour by NT PDCs, enforced here. */
pdb_set_group_rid (pw_buf, DOMAIN_GROUP_RID_USERS);
}
/* Check the lanman password column. */
ptr = ENTRY_VAL(obj, NPF_LMPWD);
if (!pdb_set_lanman_passwd(pw_buf, NULL))
return False;
if (!strncasecmp(ptr, "NO PASSWORD", 11)) {
pdb_set_acct_ctrl(pw_buf, pdb_get_acct_ctrl(pw_buf) | ACB_PWNOTREQ);
} else {
if (strlen(ptr) != 32 || !pdb_gethexpwd(ptr, smbpwd)) {
DEBUG(0, ("malformed LM pwd entry: %s.\n",
pdb_get_username(pw_buf)));
return False;
}
if (!pdb_set_lanman_passwd(pw_buf, smbpwd))
return False;
}
/* Check the NT password column. */
ptr = ENTRY_VAL(obj, NPF_NTPWD);
if (!pdb_set_nt_passwd(pw_buf, NULL))
return False;
if (!(pdb_get_acct_ctrl(pw_buf) & ACB_PWNOTREQ) &&
strncasecmp(ptr, "NO PASSWORD", 11)) {
if (strlen(ptr) != 32 || !pdb_gethexpwd(ptr, smbntpwd)) {
DEBUG(0, ("malformed NT pwd entry:\
uid = %d.\n",
pdb_get_uid(pw_buf)));
return False;
}
if (!pdb_set_nt_passwd(pw_buf, smbntpwd))
return False;
}
int main(int argc, const char **argv)
{
int opt;
static const char *helper_protocol;
static int diagnostics;
static const char *hex_challenge;
static const char *hex_lm_response;
static const char *hex_nt_response;
poptContext pc;
/* NOTE: DO NOT change this interface without considering the implications!
This is an external interface, which other programs will use to interact
with this helper.
*/
/* We do not use single-letter command abbreviations, because they harm future
interface stability. */
struct poptOption long_options[] = {
POPT_AUTOHELP
{ "helper-protocol", 0, POPT_ARG_STRING, &helper_protocol, OPT_DOMAIN, "operate as a stdio-based helper", "helper protocol to use"},
{ "username", 0, POPT_ARG_STRING, &opt_username, OPT_USERNAME, "username"},
{ "domain", 0, POPT_ARG_STRING, &opt_domain, OPT_DOMAIN, "domain name"},
{ "workstation", 0, POPT_ARG_STRING, &opt_workstation, OPT_WORKSTATION, "workstation"},
{ "challenge", 0, POPT_ARG_STRING, &hex_challenge, OPT_CHALLENGE, "challenge (HEX encoded)"},
{ "lm-response", 0, POPT_ARG_STRING, &hex_lm_response, OPT_LM, "LM Response to the challenge (HEX encoded)"},
{ "nt-response", 0, POPT_ARG_STRING, &hex_nt_response, OPT_NT, "NT or NTLMv2 Response to the challenge (HEX encoded)"},
{ "password", 0, POPT_ARG_STRING, &opt_password, OPT_PASSWORD, "User's plaintext password"},
{ "request-lm-key", 0, POPT_ARG_NONE, &request_lm_key, OPT_LM_KEY, "Retrieve LM session key"},
{ "request-nt-key", 0, POPT_ARG_NONE, &request_user_session_key, OPT_USER_SESSION_KEY, "Retrieve User (NT) session key"},
{ "diagnostics", 0, POPT_ARG_NONE, &diagnostics, OPT_DIAGNOSTICS, "Perform diagnostics on the authentictaion chain"},
{ "require-membership-of", 0, POPT_ARG_STRING, &require_membership_of, OPT_REQUIRE_MEMBERSHIP, "Require that a user be a member of this group (either name or SID) for authentication to succeed" },
POPT_COMMON_SAMBA
POPT_TABLEEND
};
/* Samba client initialisation */
load_case_tables();
dbf = x_stderr;
/* Samba client initialisation */
if (!lp_load(dyn_CONFIGFILE, True, False, False, True)) {
d_fprintf(stderr, "ntlm_auth: error opening config file %s. Error was %s\n",
dyn_CONFIGFILE, strerror(errno));
exit(1);
}
/* Parse options */
pc = poptGetContext("ntlm_auth", argc, argv, long_options, 0);
/* Parse command line options */
if (argc == 1) {
poptPrintHelp(pc, stderr, 0);
return 1;
}
pc = poptGetContext(NULL, argc, (const char **)argv, long_options,
POPT_CONTEXT_KEEP_FIRST);
while((opt = poptGetNextOpt(pc)) != -1) {
switch (opt) {
case OPT_CHALLENGE:
opt_challenge = strhex_to_data_blob(NULL, hex_challenge);
if (opt_challenge.length != 8) {
