/******************************************************************* gets a domain user's groups from their already-calculated NT_USER_TOKEN ********************************************************************/ NTSTATUS nt_token_to_group_list(TALLOC_CTX *mem_ctx, const DOM_SID *domain_sid, const NT_USER_TOKEN *nt_token, int *numgroups, DOM_GID **pgids) { DOM_GID *gids; int i; gids = (DOM_GID *)talloc(mem_ctx, sizeof(*gids) * nt_token->num_sids); if (!gids) { return NT_STATUS_NO_MEMORY; } *numgroups=0; for (i=PRIMARY_GROUP_SID_INDEX; i < nt_token->num_sids; i++) { if (sid_compare_domain(domain_sid, &nt_token->user_sids[i])==0) { sid_peek_rid(&nt_token->user_sids[i], &(gids[*numgroups].g_rid)); gids[*numgroups].attr=7; (*numgroups)++; } } *pgids = gids; return NT_STATUS_OK; }
bool sid_peek_check_rid(const DOM_SID *exp_dom_sid, const DOM_SID *sid, uint32 *rid) { if (!exp_dom_sid || !sid || !rid) return False; if (sid->num_auths != (exp_dom_sid->num_auths+1)) { return False; } if (sid_compare_domain(exp_dom_sid, sid)!=0){ *rid=(-1); return False; } return sid_peek_rid(sid, rid); }
/**************************************************************************** These need to be redirected through pdb_interface.c ****************************************************************************/ bool pdb_get_dom_grp_info(const DOM_SID *sid, struct acct_info *info) { GROUP_MAP map; bool res; become_root(); res = get_domain_group_from_sid(*sid, &map); unbecome_root(); if (!res) return False; fstrcpy(info->acct_name, map.nt_name); fstrcpy(info->acct_desc, map.comment); sid_peek_rid(sid, &info->rid); return True; }
NTSTATUS pdb_default_get_aliasinfo(struct pdb_methods *methods, const DOM_SID *sid, struct acct_info *info) { GROUP_MAP map; if (!pdb_getgrsid(&map, *sid)) return NT_STATUS_NO_SUCH_ALIAS; if ((map.sid_name_use != SID_NAME_ALIAS) && (map.sid_name_use != SID_NAME_WKN_GRP)) { DEBUG(2, ("%s is a %s, expected an alias\n", sid_string_dbg(sid), sid_type_lookup(map.sid_name_use))); return NT_STATUS_NO_SUCH_ALIAS; } fstrcpy(info->acct_name, map.nt_name); fstrcpy(info->acct_desc, map.comment); sid_peek_rid(&map.sid, &info->rid); return NT_STATUS_OK; }
/******************************************************************* gets a domain user's groups ********************************************************************/ NTSTATUS get_alias_user_groups(TALLOC_CTX *ctx, DOM_SID *sid, int *numgroups, uint32 **prids, DOM_SID *q_sid) { SAM_ACCOUNT *sam_pass=NULL; int i, cur_rid=0; gid_t gid; gid_t *groups = NULL; int num_groups; GROUP_MAP map; DOM_SID tmp_sid; fstring user_name; fstring str_domsid, str_qsid; uint32 rid,grid; uint32 *rids=NULL, *new_rids=NULL; gid_t winbind_gid_low, winbind_gid_high; BOOL ret; BOOL winbind_groups_exist; /* * this code is far from perfect. * first it enumerates the full /etc/group and that can be slow. * second, it works only with users' SIDs * whereas the day we support nested groups, it will have to * support both users's SIDs and domain groups' SIDs * * having our own ldap backend would be so much faster ! * we're far from that, but hope one day ;-) JFM. */ *prids=NULL; *numgroups=0; winbind_groups_exist = lp_idmap_gid(&winbind_gid_low, &winbind_gid_high); DEBUG(10,("get_alias_user_groups: looking if SID %s is a member of groups in the SID domain %s\n", sid_to_string(str_qsid, q_sid), sid_to_string(str_domsid, sid))); pdb_init_sam(&sam_pass); become_root(); ret = pdb_getsampwsid(sam_pass, q_sid); unbecome_root(); if (ret == False) { pdb_free_sam(&sam_pass); return NT_STATUS_NO_SUCH_USER; } fstrcpy(user_name, pdb_get_username(sam_pass)); grid=pdb_get_group_rid(sam_pass); if (!NT_STATUS_IS_OK(sid_to_gid(pdb_get_group_sid(sam_pass), &gid))) { /* this should never happen */ DEBUG(2,("get_alias_user_groups: sid_to_gid failed!