static char winbind_separator(void)
{
struct winbindd_response response;
static BOOL got_sep;
static char sep;
if (got_sep)
return sep;
ZERO_STRUCT(response);
/* Send off request */
if (winbindd_request_response(WINBINDD_INFO, NULL, &response) !=
NSS_STATUS_SUCCESS) {
d_printf("could not obtain winbind separator!\n");
return *lp_winbind_separator();
}
sep = response.data.info.winbind_separator;
got_sep = True;
if (!sep) {
d_printf("winbind separator was NULL!\n");
return *lp_winbind_separator();
}
return sep;
}
static int do_global_checks(struct loadparm_context *lp_ctx)
{
int ret = 0;
if (!directory_exist(lp_lockdir(lp_ctx))) {
fprintf(stderr, "ERROR: lock directory %s does not exist\n",
lp_lockdir(lp_ctx));
ret = 1;
}
if (!directory_exist(lp_piddir(lp_ctx))) {
fprintf(stderr, "ERROR: pid directory %s does not exist\n",
lp_piddir(lp_ctx));
ret = 1;
}
if (strlen(lp_winbind_separator(lp_ctx)) != 1) {
fprintf(stderr,"ERROR: the 'winbind separator' parameter must be a single character.\n");
ret = 1;
}
if (*lp_winbind_separator(lp_ctx) == '+') {
fprintf(stderr,"'winbind separator = +' might cause problems with group membership.\n");
}
return ret;
}
static char winbind_separator_int(bool strict)
{
struct wbcInterfaceDetails *details;
static bool got_sep;
static char sep;
if (got_sep)
return sep;
details = init_interface_details();
if (!details) {
d_fprintf(stderr, "could not obtain winbind separator!\n");
if (strict) {
return 0;
}
/* HACK: (this module should not call lp_ funtions) */
return *lp_winbind_separator();
}
sep = details->winbind_separator;
got_sep = true;
if (!sep) {
d_fprintf(stderr, "winbind separator was NULL!\n");
if (strict) {
return 0;
}
/* HACK: (this module should not call lp_ funtions) */
sep = *lp_winbind_separator();
}
return sep;
}
bool lookup_name_smbconf(TALLOC_CTX *mem_ctx,
const char *full_name, int flags,
const char **ret_domain, const char **ret_name,
DOM_SID *ret_sid, enum lsa_SidType *ret_type)
{
char *qualified_name;
const char *p;
/* NB. No winbindd_separator here as lookup_name needs \\' */
if ((p = strchr_m(full_name, *lp_winbind_separator())) != NULL) {
/* The name is already qualified with a domain. */
if (*lp_winbind_separator() != '\\') {
char *tmp;
/* lookup_name() needs '\\' as a separator */
tmp = talloc_strdup(mem_ctx, full_name);
if (!tmp) {
return false;
}
tmp[p - full_name] = '\\';
full_name = tmp;
}
return lookup_name(mem_ctx, full_name, flags,
ret_domain, ret_name,
ret_sid, ret_type);
}
/* Try with our own SAM name. */
qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
get_global_sam_name(),
full_name );
if (!qualified_name) {
return false;
}
if (lookup_name(mem_ctx, qualified_name, flags,
ret_domain, ret_name,
ret_sid, ret_type)) {
return true;
}
/* Finally try with "Unix Users" or "Unix Group" */
qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
flags & LOOKUP_NAME_GROUP ?
unix_groups_domain_name() :
unix_users_domain_name(),
full_name );
if (!qualified_name) {
return false;
}
return lookup_name(mem_ctx, qualified_name, flags,
ret_domain, ret_name,
ret_sid, ret_type);
}
/* convert a SID to a string, either numeric or username/group */
static void SidToString(fstring str, struct dom_sid *sid, bool _numeric)
{
char **domains = NULL;
char **names = NULL;
enum lsa_SidType *types = NULL;
sid_to_fstring(str, sid);
if (_numeric) return;
/* Ask LSA to convert the sid to a name */
if (!cli_open_policy_hnd() ||
!NT_STATUS_IS_OK(rpccli_lsa_lookup_sids(global_pipe_hnd, talloc_tos(),
&pol, 1, sid, &domains,
&names, &types)) ||
!domains || !domains[0] || !names || !names[0]) {
return;
}
/* Converted OK */
slprintf(str, sizeof(fstring) - 1, "%s%s%s",
domains[0], lp_winbind_separator(),
names[0]);
}
struct sys_userlist *get_users_in_group(const char *gname)
{
struct sys_userlist *list_head = NULL;
struct group *gptr;
/*
* If we're doing this via winbindd, don't do the
* entire group list enumeration as we know this is
* pointless (and slow).