x_fprintf(x_stderr, "hex decode of %s failed! (only got %d bytes)\n",
hex_challenge,
(int)opt_challenge.length);
exit(1);
}
break;
case OPT_LM:
opt_lm_response = strhex_to_data_blob(NULL, hex_lm_response);
if (opt_lm_response.length != 24) {
x_fprintf(x_stderr, "hex decode of %s failed! (only got %d bytes)\n",
hex_lm_response,
(int)opt_lm_response.length);
exit(1);
}
break;
case OPT_NT:
opt_nt_response = strhex_to_data_blob(NULL, hex_nt_response);
if (opt_nt_response.length < 24) {
x_fprintf(x_stderr, "hex decode of %s failed! (only got %d bytes)\n",
hex_nt_response,
(int)opt_nt_response.length);
exit(1);
}
break;
case OPT_REQUIRE_MEMBERSHIP:
if (StrnCaseCmp("S-", require_membership_of, 2) == 0) {
require_membership_of_sid = require_membership_of;
}
break;
}
}
if (opt_username) {
char *domain = SMB_STRDUP(opt_username);
char *p = strchr_m(domain, *lp_winbind_separator());
if (p) {
opt_username = p+1;
*p = '\0';
if (opt_domain && !strequal(opt_domain, domain)) {
x_fprintf(x_stderr, "Domain specified in username (%s) "
"doesn't match specified domain (%s)!\n\n",
domain, opt_domain);
poptPrintHelp(pc, stderr, 0);
exit(1);
}
opt_domain = domain;
} else {
SAFE_FREE(domain);
}
}
if (opt_domain == NULL || !*opt_domain) {
opt_domain = get_winbind_domain();
}
if (opt_workstation == NULL) {
opt_workstation = "";
}
if (helper_protocol) {
int i;
for (i=0; i<NUM_HELPER_MODES; i++) {
if (strcmp(helper_protocol, stdio_helper_protocols[i].name) == 0) {
squid_stream(stdio_helper_protocols[i].mode, stdio_helper_protocols[i].fn);
exit(0);
}
}
x_fprintf(x_stderr, "unknown helper protocol [%s]\n\nValid helper protools:\n\n", helper_protocol);
for (i=0; i<NUM_HELPER_MODES; i++) {
x_fprintf(x_stderr, "%s\n", stdio_helper_protocols[i].name);
}
exit(1);
}
if (!opt_username || !*opt_username) {
x_fprintf(x_stderr, "username must be specified!\n\n");
poptPrintHelp(pc, stderr, 0);
exit(1);
}
if (opt_challenge.length) {
if (!check_auth_crap()) {
exit(1);
}
exit(0);
}
if (!opt_password) {
opt_password = getpass("password: "******"%s%c%s", opt_domain, winbind_separator(), opt_username);
if (!check_plaintext_auth(user, opt_password, True)) {
return 1;
}
}
/* Exit code */
poptFreeContext(pc);
return 0;
}
BOOL string_to_sid(DOM_SID *sidout, const char *sidstr)
{
pstring tok;
char *q;
const char *p;
/* BIG NOTE: this function only does SIDS where the identauth is not >= 2^32 */
uint32 ia;
if (StrnCaseCmp( sidstr, "S-", 2)) {
DEBUG(0,("string_to_sid: Sid %s does not start with 'S-'.\n", sidstr));
return False;
}
memset((char *)sidout, '\0', sizeof(DOM_SID));
p = q = SMB_STRDUP(sidstr + 2);
if (p == NULL) {
DEBUG(0, ("string_to_sid: out of memory!\n"));
return False;
}
if (!next_token(&p, tok, "-", sizeof(tok))) {
DEBUG(0,("string_to_sid: Sid %s is not in a valid format.\n", sidstr));
SAFE_FREE(q);
return False;
}
/* Get the revision number. */
sidout->sid_rev_num = (uint8)strtoul(tok, NULL, 10);
if (!next_token(&p, tok, "-", sizeof(tok))) {
DEBUG(0,("string_to_sid: Sid %s is not in a valid format.\n", sidstr));
SAFE_FREE(q);
return False;
}
/* identauth in decimal should be < 2^32 */
ia = (uint32)strtoul(tok, NULL, 10);
/* NOTE - the ia value is in big-endian format. */
sidout->id_auth[0] = 0;
sidout->id_auth[1] = 0;
sidout->id_auth[2] = (ia & 0xff000000) >> 24;
sidout->id_auth[3] = (ia & 0x00ff0000) >> 16;
sidout->id_auth[4] = (ia & 0x0000ff00) >> 8;
sidout->id_auth[5] = (ia & 0x000000ff);
sidout->num_auths = 0;
while(next_token(&p, tok, "-", sizeof(tok)) &&
sidout->num_auths < MAXSUBAUTHS) {
/*
* NOTE - the subauths are in native machine-endian format. They
* are converted to little-endian when linearized onto the wire.