\n")); pdb_free_sam(&sam_pass); return NT_STATUS_UNSUCCESSFUL; } become_root(); /* on some systems this must run as root */ num_groups = getgroups_user(user_name, &groups); unbecome_root(); if (num_groups == -1) { /* this should never happen */ DEBUG(2,("get_alias_user_groups: getgroups_user failed\n")); pdb_free_sam(&sam_pass); return NT_STATUS_UNSUCCESSFUL; } for (i=0;i<num_groups;i++) { if (!get_group_from_gid(groups[i], &map)) { DEBUG(10,("get_alias_user_groups: gid %d. not found\n", (int)groups[i])); continue; } /* if it's not an alias, continue */ if (map.sid_name_use != SID_NAME_ALIAS) { DEBUG(10,("get_alias_user_groups: not returing %s, not an ALIAS group.\n", map.nt_name)); continue; } sid_copy(&tmp_sid, &map.sid); sid_split_rid(&tmp_sid, &rid); /* if the sid is not in the correct domain, continue */ if (!sid_equal(&tmp_sid, sid)) { DEBUG(10,("get_alias_user_groups: not returing %s, not in the domain SID.\n", map.nt_name)); continue; } /* Don't return winbind groups as they are not local! */ if (winbind_groups_exist && (groups[i] >= winbind_gid_low) && (groups[i] <= winbind_gid_high)) { DEBUG(10,("get_alias_user_groups: not returing %s, not local.\n", map.nt_name)); continue; } /* Don't return user private groups... */ if (Get_Pwnam(map.nt_name) != 0) { DEBUG(10,("get_alias_user_groups: not returing %s, clashes with user.\n", map.nt_name)); continue; } new_rids=(uint32 *)Realloc(rids, sizeof(uint32)*(cur_rid+1)); if (new_rids==NULL) { DEBUG(10,("get_alias_user_groups: could not realloc memory\n")); pdb_free_sam(&sam_pass); free(groups); return NT_STATUS_NO_MEMORY; } rids=new_rids; sid_peek_rid(&map.sid, &(rids[cur_rid])); cur_rid++; break; } if(num_groups) free(groups); /* now check for the user's gid (the primary group rid) */ for (i=0; i<cur_rid && grid!=rids[i]; i++) ; /* the user's gid is already there */ if (i!=cur_rid) { DEBUG(10,("get_alias_user_groups: user is already in the list. good.\n")); goto done; } DEBUG(10,("get_alias_user_groups: looking for gid %d of user %s\n", (int)gid, user_name)); if(!get_group_from_gid(gid, &map)) { DEBUG(0,("get_alias_user_groups: gid of user %s doesn't exist. Check your " "/etc/passwd and /etc/group files\n", user_name)); goto done; } /* the primary group isn't an alias */ if (map.sid_name_use!=SID_NAME_ALIAS) { DEBUG(10,("get_alias_user_groups: not returing %s, not an ALIAS group.\n", map.nt_name)); goto done; } sid_copy(&tmp_sid, &map.sid); sid_split_rid(&tmp_sid, &rid); /* if the sid is not in the correct domain, continue */ if (!sid_equal(&tmp_sid, sid)) { DEBUG(10,("get_alias_user_groups: not returing %s, not in the domain SID.\n", map.nt_name)); goto done; } /* Don't return winbind groups as they are not local! */ if (winbind_groups_exist && (gid >= winbind_gid_low) && (gid <= winbind_gid_high)) { DEBUG(10,("get_alias_user_groups: not returing %s, not local.\n", map.nt_name )); goto done; } /* Don't return user private groups... */ if (Get_Pwnam(map.nt_name) != 0) { DEBUG(10,("get_alias_user_groups: not returing %s, clashes with user.\n", map.nt_name )); goto done; } new_rids=(uint32 *)Realloc(rids, sizeof(uint32)*(cur_rid+1)); if (new_rids==NULL) { DEBUG(10,("get_alias_user_groups: could not realloc memory\n")); pdb_free_sam(&sam_pass); return NT_STATUS_NO_MEMORY; } rids=new_rids; sid_peek_rid(&map.sid, &(rids[cur_rid])); cur_rid++; done: *prids=rids; *numgroups=cur_rid; pdb_free_sam(&sam_pass); return NT_STATUS_OK; }