*/
if (strchr(gname,*lp_winbind_separator())) {
if ((gptr = (struct group *)getgrnam(gname)) == NULL)
return NULL;
return add_members_to_userlist(list_head, gptr);
}
#if !defined(BROKEN_GETGRNAM)
if ((gptr = (struct group *)getgrnam(gname)) == NULL)
return NULL;
return add_members_to_userlist(list_head, gptr);
#else
setgrent();
while((gptr = getgrent()) != NULL) {
if (strequal(gname, gptr->gr_name)) {
list_head = add_members_to_userlist(list_head, gptr);
if (list_head == NULL)
return NULL;
}
}
endgrent();
return list_head;
#endif
}
/* convert a SID to a string, either numeric or username/group */
static void SidToString(fstring str, DOM_SID *sid)
{
char **domains = NULL;
char **names = NULL;
uint32 *types = NULL;
sid_to_string(str, sid);
if (numeric) return;
if (strcmp(str, "S-1-1-0") == 0) {
fstrcpy(str, "everyone");
return;
}
/* Ask LSA to convert the sid to a name */
if (!cacls_open_policy_hnd() ||
!NT_STATUS_IS_OK(cli_lsa_lookup_sids(&lsa_cli, lsa_cli.mem_ctx,
&pol, 1, sid, &domains,
&names, &types)) ||
!domains || !domains[0] || !names || !names[0]) {
return;
}
/* Converted OK */
slprintf(str, sizeof(fstring) - 1, "%s%s%s",
domains[0], lp_winbind_separator(),
names[0]);
}
/* convert a SID to a string, either numeric or username/group */
static void SidToString(fstring str, DOM_SID *sid, BOOL _numeric)
{
char **domains = NULL;
char **names = NULL;
uint32 *types = NULL;
sid_to_string(str, sid);
if (_numeric) return;
/* Ask LSA to convert the sid to a name */
if (!cli_open_policy_hnd() ||
!NT_STATUS_IS_OK(cli_lsa_lookup_sids(cli_ipc, cli_ipc->mem_ctx,
&pol, 1, sid, &domains,
&names, &types)) ||
!domains || !domains[0] || !names || !names[0]) {
return;
}
/* Converted OK */
slprintf(str, sizeof(fstring) - 1, "%s%s%s",
domains[0], lp_winbind_separator(),
names[0]);
}
/**
* @brief Get the auth user settings
*/
static int net_getauthuser(struct net_context *c, int argc, const char **argv)
{
char *user, *domain, *password;
/* Lift data from secrets file */
secrets_fetch_ipc_userpass(&user, &domain, &password);
if ((!user || !*user) && (!domain || !*domain ) &&
(!password || !*password)){
SAFE_FREE(user);
SAFE_FREE(domain);
SAFE_FREE(password);
d_printf(_("No authorised user configured\n"));
return 0;
}
/* Pretty print authorised user info */
d_printf("%s%s%s%s%s\n", domain ? domain : "",
domain ? lp_winbind_separator(): "", user,
password ? "%" : "", password ? password : "");
SAFE_FREE(user);
SAFE_FREE(domain);
SAFE_FREE(password);
return 0;
}
int sys_getgrouplist(const char *user, gid_t gid, gid_t *groups, int *grpcnt)
{
char *p;
int retval;
DEBUG(10,("sys_getgrouplist: user [%s]\n", user));
/* see if we should disable winbindd lookups for local users */
if ( (p = strchr(user, *lp_winbind_separator())) == NULL ) {
if ( !winbind_off() )
DEBUG(0,("sys_getgroup_list: Insufficient environment space for %s\n",
WINBINDD_DONT_ENV));
else
DEBUG(10,("sys_getgrouplist(): disabled winbindd for group lookup [user == %s]\n",
user));
}
#ifdef HAVE_GETGROUPLIST
retval = getgrouplist(user, gid, groups, grpcnt);
#else
become_root();
retval = getgrouplist_internals(user, gid, groups, grpcnt);
unbecome_root();
#endif
/* allow winbindd lookups */
winbind_on();
return retval;
}
static NTSTATUS local_pw_check(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key)