*/
sid_append_rid(sidout, (uint32)strtoul(tok, NULL, 10));
}
SAFE_FREE(q);
return True;
}
/*********************************************************
List the groups.
**********************************************************/
static int net_groupmap_list(struct net_context *c, int argc, const char **argv)
{
size_t entries;
bool long_list = false;
size_t i;
fstring ntgroup = "";
fstring sid_string = "";
const char list_usage_str[] = N_("net groupmap list [verbose] "
"[ntgroup=NT group] [sid=SID]\n"
" verbose\tPrint verbose list\n"
" ntgroup\tNT group to list\n"
" sid\tSID of group to list");
if (c->display_usage) {
d_printf("%s\n%s\n", _("Usage: "), list_usage_str);
return 0;
}
if (c->opt_verbose || c->opt_long_list_entries)
long_list = true;
/* get the options */
for ( i=0; i<argc; i++ ) {
if ( !StrCaseCmp(argv[i], "verbose")) {
long_list = true;
}
else if ( !StrnCaseCmp(argv[i], "ntgroup", strlen("ntgroup")) ) {
fstrcpy( ntgroup, get_string_param( argv[i] ) );
if ( !ntgroup[0] ) {
d_fprintf(stderr, _("must supply a name\n"));
return -1;
}
}
else if ( !StrnCaseCmp(argv[i], "sid", strlen("sid")) ) {
fstrcpy( sid_string, get_string_param( argv[i] ) );
if ( !sid_string[0] ) {
d_fprintf(stderr, _("must supply a SID\n"));
return -1;
}
}
else {
d_fprintf(stderr, _("Bad option: %s\n"), argv[i]);
d_printf("%s\n%s\n", _("Usage:"), list_usage_str);
return -1;
}
}
/* list a single group is given a name */
if ( ntgroup[0] || sid_string[0] ) {
DOM_SID sid;
GROUP_MAP map;
if ( sid_string[0] )
fstrcpy( ntgroup, sid_string);
if (!get_sid_from_input(&sid, ntgroup)) {
return -1;
}
/* Get the current mapping from the database */
if(!pdb_getgrsid(&map, sid)) {
d_fprintf(stderr,
_("Failure to local group SID in the "
"database\n"));
return -1;
}
print_map_entry( map, long_list );
}
else {
GROUP_MAP *map=NULL;
/* enumerate all group mappings */
if (!pdb_enum_group_mapping(NULL, SID_NAME_UNKNOWN, &map, &entries, ENUM_ALL_MAPPED))
return -1;
for (i=0; i<entries; i++) {
print_map_entry( map[i], long_list );
}
SAFE_FREE(map);
}
return 0;
}
static int net_groupmap_delete(struct net_context *c, int argc, const char **argv)
{
DOM_SID sid;
fstring ntgroup = "";
fstring sid_string = "";
int i;
const char delete_usage_str[] = N_("net groupmap delete "
"{ntgroup=<string>|sid=<SID>}");
if (c->display_usage) {
d_printf("%s\n%s\n", _("Usage:\n"), delete_usage_str);
return 0;
}
/* get the options */
for ( i=0; i<argc; i++ ) {
if ( !StrnCaseCmp(argv[i], "ntgroup", strlen("ntgroup")) ) {
fstrcpy( ntgroup, get_string_param( argv[i] ) );
if ( !ntgroup[0] ) {
d_fprintf(stderr, _("must supply a name\n"));
return -1;
}
}
else if ( !StrnCaseCmp(argv[i], "sid", strlen("sid")) ) {
fstrcpy( sid_string, get_string_param( argv[i] ) );
if ( !sid_string[0] ) {
d_fprintf(stderr, _("must supply a SID\n"));
return -1;
}
}
else {
d_fprintf(stderr, _("Bad option: %s\n"), argv[i]);
return -1;
}
}
if ( !ntgroup[0] && !sid_string[0]) {
d_printf("%s\n%s\n", _("Usage:\n"), delete_usage_str);
return -1;
}
/* give preference to the SID if we have that */
if ( sid_string[0] )
fstrcpy( ntgroup, sid_string );
