Exemple #1
0
NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info,
				struct netr_SamInfo6 *sam6)
{
	struct pdb_domain_info *dominfo;
	struct netr_SamInfo3 *info3;

	if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
		DEBUG(10,("Not adding validation info level 6 "
			   "without ADS passdb backend\n"));
		return NT_STATUS_INVALID_INFO_CLASS;
	}

	dominfo = pdb_get_domain_info(sam6);
	if (dominfo == NULL) {
		return NT_STATUS_NO_MEMORY;
	}

	info3 = copy_netr_SamInfo3(sam6, server_info->info3);
	if (!info3) {
		return NT_STATUS_NO_MEMORY;
	}

	if (server_info->session_key.length) {
		memcpy(info3->base.key.key,
		       server_info->session_key.data,
		       MIN(sizeof(info3->base.key.key),
			   server_info->session_key.length));
	}
	if (server_info->lm_session_key.length) {
		memcpy(info3->base.LMSessKey.key,
		       server_info->lm_session_key.data,
		       MIN(sizeof(info3->base.LMSessKey.key),
			   server_info->lm_session_key.length));
	}

	sam6->base = info3->base;

	sam6->sidcount		= 0;
	sam6->sids		= NULL;

	sam6->dns_domainname.string = talloc_strdup(sam6, dominfo->dns_domain);
	if (sam6->dns_domainname.string == NULL) {
		return NT_STATUS_NO_MEMORY;
	}

	sam6->principal_name.string = talloc_asprintf(
		sam6, "%s@%s", sam6->base.account_name.string,
		sam6->dns_domainname.string);
	if (sam6->principal_name.string == NULL) {
		return NT_STATUS_NO_MEMORY;
	}

	return NT_STATUS_OK;
}
bool secrets_fetch_domain_guid(const char *domain, struct GUID *guid)
{
	struct GUID *dyn_guid;
	fstring key;
	size_t size = 0;
	struct GUID new_guid;

#if _SAMBA_BUILD_ == 4
	if (strequal(domain, get_global_sam_name()) &&
	    (pdb_capabilities() & PDB_CAP_ADS)) {
		struct pdb_domain_info *domain_info;
		domain_info = pdb_get_domain_info(talloc_tos());
		if (!domain_info) {
			/* If we have a ADS-capable passdb backend, we
			 * must never make up our own SID, it will
			 * already be in the directory */
			DEBUG(0, ("Unable to fetch a Domain GUID from the directory!\n"));
			return false;
		}

		*guid = domain_info->guid;
		return true;
	}
#endif

	slprintf(key, sizeof(key)-1, "%s/%s", SECRETS_DOMAIN_GUID, domain);
	strupper_m(key);
	dyn_guid = (struct GUID *)secrets_fetch(key, &size);

	if (!dyn_guid) {
		if (lp_server_role() == ROLE_DOMAIN_PDC) {
			new_guid = GUID_random();
			if (!secrets_store_domain_guid(domain, &new_guid))
				return False;
			dyn_guid = (struct GUID *)secrets_fetch(key, &size);
		}
		if (dyn_guid == NULL) {
			return False;
		}
	}

	if (size != sizeof(struct GUID)) {
		DEBUG(1,("UUID size %d is wrong!\n", (int)size));
		SAFE_FREE(dyn_guid);
		return False;
	}

	*guid = *dyn_guid;
	SAFE_FREE(dyn_guid);
	return True;
}
bool secrets_store_domain_guid(const char *domain, struct GUID *guid)
{
	fstring key;

#if _SAMBA_BUILD_ == 4
	if (strequal(domain, get_global_sam_name()) &&
	    (pdb_capabilities() & PDB_CAP_ADS)) {
		/* If we have a ADS-capable passdb backend, we
		 * must never make up our own GUID, it will
		 * already be in the directory */
		DEBUG(0, ("Refusing to store a Domain GUID, this should be read from the directory not stored here\n"));
		return false;
	}
#endif

	slprintf(key, sizeof(key)-1, "%s/%s", SECRETS_DOMAIN_GUID, domain);
	strupper_m(key);
	return secrets_store(key, guid, sizeof(struct GUID));
}
bool secrets_store_domain_sid(const char *domain, const struct dom_sid  *sid)
{
	bool ret;