/******************************************************************* gets a domain user's groups ********************************************************************/ BOOL get_domain_user_groups(TALLOC_CTX *ctx, int *numgroups, DOM_GID **pgids, SAM_ACCOUNT *sam_pass) { GROUP_MAP *map=NULL; int i, num, num_entries, cur_gid=0; struct group *grp; DOM_GID *gids; fstring user_name; uint32 grid; uint32 tmp_rid; BOOL ret; *numgroups= 0; fstrcpy(user_name, pdb_get_username(sam_pass)); grid=pdb_get_group_rid(sam_pass); DEBUG(10,("get_domain_user_groups: searching domain groups [%s] is a member of\n", user_name)); /* we must wrap this is become/unbecome root for ldap backends */ become_root(); /* first get the list of the domain groups */ ret = pdb_enum_group_mapping(SID_NAME_DOM_GRP, &map, &num_entries, ENUM_ONLY_MAPPED); unbecome_root(); /* end wrapper for group enumeration */ if ( !ret ) return False; DEBUG(10,("get_domain_user_groups: there are %d mapped groups\n", num_entries)); /* * alloc memory. In the worse case, we alloc memory for nothing. * but I prefer to alloc for nothing * than reallocing everytime. */ gids = (DOM_GID *)talloc(ctx, sizeof(DOM_GID) * num_entries); /* for each group, check if the user is a member of. Only include groups from this domain */ for(i=0; i<num_entries; i++) { if ( !sid_check_is_in_our_domain(&map[i].sid) ) { DEBUG(10,("get_domain_user_groups: skipping check of %s since it is not in our domain\n", map[i].nt_name)); continue; } if ((grp=sys_getgrgid(map[i].gid)) == NULL) { /* very weird !!! */ DEBUG(5,("get_domain_user_groups: gid %d doesn't exist anymore !\n", (int)map[i].gid)); continue; } for(num=0; grp->gr_mem[num]!=NULL; num++) { if(strcmp(grp->gr_mem[num], user_name)==0) { /* we found the user, add the group to the list */ sid_peek_rid(&map[i].sid, &(gids[cur_gid].g_rid)); gids[cur_gid].attr=7; DEBUG(10,("get_domain_user_groups: user found in group %s\n", map[i].nt_name)); cur_gid++; break; } } } /* we have checked the groups */ /* we must now check the gid of the user or the primary group rid, that's the same */ for (i=0; i<cur_gid && grid!=gids[i].g_rid; i++) ; /* the user's gid is already there */ if (i!=cur_gid) { /* * the primary group of the user but be the first one in the list * don't ask ! JFM. */ gids[i].g_rid=gids[0].g_rid; gids[0].g_rid=grid; goto done; } for(i=0; i<num_entries; i++) { sid_peek_rid(&map[i].sid, &tmp_rid); if (tmp_rid==grid) { /* * the primary group of the user but be the first one in the list * don't ask ! JFM. */ gids[cur_gid].g_rid=gids[0].g_rid; gids[0].g_rid=tmp_rid; gids[cur_gid].attr=7; DEBUG(10,("get_domain_user_groups: primary gid of user found in group %s\n", map[i].nt_name)); cur_gid++; goto done; /* leave the loop early */ } } DEBUG(0,("get_domain_user_groups: primary gid of user [%s] is not a Domain group !\n", user_name)); DEBUGADD(0,("get_domain_user_groups: You should fix it, NT doesn't like that\n")); done: *pgids=gids; *numgroups=cur_gid; SAFE_FREE(map); return True; }
/* find the members of a group, given a group rid and domain */ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, const struct dom_sid *group_sid, enum lsa_SidType type, uint32_t *num_names, struct dom_sid **sid_mem, char ***names, uint32_t **name_types) { ADS_STATUS rc; ADS_STRUCT *ads = NULL; char *ldap_exp; NTSTATUS status = NT_STATUS_UNSUCCESSFUL; char *sidbinstr; char **members = NULL; int i; size_t num_members = 0; ads_control args; struct dom_sid *sid_mem_nocache = NULL; char **names_nocache = NULL; enum lsa_SidType *name_types_nocache = NULL; char **domains_nocache = NULL; /* only needed for rpccli_lsa_lookup_sids */ uint32_t num_nocache = 0; TALLOC_CTX *tmp_ctx = NULL; uint32_t rid; DEBUG(10,("ads: lookup_groupmem %s sid=%s\n", domain->name, sid_string_dbg(group_sid))); *num_names = 0; tmp_ctx = talloc_new(mem_ctx); if (!tmp_ctx) { DEBUG(1, ("ads: lookup_groupmem: talloc failed\n")); status = NT_STATUS_NO_MEMORY; goto done; } if (!sid_peek_rid(group_sid, &rid)) { DEBUG(1, ("%s: sid_peek_rid failed\n", __func__)); status = NT_STATUS_INVALID_PARAMETER; goto done; } if ( !winbindd_can_contact_domain( domain ) ) { DEBUG(10,("lookup_groupmem: No incoming trust for domain %s\n", domain->name)); return NT_STATUS_OK; } ads = ads_cached_connection(domain); if (!ads) { domain->last_status = NT_STATUS_SERVER_DISABLED; goto done; } if ((sidbinstr = ldap_encode_ndr_dom_sid(talloc_tos(), group_sid)) == NULL) { status = NT_STATUS_NO_MEMORY; goto done; } /* search for all members of the group */ ldap_exp = talloc_asprintf(tmp_ctx, "(objectSid=%s)", sidbinstr); TALLOC_FREE(sidbinstr); if (ldap_exp == NULL) { DEBUG(1, ("ads: lookup_groupmem: talloc_asprintf for ldap_exp failed!\n")); status = NT_STATUS_NO_MEMORY; goto done; } args.control = ADS_EXTENDED_DN_OID; args.val = ADS_EXTENDED_DN_HEX_STRING; args.critical = True; rc = ads_ranged_search(ads, tmp_ctx, LDAP_SCOPE_SUBTREE, ads->config.bind_path, ldap_exp, &args, "member", &members, &num_members); if (!ADS_ERR_OK(rc)) { DEBUG(0,("ads_ranged_search failed with: %s\n", ads_errstr(rc))); status = NT_STATUS_UNSUCCESSFUL; goto done; } DEBUG(10, ("ads lookup_groupmem: got %d sids via extended dn call\n", (int)num_members)); status = add_primary_group_members(ads, mem_ctx, rid, &members, &num_members); if (!NT_STATUS_IS_OK(status)) { DEBUG(10, ("%s: add_primary_group_members failed: %s\n", __func__, nt_errstr(status))); goto done; } DEBUG(10, ("%s: Got %d sids after adding primary group members\n", __func__, (int)num_members)); /* Now that we have a list of sids, we need to get the * lists of names and name_types belonging to these sids. * even though conceptually not quite clean, we use the * RPC call lsa_lookup_sids for this since it can handle a * list of sids. ldap calls can just resolve one sid at a time. * * At this stage, the sids are still hidden in the exetended dn * member output format. We actually do a little better than * stated above: In extracting the sids from the member strings, * we try to resolve as many sids as possible from the * cache. Only the rest is passed to the lsa_lookup_sids call. */ if (num_members) { (*sid_mem) = talloc_zero_array(mem_ctx, struct dom_sid, num_members); (*names) = talloc_zero_array(mem_ctx, char *, num_members); (*name_types) = talloc_zero_array(mem_ctx, uint32_t, num_members); (sid_mem_nocache) = talloc_zero_array(tmp_ctx, struct dom_sid, num_members); if ((members == NULL) || (*sid_mem == NULL) || (*names == NULL) || (*name_types == NULL) || (sid_mem_nocache == NULL)) { DEBUG(1, ("ads: lookup_groupmem: talloc failed\n")); status = NT_STATUS_NO_MEMORY; goto done; } } else {
bool get_domain_group_from_sid(DOM_SID sid, GROUP_MAP *map) { struct group *grp; bool ret; if(!init_group_mapping()) { DEBUG(0,("failed to initialize group mapping\n")); return(False); } DEBUG(10, ("get_domain_group_from_sid\n")); /* if the group is NOT in the database, it CAN NOT be a domain group */ become_root(); ret = pdb_getgrsid(map, sid); unbecome_root(); /* special case check for rid 513 */ if ( !ret ) { uint32 rid; sid_peek_rid( &sid, &rid ); if ( rid == DOMAIN_GROUP_RID_USERS ) { fstrcpy( map->nt_name, "None" ); fstrcpy( map->comment, "Ordinary Users" ); sid_copy( &map->sid, &sid ); map->sid_name_use = SID_NAME_DOM_GRP; map->gid = (gid_t)-1; return True; } return False; } DEBUG(10, ("get_domain_group_from_sid: SID found in the TDB\n")); /* if it's not a domain group, continue */ if (map->sid_name_use!=SID_NAME_DOM_GRP) { return False; } DEBUG(10, ("get_domain_group_from_sid: SID is a domain group\n")); if (map->gid==-1) { return False; } DEBUG(10, ("get_domain_group_from_sid: SID is mapped to gid:%lu\n",(unsigned long)map->gid)); grp = getgrgid(map->gid); if ( !grp ) { DEBUG(10, ("get_domain_group_from_sid: gid DOESN'T exist in UNIX security\n")); return False; } DEBUG(10, ("get_domain_group_from_sid: gid exists in UNIX security\n")); return True; }