if ( !get_sid_from_input(&sid, ntgroup) ) {
d_fprintf(stderr, _("Unable to resolve group %s to a SID\n"),
ntgroup);
return -1;
}
if ( !NT_STATUS_IS_OK(pdb_delete_group_mapping_entry(sid)) ) {
d_fprintf(stderr,
_("Failed to remove group %s from the mapping db!\n"),
ntgroup);
return -1;
}
d_printf(_("Sucessfully removed %s from the mapping db\n"), ntgroup);
return 0;
}
static int net_groupmap_modify(struct net_context *c, int argc, const char **argv)
{
DOM_SID sid;
GROUP_MAP map;
fstring ntcomment = "";
fstring type = "";
fstring ntgroup = "";
fstring unixgrp = "";
fstring sid_string = "";
enum lsa_SidType sid_type = SID_NAME_UNKNOWN;
int i;
gid_t gid;
const char modify_usage_str[] = N_("net groupmap modify "
"{ntgroup=<string>|sid=<SID>} "
"[comment=<string>] "
"[unixgroup=<string>] "
"[type=<domain|local>]");
if (c->display_usage) {
d_printf("%s\n%s\n", _("Usage:\n"), modify_usage_str);
return 0;
}
/* get the options */
for ( i=0; i<argc; i++ ) {
if ( !StrnCaseCmp(argv[i], "ntgroup", strlen("ntgroup")) ) {
fstrcpy( ntgroup, get_string_param( argv[i] ) );
if ( !ntgroup[0] ) {
d_fprintf(stderr, _("must supply a name\n"));
return -1;
}
}
else if ( !StrnCaseCmp(argv[i], "sid", strlen("sid")) ) {
fstrcpy( sid_string, get_string_param( argv[i] ) );
if ( !sid_string[0] ) {
d_fprintf(stderr, _("must supply a name\n"));
return -1;
}
}
else if ( !StrnCaseCmp(argv[i], "comment", strlen("comment")) ) {
fstrcpy( ntcomment, get_string_param( argv[i] ) );
if ( !ntcomment[0] ) {
d_fprintf(stderr,
_("must supply a comment string\n"));
return -1;
}
}
else if ( !StrnCaseCmp(argv[i], "unixgroup", strlen("unixgroup")) ) {
fstrcpy( unixgrp, get_string_param( argv[i] ) );
if ( !unixgrp[0] ) {
d_fprintf(stderr,
_("must supply a group name\n"));
return -1;
}
}
else if ( !StrnCaseCmp(argv[i], "type", strlen("type")) ) {
fstrcpy( type, get_string_param( argv[i] ) );
switch ( type[0] ) {
case 'd':
case 'D':
sid_type = SID_NAME_DOM_GRP;
break;
case 'l':
case 'L':
sid_type = SID_NAME_ALIAS;
break;
}
}
else {
d_fprintf(stderr, _("Bad option: %s\n"), argv[i]);
return -1;
}
}
if ( !ntgroup[0] && !sid_string[0] ) {
d_printf("%s\n%s\n", _("Usage:\n"), modify_usage_str);
return -1;
}
/* give preference to the SID; if both the ntgroup name and SID
are defined, use the SID and assume that the group name could be a
new name */
if ( sid_string[0] ) {
if (!get_sid_from_input(&sid, sid_string)) {
return -1;
}
}
else {
if (!get_sid_from_input(&sid, ntgroup)) {
return -1;
}
}
/* Get the current mapping from the database */
if(!pdb_getgrsid(&map, sid)) {
d_fprintf(stderr,
_("Failed to find local group SID in the database\n"));
return -1;
}
/*
* Allow changing of group type only between domain and local
* We disallow changing Builtin groups !!! (SID problem)
*/
if (sid_type == SID_NAME_UNKNOWN) {
d_fprintf(stderr, _("Can't map to an unknown group type.\n"));
return -1;
}
if (map.sid_name_use == SID_NAME_WKN_GRP) {
d_fprintf(stderr,
_("You can only change between domain and local "
"groups.\n"));
return -1;
}
map.sid_name_use=sid_type;
/* Change comment if new one */
if ( ntcomment[0] )