{
NTSTATUS nt_status;
uint8 lm_pw[16], nt_pw[16];
nt_lm_owf_gen (opt_password, nt_pw, lm_pw);
nt_status = ntlm_password_check(ntlmssp_state->mem_ctx,
&ntlmssp_state->chal,
&ntlmssp_state->lm_resp,
&ntlmssp_state->nt_resp,
NULL, NULL,
ntlmssp_state->user,
ntlmssp_state->user,
ntlmssp_state->domain,
lm_pw, nt_pw, user_session_key, lm_session_key);
if (NT_STATUS_IS_OK(nt_status)) {
ntlmssp_state->auth_context = talloc_asprintf(ntlmssp_state->mem_ctx,
"%s%c%s", ntlmssp_state->domain,
*lp_winbind_separator(),
ntlmssp_state->user);
} else {
DEBUG(3, ("Login for user [%s]\\[%s]@[%s] failed due to [%s]\n",
ntlmssp_state->domain, ntlmssp_state->user, ntlmssp_state->workstation,
nt_errstr(nt_status)));
ntlmssp_state->auth_context = NULL;
}
return nt_status;
}
int add_home_service(const char *service, const char *username, const char *homedir)
{
int iHomeService;
if (!service || !homedir || homedir[0] == '\0')
return -1;
if ((iHomeService = lp_servicenumber(HOMES_NAME)) < 0)
return -1;
/*
* If this is a winbindd provided username, remove
* the domain component before adding the service.
* Log a warning if the "path=" parameter does not
* include any macros.
*/
{
const char *p = strchr(service,*lp_winbind_separator());
/* We only want the 'user' part of the string */
if (p) {
service = p + 1;
}
}
if (!lp_add_home(service, iHomeService, username, homedir)) {
return -1;
}
return lp_servicenumber(service);
}
void split_domain_name(const char *fullname, char *domain, char *name)
{
pstring full_name;
const char *sep;
char *p;
sep = lp_winbind_separator();
*domain = *name = '\0';
if (fullname[0] == sep[0] || fullname[0] == '\\')
fullname++;
pstrcpy(full_name, fullname);
p = strchr_m(full_name+1, '\\');
if (!p) p = strchr_m(full_name+1, sep[0]);
if (p != NULL) {
*p = 0;
fstrcpy(domain, full_name);
fstrcpy(name, p+1);
} else {
fstrcpy(domain, get_global_sam_name());
fstrcpy(name, full_name);
}
DEBUG(10,("split_domain_name:name '%s' split into domain :'%s' and user :'******'\n",
fullname, domain, name));
}
static PyObject *py_sid_to_name(PyObject *self, PyObject *args)
{
struct winbindd_request request;
struct winbindd_response response;
PyObject *result;
char *sid, *name;
if (!PyArg_ParseTuple(args, "s", &sid))
return NULL;
ZERO_STRUCT(request);
ZERO_STRUCT(response);
fstrcpy(request.data.sid, sid);
if (winbindd_request(WINBINDD_LOOKUPSID, &request, &response)
!= NSS_STATUS_SUCCESS) {
PyErr_SetString(winbind_error, "lookup failed");
return NULL;
}
asprintf(&name, "%s%s%s", response.data.name.dom_name,
lp_winbind_separator(), response.data.name.name);
result = PyString_FromString(name);
free(name);
return result;
}
static void wbinfo_get_auth_user(void)
{
char *user, *domain, *password;
/* Lift data from secrets file */
secrets_fetch_ipc_userpass(&user, &domain, &password);
if ((!user || !*user) && (!domain || !*domain ) && (!password || !*password)){
SAFE_FREE(user);
SAFE_FREE(domain);
SAFE_FREE(password);
d_printf("No authorised user configured\n");
return;
}
/* Pretty print authorised user info */
d_printf("%s%s%s%s%s\n", domain ? domain : "", domain ? lp_winbind_separator(): "",
user, password ? "%" : "", password ? password : "");
SAFE_FREE(user);
SAFE_FREE(domain);
SAFE_FREE(password);
}
/**
* Look up the SID for a qualified name.