#if _SAMBA_BUILD_ == 4
	if (strequal(domain, get_global_sam_name()) &&
	    (pdb_capabilities() & PDB_CAP_ADS)) {
		/* If we have a ADS-capable passdb backend, we
		 * must never make up our own SID, it will
		 * already be in the directory */
		DEBUG(0, ("Refusing to store a Domain SID, this should be read from the directory not stored here\n"));
		return false;
	}
#endif

	ret = secrets_store(domain_sid_keystr(domain), sid, sizeof(struct dom_sid ));

	/* Force a re-query, in case we modified our domain */
	if (ret)
		reset_global_sam_sid();
	return ret;
}
bool secrets_fetch_domain_sid(const char *domain, struct dom_sid  *sid)
{
	struct dom_sid  *dyn_sid;
	size_t size = 0;

#if _SAMBA_BUILD_ == 4
	if (strequal(domain, get_global_sam_name()) &&
	    (pdb_capabilities() & PDB_CAP_ADS)) {
		struct pdb_domain_info *domain_info;
		domain_info = pdb_get_domain_info(talloc_tos());
		if (!domain_info) {
			/* If we have a ADS-capable passdb backend, we
			 * must never make up our own SID, it will
			 * already be in the directory */
			DEBUG(0, ("Unable to fetch a Domain SID from the directory!\n"));
			return false;
		}

		*sid = domain_info->sid;
		return true;
	}
#endif

	dyn_sid = (struct dom_sid  *)secrets_fetch(domain_sid_keystr(domain), &size);

	if (dyn_sid == NULL)
		return False;

	if (size != sizeof(struct dom_sid)) {
		SAFE_FREE(dyn_sid);
		return False;
	}

	*sid = *dyn_sid;
	SAFE_FREE(dyn_sid);
	return True;
}
Exemple #6
0
static int net_groupmap_set(struct net_context *c, int argc, const char **argv)
{
	const char *ntgroup = NULL;
	struct group *grp = NULL;
	GROUP_MAP *map;
	bool have_map = false;

	if ((argc < 1) || (argc > 2) || c->display_usage) {
		d_printf("%s\n%s",
			 _("Usage:"),
			 _(" net groupmap set \"NT Group\" "
			   "[\"unix group\"] [-C \"comment\"] [-L] [-D]\n"));
		return -1;
	}

	if ( c->opt_localgroup && c->opt_domaingroup ) {
		d_printf(_("Can only specify -L or -D, not both\n"));
		return -1;
	}

	ntgroup = argv[0];

	if (argc == 2) {
		grp = getgrnam(argv[1]);

		if (grp == NULL) {
			d_fprintf(stderr, _("Could not find unix group %s\n"),
				  argv[1]);
			return -1;
		}
	}

	map = talloc_zero(NULL, GROUP_MAP);
	if (!map) {
		d_printf(_("Out of memory!\n"));
		return -1;
	}

	have_map = pdb_getgrnam(map, ntgroup);

	if (!have_map) {
		struct dom_sid sid;
		have_map = ( (strncmp(ntgroup, "S-", 2) == 0) &&
			     string_to_sid(&sid, ntgroup) &&
			     pdb_getgrsid(map, sid) );
	}

	if (!have_map) {

		/* Ok, add it */

		if (grp == NULL) {
			d_fprintf(stderr,
				  _("Could not find group mapping for %s\n"),
				  ntgroup);
			TALLOC_FREE(map);
			return -1;
		}

		map->gid = grp->gr_gid;

		if (c->opt_rid == 0) {
			if ( pdb_capabilities() & PDB_CAP_STORE_RIDS ) {
				if ( !pdb_new_rid((uint32*)&c->opt_rid) ) {
					d_fprintf( stderr,
					    _("Could not allocate new RID\n"));
					TALLOC_FREE(map);
					return -1;
				}
			} else {
				c->opt_rid = algorithmic_pdb_gid_to_group_rid(map->gid);
			}
		}