fstrcpy( map.comment, ntcomment );
if ( ntgroup[0] )
fstrcpy( map.nt_name, ntgroup );
if ( unixgrp[0] ) {
gid = nametogid( unixgrp );
if ( gid == -1 ) {
d_fprintf(stderr, _("Unable to lookup UNIX group %s. "
"Make sure the group exists.\n"),
unixgrp);
return -1;
}
map.gid = gid;
}
if ( !NT_STATUS_IS_OK(pdb_update_group_mapping_entry(&map)) ) {
d_fprintf(stderr, _("Could not update group database\n"));
return -1;
}
d_printf(_("Updated mapping entry for %s\n"), map.nt_name);
return 0;
}
static int net_groupmap_add(struct net_context *c, int argc, const char **argv)
{
DOM_SID sid;
fstring ntgroup = "";
fstring unixgrp = "";
fstring string_sid = "";
fstring type = "";
fstring ntcomment = "";
enum lsa_SidType sid_type = SID_NAME_DOM_GRP;
uint32 rid = 0;
gid_t gid;
int i;
GROUP_MAP map;
const char *name_type;
const char add_usage_str[] = N_("net groupmap add "
"{rid=<int>|sid=<string>}"
" unixgroup=<string> "
"[type=<domain|local|builtin>] "
"[ntgroup=<string>] "
"[comment=<string>]");
ZERO_STRUCT(map);
/* Default is domain group. */
map.sid_name_use = SID_NAME_DOM_GRP;
name_type = "domain group";
if (c->display_usage) {
d_printf("%s\n%s\n", _("Usage:\n"), add_usage_str);
return 0;
}
/* get the options */
for ( i=0; i<argc; i++ ) {
if ( !StrnCaseCmp(argv[i], "rid", strlen("rid")) ) {
rid = get_int_param(argv[i]);
if ( rid < DOMAIN_GROUP_RID_ADMINS ) {
d_fprintf(stderr,
_("RID must be greater than %d\n"),
(uint32)DOMAIN_GROUP_RID_ADMINS-1);
return -1;
}
}
else if ( !StrnCaseCmp(argv[i], "unixgroup", strlen("unixgroup")) ) {
fstrcpy( unixgrp, get_string_param( argv[i] ) );
if ( !unixgrp[0] ) {
d_fprintf(stderr,_( "must supply a name\n"));
return -1;
}
}
else if ( !StrnCaseCmp(argv[i], "ntgroup", strlen("ntgroup")) ) {
fstrcpy( ntgroup, get_string_param( argv[i] ) );
if ( !ntgroup[0] ) {
d_fprintf(stderr, _("must supply a name\n"));
return -1;
}
}
else if ( !StrnCaseCmp(argv[i], "sid", strlen("sid")) ) {
fstrcpy( string_sid, get_string_param( argv[i] ) );
if ( !string_sid[0] ) {
d_fprintf(stderr, _("must supply a SID\n"));
return -1;
}
}
else if ( !StrnCaseCmp(argv[i], "comment", strlen("comment")) ) {
fstrcpy( ntcomment, get_string_param( argv[i] ) );
if ( !ntcomment[0] ) {
d_fprintf(stderr,
_("must supply a comment string\n"));
return -1;
}
}
else if ( !StrnCaseCmp(argv[i], "type", strlen("type")) ) {
fstrcpy( type, get_string_param( argv[i] ) );
switch ( type[0] ) {
case 'b':
case 'B':
sid_type = SID_NAME_WKN_GRP;
name_type = "wellknown group";
break;
case 'd':
case 'D':
sid_type = SID_NAME_DOM_GRP;
name_type = "domain group";
break;
case 'l':
case 'L':
sid_type = SID_NAME_ALIAS;
name_type = "alias (local) group";
break;
default:
d_fprintf(stderr,
_("unknown group type %s\n"),
type);
return -1;
}
}
else {
d_fprintf(stderr, _("Bad option: %s\n"), argv[i]);
return -1;
}
}
if ( !unixgrp[0] ) {
d_printf("%s\n%s\n", _("Usage:\n"), add_usage_str);
return -1;
}
if ( (gid = nametogid(unixgrp)) == (gid_t)-1 ) {
d_fprintf(stderr, _("Can't lookup UNIX group %s\n"), unixgrp);
return -1;
}
{
if (pdb_getgrgid(&map, gid)) {
d_printf(_("Unix group %s already mapped to SID %s\n"),