**/
enum winbindd_result winbindd_lookupname(struct winbindd_cli_state *state)
{
enum SID_NAME_USE type;
fstring sid_str;
char *name_domain, *name_user;
DOM_SID sid;
struct winbindd_domain *domain;
char *p;
/* Ensure null termination */
state->request.data.sid[sizeof(state->request.data.name.dom_name)-1]='\0';
/* Ensure null termination */
state->request.data.sid[sizeof(state->request.data.name.name)-1]='\0';
/* cope with the name being a fully qualified name */
p = strstr(state->request.data.name.name, lp_winbind_separator());
if (p) {
*p = 0;
name_domain = state->request.data.name.name;
name_user = p+1;
} else {
name_domain = state->request.data.name.dom_name;
name_user = state->request.data.name.name;
}
DEBUG(3, ("[%5lu]: lookupname %s%s%s\n", (unsigned long)state->pid,
name_domain, lp_winbind_separator(), name_user));
if ((domain = find_domain_from_name(name_domain)) == NULL) {
DEBUG(0, ("could not find domain entry for domain %s\n",
name_domain));
return WINBINDD_ERROR;
}
/* Lookup name from PDC using lsa_lookup_names() */
if (!winbindd_lookup_sid_by_name(domain, name_user, &sid, &type)) {
return WINBINDD_ERROR;
}
sid_to_string(sid_str, &sid);
fstrcpy(state->response.data.sid.sid, sid_str);
state->response.data.sid.type = type;
return WINBINDD_OK;
}
NTSTATUS wbsrv_samba3_info(struct wbsrv_samba3_call *s3call)
{
s3call->response.result = WINBINDD_OK;
s3call->response.data.info.winbind_separator = *lp_winbind_separator(s3call->wbconn->lp_ctx);
WBSRV_SAMBA3_SET_STRING(s3call->response.data.info.samba_version,
SAMBA_VERSION_STRING);
return NT_STATUS_OK;
}
static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain,
const char *username, char **found_username,
struct passwd **pwd,
bool *username_was_mapped)
{
char *orig_dom_user = NULL;
char *dom_user = NULL;
char *lower_username = NULL;
char *real_username = NULL;
struct passwd *passwd;
lower_username = talloc_strdup(mem_ctx, username);
if (!lower_username) {
return NT_STATUS_NO_MEMORY;
}
if (!strlower_m( lower_username )) {
return NT_STATUS_INVALID_PARAMETER;
}
orig_dom_user = talloc_asprintf(mem_ctx,
"%s%c%s",
domain,
*lp_winbind_separator(),
lower_username);
if (!orig_dom_user) {
return NT_STATUS_NO_MEMORY;
}
/* Get the passwd struct. Try to create the account if necessary. */
*username_was_mapped = map_username(mem_ctx, orig_dom_user, &dom_user);
if (!dom_user) {
return NT_STATUS_NO_MEMORY;
}
passwd = smb_getpwnam(mem_ctx, dom_user, &real_username, true );
if (!passwd) {
DEBUG(3, ("Failed to find authenticated user %s via "
"getpwnam(), denying access.\n", dom_user));
return NT_STATUS_NO_SUCH_USER;
}
if (!real_username) {
return NT_STATUS_NO_MEMORY;
}
*pwd = passwd;
/* This is pointless -- there is no support for differing
unix and windows names. Make sure to always store the
one we actually looked up and succeeded. Have I mentioned
why I hate the 'winbind use default domain' parameter?