		sid_compose(&map->sid, get_global_sam_sid(), c->opt_rid);

		map->sid_name_use = SID_NAME_DOM_GRP;
		map->nt_name = talloc_strdup(map, ntgroup);
		map->comment = talloc_strdup(map, "");
		if (!map->nt_name || !map->comment) {
			d_printf(_("Out of memory!\n"));
			TALLOC_FREE(map);
			return -1;
		}

		if (!NT_STATUS_IS_OK(pdb_add_group_mapping_entry(map))) {
			d_fprintf(stderr,
				  _("Could not add mapping entry for %s\n"),
				  ntgroup);
			TALLOC_FREE(map);
			return -1;
		}
	}

	/* Now we have a mapping entry, update that stuff */

	if ( c->opt_localgroup || c->opt_domaingroup ) {
		if (map->sid_name_use == SID_NAME_WKN_GRP) {
			d_fprintf(stderr,
				  _("Can't change type of the BUILTIN "
				    "group %s\n"),
				  map->nt_name);
			TALLOC_FREE(map);
			return -1;
		}
	}

	if (c->opt_localgroup)
		map->sid_name_use = SID_NAME_ALIAS;

	if (c->opt_domaingroup)
		map->sid_name_use = SID_NAME_DOM_GRP;

	/* The case (opt_domaingroup && opt_localgroup) was tested for above */

	if ((c->opt_comment != NULL) && (strlen(c->opt_comment) > 0)) {
		map->comment = talloc_strdup(map, c->opt_comment);
		if (!map->comment) {
			d_printf(_("Out of memory!\n"));
			TALLOC_FREE(map);
			return -1;
		}
	}

	if ((c->opt_newntname != NULL) && (strlen(c->opt_newntname) > 0)) {
		map->nt_name = talloc_strdup(map, c->opt_newntname);
		if (!map->nt_name) {
			d_printf(_("Out of memory!\n"));
			TALLOC_FREE(map);
			return -1;
		}
	}

	if (grp != NULL)
		map->gid = grp->gr_gid;

	if (!NT_STATUS_IS_OK(pdb_update_group_mapping_entry(map))) {
		d_fprintf(stderr, _("Could not update group mapping for %s\n"),
			  ntgroup);
		TALLOC_FREE(map);
		return -1;
	}

	TALLOC_FREE(map);
	return 0;
}
Exemple #7
0
static int net_groupmap_add(struct net_context *c, int argc, const char **argv)
{
	struct dom_sid sid;
	fstring ntgroup = "";
	fstring unixgrp = "";
	fstring string_sid = "";
	fstring type = "";
	fstring ntcomment = "";
	enum lsa_SidType sid_type = SID_NAME_DOM_GRP;
	uint32 rid = 0;
	gid_t gid;
	int i;
	GROUP_MAP *map;

	const char *name_type;
	const char add_usage_str[] = N_("net groupmap add "
					"{rid=<int>|sid=<string>}"
					" unixgroup=<string> "
					"[type=<domain|local|builtin>] "
					"[ntgroup=<string>] "
					"[comment=<string>]");

	name_type = "domain group";

	if (c->display_usage) {
		d_printf("%s\n%s\n", _("Usage:\n"), add_usage_str);
		return 0;
	}