unixgrp, sid_string_tos(&map.sid));
return -1;
}
}
if ( (rid == 0) && (string_sid[0] == '\0') ) {
d_printf(_("No rid or sid specified, choosing a RID\n"));
if (pdb_capabilities() & PDB_CAP_STORE_RIDS) {
if (!pdb_new_rid(&rid)) {
d_printf(_("Could not get new RID\n"));
}
} else {
rid = algorithmic_pdb_gid_to_group_rid(gid);
}
d_printf(_("Got RID %d\n"), rid);
}
/* append the rid to our own domain/machine SID if we don't have a full SID */
if ( !string_sid[0] ) {
sid_compose(&sid, get_global_sam_sid(), rid);
sid_to_fstring(string_sid, &sid);
}
if (!ntcomment[0]) {
switch (sid_type) {
case SID_NAME_WKN_GRP:
fstrcpy(ntcomment, "Wellknown Unix group");
break;
case SID_NAME_DOM_GRP:
fstrcpy(ntcomment, "Domain Unix group");
break;
case SID_NAME_ALIAS:
fstrcpy(ntcomment, "Local Unix group");
break;
default:
fstrcpy(ntcomment, "Unix group");
break;
}
}
if (!ntgroup[0] )
fstrcpy( ntgroup, unixgrp );
if (!NT_STATUS_IS_OK(add_initial_entry(gid, string_sid, sid_type, ntgroup, ntcomment))) {
d_fprintf(stderr, _("adding entry for group %s failed!\n"), ntgroup);
return -1;
}
d_printf(_("Successfully added group %s to the mapping db as a %s\n"),
ntgroup, name_type);
return 0;
}
static void parse_samsync_partial_replication_objects(TALLOC_CTX *mem_ctx,
int argc,
const char **argv,
bool *do_single_object_replication,
struct samsync_object **objects,
uint32_t *num_objects)
{
int i;
if (argc > 0) {
*do_single_object_replication = true;
}
for (i=0; i<argc; i++) {
struct samsync_object o;
ZERO_STRUCT(o);
if (!StrnCaseCmp(argv[i], "user_rid=", strlen("user_rid="))) {
o.object_identifier.rid = get_int_param(argv[i]);
o.object_type = NETR_DELTA_USER;
o.database_id = SAM_DATABASE_DOMAIN;
}
if (!StrnCaseCmp(argv[i], "group_rid=", strlen("group_rid="))) {
o.object_identifier.rid = get_int_param(argv[i]);
o.object_type = NETR_DELTA_GROUP;
o.database_id = SAM_DATABASE_DOMAIN;
}
if (!StrnCaseCmp(argv[i], "group_member_rid=", strlen("group_member_rid="))) {
o.object_identifier.rid = get_int_param(argv[i]);
o.object_type = NETR_DELTA_GROUP_MEMBER;
o.database_id = SAM_DATABASE_DOMAIN;
}
if (!StrnCaseCmp(argv[i], "alias_rid=", strlen("alias_rid="))) {
o.object_identifier.rid = get_int_param(argv[i]);
o.object_type = NETR_DELTA_ALIAS;
o.database_id = SAM_DATABASE_BUILTIN;
}
if (!StrnCaseCmp(argv[i], "alias_member_rid=", strlen("alias_member_rid="))) {
o.object_identifier.rid = get_int_param(argv[i]);
o.object_type = NETR_DELTA_ALIAS_MEMBER;
o.database_id = SAM_DATABASE_BUILTIN;
}
if (!StrnCaseCmp(argv[i], "account_sid=", strlen("account_sid="))) {
const char *sid_str = get_string_param(argv[i]);
string_to_sid(&o.object_identifier.sid, sid_str);
o.object_type = NETR_DELTA_ACCOUNT;
o.database_id = SAM_DATABASE_PRIVS;
}
if (!StrnCaseCmp(argv[i], "policy_sid=", strlen("policy_sid="))) {
const char *sid_str = get_string_param(argv[i]);
string_to_sid(&o.object_identifier.sid, sid_str);
o.object_type = NETR_DELTA_POLICY;
o.database_id = SAM_DATABASE_PRIVS;
}
if (!StrnCaseCmp(argv[i], "trustdom_sid=", strlen("trustdom_sid="))) {
const char *sid_str = get_string_param(argv[i]);