--jerry */
*found_username = talloc_strdup( mem_ctx, real_username );
return NT_STATUS_OK;
}
BOOL lookup_name(const char *name, DOM_SID *psid, enum SID_NAME_USE *name_type)
{
extern pstring global_myname;
extern fstring global_myworkgroup;
fstring sid;
char *sep = lp_winbind_separator();
*name_type = SID_NAME_UNKNOWN;
if (!winbind_lookup_name(NULL, name, psid, name_type) || (*name_type != SID_NAME_USER) ) {
BOOL ret = False;
DEBUG(10, ("lookup_name: winbind lookup for %s failed - trying local\n", name));
/* If we are looking up a domain user, make sure it is
for the local machine only */
if (strchr(name, sep[0]) || strchr(name, '\\')) {
fstring domain, username;
split_domain_name(name, domain, username);
switch (lp_server_role()) {
case ROLE_DOMAIN_PDC:
case ROLE_DOMAIN_BDC:
if (strequal(domain, global_myworkgroup)) {
fstrcpy(domain, global_myname);
ret = local_lookup_name(domain, username, psid, name_type);
}
/* No break is deliberate here. JRA. */
default:
if (strcasecmp(global_myname, domain) != 0) {
DEBUG(5, ("lookup_name: domain %s is not local\n", domain));
ret = local_lookup_name(global_myname, username, psid, name_type);
}
}
} else {
ret = local_lookup_name(global_myname, name, psid, name_type);
}
if (ret) {
DEBUG(10,
("lookup_name: (local) %s -> SID %s (type %u)\n",
name, sid_to_string(sid,psid),
(unsigned int)*name_type ));
} else {
DEBUG(10,("lookup name: (local) %s failed.\n", name));
}
return ret;
}
DEBUG(10,("lookup_name (winbindd): %s -> SID %s (type %u)\n",
name, sid_to_string(sid, psid),
(unsigned int)*name_type));
return True;
}
enum winbindd_result winbindd_info(struct winbindd_cli_state *state)
{
DEBUG(3, ("[%5lu]: request misc info\n", (unsigned long)state->pid));
state->response.data.info.winbind_separator = *lp_winbind_separator();
fstrcpy(state->response.data.info.samba_version, SAMBA_VERSION_STRING);
return WINBINDD_OK;
}
BOOL cli_session_setup(struct cli_state *cli,
const char *user,
const char *pass, int passlen,
const char *ntpass, int ntpasslen,
const char *workgroup)
{
char *p;
fstring user2;
/* allow for workgroups as part of the username */
fstrcpy(user2, user);
if ((p=strchr(user2,'\\')) || (p=strchr(user2,'/')) || (p=strchr(user2,*lp_winbind_separator())) ) {
*p = 0;
user = p+1;
workgroup = user2;
}
if (cli->protocol < PROTOCOL_LANMAN1)
return True;
/* now work out what sort of session setup we are going to
do. I have split this into separate functions to make the
flow a bit easier to understand (tridge) */
/* if its an older server then we have to use the older request format */
if (cli->protocol < PROTOCOL_NT1) {
return cli_session_setup_lanman2(cli, user, pass, passlen);
}
/* if no user is supplied then we have to do an anonymous connection.
passwords are ignored */
if (!user || !*user) {
return cli_session_setup_guest(cli);
}
/* if the server is share level then send a plaintext null
password at this point. The password is sent in the tree
connect */
if ((cli->sec_mode & 1) == 0) {
return cli_session_setup_plaintext(cli, user, "", workgroup);
}
/* if the server doesn't support encryption then we have to use plaintext. The
second password is ignored */
if ((cli->sec_mode & 2) == 0) {
return cli_session_setup_plaintext(cli, user, pass, workgroup);
}
/* Do a NT1 style session setup */
return cli_session_setup_nt1(cli, user,
pass, passlen, ntpass, ntpasslen,
workgroup);
}
int winbind_getgroups(const char *user, gid_t **list)
{
/*
* Don't do the lookup if the name has no separator _and_ we are not in
* 'winbind use default domain' mode.
*/
if (!(strchr(user, *lp_winbind_separator()) || lp_winbind_use_default_domain()))
return -1;
/* Fetch list of groups */
return wb_getgroups(user, list);
}
static char winbind_separator_int(bool strict)
{
struct winbindd_response response;
static bool got_sep;
static char sep;
if (got_sep)
return sep;
ZERO_STRUCT(response);
/* Send off request */
if (winbindd_request_response(WINBINDD_INFO, NULL, &response) !=
NSS_STATUS_SUCCESS) {
d_fprintf(stderr, "could not obtain winbind separator!\n");