	/* get the options */
	for ( i=0; i<argc; i++ ) {
		if ( !strncasecmp_m(argv[i], "rid", strlen("rid")) ) {
			rid = get_int_param(argv[i]);
			if ( rid < DOMAIN_RID_ADMINS ) {
				d_fprintf(stderr,
					  _("RID must be greater than %d\n"),
					  (uint32)DOMAIN_RID_ADMINS-1);
				return -1;
			}
		}
		else if ( !strncasecmp_m(argv[i], "unixgroup", strlen("unixgroup")) ) {
			fstrcpy( unixgrp, get_string_param( argv[i] ) );
			if ( !unixgrp[0] ) {
				d_fprintf(stderr,_( "must supply a name\n"));
				return -1;
			}
		}
		else if ( !strncasecmp_m(argv[i], "ntgroup", strlen("ntgroup")) ) {
			fstrcpy( ntgroup, get_string_param( argv[i] ) );
			if ( !ntgroup[0] ) {
				d_fprintf(stderr, _("must supply a name\n"));
				return -1;
			}
		}
		else if ( !strncasecmp_m(argv[i], "sid", strlen("sid")) ) {
			fstrcpy( string_sid, get_string_param( argv[i] ) );
			if ( !string_sid[0] ) {
				d_fprintf(stderr, _("must supply a SID\n"));
				return -1;
			}
		}
		else if ( !strncasecmp_m(argv[i], "comment", strlen("comment")) ) {
			fstrcpy( ntcomment, get_string_param( argv[i] ) );
			if ( !ntcomment[0] ) {
				d_fprintf(stderr,
					  _("must supply a comment string\n"));
				return -1;
			}
		}
		else if ( !strncasecmp_m(argv[i], "type", strlen("type")) )  {
			fstrcpy( type, get_string_param( argv[i] ) );
			switch ( type[0] ) {
				case 'b':
				case 'B':
					sid_type = SID_NAME_WKN_GRP;
					name_type = "wellknown group";
					break;
				case 'd':
				case 'D':
					sid_type = SID_NAME_DOM_GRP;
					name_type = "domain group";
					break;
				case 'l':
				case 'L':
					sid_type = SID_NAME_ALIAS;
					name_type = "alias (local) group";
					break;
				default:
					d_fprintf(stderr,
						  _("unknown group type %s\n"),
						  type);
					return -1;
			}
		}
		else {
			d_fprintf(stderr, _("Bad option: %s\n"), argv[i]);
			return -1;
		}
	}

	if ( !unixgrp[0] ) {
		d_printf("%s\n%s\n", _("Usage:\n"), add_usage_str);
		return -1;
	}

	if ( (gid = nametogid(unixgrp)) == (gid_t)-1 ) {
		d_fprintf(stderr, _("Can't lookup UNIX group %s\n"), unixgrp);
		return -1;
	}

	map = talloc_zero(NULL, GROUP_MAP);
	if (!map) {
		return -1;
	}
	/* Default is domain group. */
	map->sid_name_use = SID_NAME_DOM_GRP;
	if (pdb_getgrgid(map, gid)) {
		d_printf(_("Unix group %s already mapped to SID %s\n"),
			 unixgrp, sid_string_tos(&map->sid));
		TALLOC_FREE(map);
		return -1;
	}
	TALLOC_FREE(map);

	if ( (rid == 0) && (string_sid[0] == '\0') ) {
		d_printf(_("No rid or sid specified, choosing a RID\n"));
		if (pdb_capabilities() & PDB_CAP_STORE_RIDS) {
			if (!pdb_new_rid(&rid)) {
				d_printf(_("Could not get new RID\n"));
			}
		} else {
			rid = algorithmic_pdb_gid_to_group_rid(gid);
		}
		d_printf(_("Got RID %d\n"), rid);
	}

	/* append the rid to our own domain/machine SID if we don't have a full SID */
	if ( !string_sid[0] ) {
		sid_compose(&sid, get_global_sam_sid(), rid);
		sid_to_fstring(string_sid, &sid);
	}

	if (!ntcomment[0]) {
		switch (sid_type) {
		case SID_NAME_WKN_GRP:
			fstrcpy(ntcomment, "Wellknown Unix group");
			break;
		case SID_NAME_DOM_GRP:
			fstrcpy(ntcomment, "Domain Unix group");
			break;
		case SID_NAME_ALIAS:
			fstrcpy(ntcomment, "Local Unix group");
			break;
		default:
			fstrcpy(ntcomment, "Unix group");
			break;
		}
	}

	if (!ntgroup[0] )
		strlcpy(ntgroup, unixgrp, sizeof(ntgroup));

	if (!NT_STATUS_IS_OK(add_initial_entry(gid, string_sid, sid_type, ntgroup, ntcomment))) {
		d_fprintf(stderr, _("adding entry for group %s failed!\n"), ntgroup);
		return -1;
	}

	d_printf(_("Successfully added group %s to the mapping db as a %s\n"),
		 ntgroup, name_type);
	return 0;
}