string_to_sid(&o.object_identifier.sid, sid_str);
o.object_type = NETR_DELTA_TRUSTED_DOMAIN;
o.database_id = SAM_DATABASE_PRIVS;
}
if (!StrnCaseCmp(argv[i], "secret_name=", strlen("secret_name="))) {
o.object_identifier.name = get_string_param(argv[i]);
o.object_type = NETR_DELTA_SECRET;
o.database_id = SAM_DATABASE_PRIVS;
}
if (o.object_type > 0) {
ADD_TO_ARRAY(mem_ctx, struct samsync_object, o,
objects, num_objects);
}
}
}
char *alloc_sub_basic(const char *smb_name, const char *str)
{
char *b, *p, *s, *r, *a_string;
fstring pidstr;
struct passwd *pass;
const char *local_machine_name = get_local_machine_name();
/* workaround to prevent a crash while looking at bug #687 */
if (!str) {
DEBUG(0,("alloc_sub_basic: NULL source string! This should not happen\n"));
return NULL;
}
a_string = SMB_STRDUP(str);
if (a_string == NULL) {
DEBUG(0, ("alloc_sub_specified: Out of memory!\n"));
return NULL;
}
for (b = s = a_string; (p = strchr_m(s, '%')); s = a_string + (p - b)) {
r = NULL;
b = a_string;
switch (*(p+1)) {
case 'U' :
r = strdup_lower(smb_name);
if (r == NULL) {
goto error;
}
a_string = realloc_string_sub(a_string, "%U", r);
break;
case 'G' :
r = SMB_STRDUP(smb_name);
if (r == NULL) {
goto error;
}
if ((pass = Get_Pwnam(r))!=NULL) {
a_string = realloc_string_sub(a_string, "%G", gidtoname(pass->pw_gid));
}
break;
case 'D' :
r = strdup_upper(current_user_info.domain);
if (r == NULL) {
goto error;
}
a_string = realloc_string_sub(a_string, "%D", r);
break;
case 'I' :
a_string = realloc_string_sub(a_string, "%I", client_addr());
break;
case 'i':
a_string = realloc_string_sub( a_string, "%i", client_socket_addr() );
break;
case 'L' :
if ( StrnCaseCmp(p, "%LOGONSERVER%", strlen("%LOGONSERVER%")) == 0 ) {
break;
}
if (local_machine_name && *local_machine_name) {
a_string = realloc_string_sub(a_string, "%L", local_machine_name);
} else {
a_string = realloc_string_sub(a_string, "%L", global_myname());
}
break;
case 'N':
a_string = realloc_string_sub(a_string, "%N", automount_server(smb_name));
break;
case 'M' :
a_string = realloc_string_sub(a_string, "%M", client_name());
break;
case 'R' :
a_string = realloc_string_sub(a_string, "%R", remote_proto);
break;
case 'T' :
a_string = realloc_string_sub(a_string, "%T", timestring(False));
break;
case 'a' :
a_string = realloc_string_sub(a_string, "%a", remote_arch);
break;
case 'd' :
slprintf(pidstr,sizeof(pidstr)-1, "%d",(int)sys_getpid());
a_string = realloc_string_sub(a_string, "%d", pidstr);
break;
case 'h' :
a_string = realloc_string_sub(a_string, "%h", myhostname());
break;
case 'm' :
a_string = realloc_string_sub(a_string, "%m", remote_machine);
break;
case 'v' :
a_string = realloc_string_sub(a_string, "%v", SAMBA_VERSION_STRING);
break;
case 'w' :
a_string = realloc_string_sub(a_string, "%w", lp_winbind_separator());
break;
case '$' :
a_string = realloc_expand_env_var(a_string, p); /* Expand environment variables */
break;
case '(':
a_string = realloc_expand_longvar( a_string, p );
break;
default:
break;
}
p++;
SAFE_FREE(r);
if ( !a_string ) {
return NULL;
}
}
return a_string;
error:
SAFE_FREE(a_string);
return NULL;
}