if (strict) {
return 0;
}
/* HACK: (this module should not call lp_ funtions) */
return *lp_winbind_separator(cmdline_lp_ctx);
}
sep = response.data.info.winbind_separator;
got_sep = true;
if (!sep) {
d_fprintf(stderr, "winbind separator was NULL!\n");
if (strict) {
return 0;
}
/* HACK: (this module should not call lp_ funtions) */
sep = *lp_winbind_separator(cmdline_lp_ctx);
}
return sep;
}
bool wb_samba3_split_username(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx,
const char *domuser,
char **domain, char **user)
{
char *p = strchr(domuser, *lp_winbind_separator(lp_ctx));
if (p == NULL) {
*domain = talloc_strdup(mem_ctx, lp_workgroup(lp_ctx));
} else {
*domain = talloc_strndup(mem_ctx, domuser,
PTR_DIFF(p, domuser));
domuser = p+1;
}
*user = talloc_strdup(mem_ctx, domuser);
return ((*domain != NULL) && (*user != NULL));
}
static int net_usershare_add_usage(struct net_context *c, int argc, const char **argv)
{
char chr = *lp_winbind_separator();
d_printf(_(
"net usershare add [-l|--long] <sharename> <path> [<comment>] [<acl>] [<guest_ok=[y|n]>]\n"
"\tAdds the specified share name for this user.\n"
"\t<sharename> is the new share name.\n"
"\t<path> is the path on the filesystem to export.\n"
"\t<comment> is the optional comment for the new share.\n"
"\t<acl> is an optional share acl in the format \"DOMAIN%cname:X,DOMAIN%cname:X,....\"\n"
"\t<guest_ok=y> if present sets \"guest ok = yes\" on this usershare.\n"
"\t\t\"X\" represents a permission and can be any one of the characters f, r or d\n"
"\t\twhere \"f\" means full control, \"r\" means read-only, \"d\" means deny access.\n"
"\t\tname may be a domain user or group. For local users use the local server name "
"instead of \"DOMAIN\"\n"
"\t\tThe default acl is \"Everyone:r\" which allows everyone read-only access.\n"
"\tAdd -l or --long to print the info on the newly added share.\n"),
chr, chr );
return -1;
}
static PyObject *py_config_dict(void)
{
PyObject *result;
uid_t ulow, uhi;
gid_t glow, ghi;
if (!(result = PyDict_New()))
return NULL;
/* Various string parameters */
PyDict_SetItemString(result, "workgroup",
PyString_FromString(lp_workgroup()));
PyDict_SetItemString(result, "separator",
PyString_FromString(lp_winbind_separator()));
PyDict_SetItemString(result, "template_homedir",
PyString_FromString(lp_template_homedir()));
PyDict_SetItemString(result, "template_shell",
PyString_FromString(lp_template_shell()));
/* idmap uid/gid range */
if (lp_idmap_uid(&ulow, &uhi)) {
PyDict_SetItemString(result, "uid_low", PyInt_FromLong(ulow));
PyDict_SetItemString(result, "uid_high", PyInt_FromLong(uhi));
}
if (lp_idmap_gid(&glow, &ghi)) {
PyDict_SetItemString(result, "gid_low", PyInt_FromLong(glow));
PyDict_SetItemString(result, "gid_high", PyInt_FromLong(ghi));
}
return result;
}
static PyObject *py_name_to_sid(PyObject *self, PyObject *args)
{
struct winbindd_request request;
struct winbindd_response response;
PyObject *result;
char *name, *p;
const char *sep;
if (!PyArg_ParseTuple(args, "s", &name))
return NULL;
ZERO_STRUCT(request);
ZERO_STRUCT(response);
sep = lp_winbind_separator();
if ((p = strchr(name, sep[0]))) {
*p = 0;
fstrcpy(request.data.name.dom_name, name);
fstrcpy(request.data.name.name, p + 1);
} else {
fstrcpy(request.data.name.dom_name, lp_workgroup());
fstrcpy(request.data.name.name, name);
}
if (winbindd_request(WINBINDD_LOOKUPNAME, &request, &response)
!= NSS_STATUS_SUCCESS) {
PyErr_SetString(winbind_error, "lookup failed");
return NULL;
}
result = PyString_FromString(response.data.sid.sid);
return result;
}
int winbind_initgroups(char *user, gid_t gid)
{
gid_t *tgr, *groups = NULL;
int result;
/* Call normal initgroups if we are a local user */
if (!strchr(user, *lp_winbind_separator())) {
return initgroups(user, gid);
}
result = wb_getgroups(user, &groups);
DEBUG(10,("winbind_getgroups: %s: result = %s\n", user,
result == -1 ? "FAIL" : "SUCCESS"));
if (result != -1) {
int ngroups = result, i;
BOOL is_member = False;
/* Check to see if the passed gid is already in the list */
for (i = 0; i < ngroups; i++) {
if (groups[i] == gid) {
is_member = True;
}
}
/* Add group to list if necessary */
if (!is_member) {
tgr = (gid_t *)Realloc(groups, sizeof(gid_t) * ngroups + 1);
if (!tgr) {
errno = ENOMEM;
result = -1;
goto done;
}
else groups = tgr;
groups[ngroups] = gid;
ngroups++;
}
/* Set the groups */
if (sys_setgroups(ngroups, groups) == -1) {
errno = EPERM;
result = -1;
goto done;
}
} else {
/* The call failed. Set errno to something so we don't get
a bogus value from the last failed system call. */
errno = EIO;
}
/* Free response data if necessary */
done:
SAFE_FREE(groups);
return result;
}
struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, const char *domuser,
char **p_save_username, bool create )
{
struct passwd *pw = NULL;
char *p = NULL;
char *username = NULL;
/* we only save a copy of the username it has been mangled
by winbindd use default domain */
*p_save_username = NULL;
/* don't call map_username() here since it has to be done higher
up the stack so we don't call it multiple times */
username = talloc_strdup(mem_ctx, domuser);
if (!username) {
return NULL;
}
p = strchr_m( username, *lp_winbind_separator() );
/* code for a DOMAIN\user string */
if ( p ) {
pw = Get_Pwnam_alloc( mem_ctx, domuser );
if ( pw ) {
/* make sure we get the case of the username correct */
/* work around 'winbind use default domain = yes' */
if ( lp_winbind_use_default_domain() &&
!strchr_m( pw->pw_name, *lp_winbind_separator() ) ) {
char *domain;
/* split the domain and username into 2 strings */
*p = '\0';
domain = username;
*p_save_username = talloc_asprintf(mem_ctx,
"%s%c%s",
domain,
*lp_winbind_separator(),
pw->pw_name);
if (!*p_save_username) {
TALLOC_FREE(pw);
return NULL;
}
} else {
*p_save_username = talloc_strdup(mem_ctx, pw->pw_name);
}
/* whew -- done! */
return pw;
}
/* setup for lookup of just the username */
/* remember that p and username are overlapping memory */
p++;
username = talloc_strdup(mem_ctx, p);
if (!username) {
return NULL;
}
}
/* just lookup a plain username */
pw = Get_Pwnam_alloc(mem_ctx, username);
/* Create local user if requested but only if winbindd
is not running. We need to protect against cases
where winbindd is failing and then prematurely
creating users in /etc/passwd */
if ( !pw && create && !winbind_ping() ) {
/* Don't add a machine account. */
if (username[strlen(username)-1] == '$')
return NULL;
_smb_create_user(NULL, username, NULL);
pw = Get_Pwnam_alloc(mem_ctx, username);
}
/* one last check for a valid passwd struct */
if (pw) {
*p_save_username = talloc_strdup(mem_ctx, pw->pw_name);
}
return pw;
}
static struct dom_usr *get_domain_userlist(TALLOC_CTX *mem_ctx)
{
struct sessionid *session_list = NULL;
char *machine_name, *p, *nm;
const char *sep;
struct dom_usr *users, *tmp;
int i, num_users, num_sessions;
sep = lp_winbind_separator();
if (!sep) {
sep = "\\";
}
num_sessions = list_sessions(mem_ctx, &session_list);
if (num_sessions == 0) {
errno = 0;
return NULL;
}
users = talloc_array(mem_ctx, struct dom_usr, num_sessions);
if (users == NULL) {
TALLOC_FREE(session_list);
return NULL;
}
for (i=num_users=0; i<num_sessions; i++) {
if (!session_list[i].username
|| !session_list[i].remote_machine) {
continue;
}
p = strpbrk(session_list[i].remote_machine, "./");
if (p) {
*p = '\0';
}
machine_name = talloc_asprintf_strupper_m(
users, "%s", session_list[i].remote_machine);
if (machine_name == NULL) {
DEBUG(10, ("talloc_asprintf failed\n"));
continue;
}
if (strcmp(machine_name, lp_netbios_name()) == 0) {
p = session_list[i].username;
nm = strstr(p, sep);
if (nm) {
/*
* "domain+name" format so split domain and
* name components
*/
*nm = '\0';
nm += strlen(sep);
users[num_users].domain =
talloc_asprintf_strupper_m(users,
"%s", p);
users[num_users].name = talloc_strdup(users,
nm);
} else {
/*
* Simple user name so get domain from smb.conf
*/
users[num_users].domain =
talloc_strdup(users, lp_workgroup());
users[num_users].name = talloc_strdup(users,
p);
}
users[num_users].login_time =
session_list[i].connect_start;
num_users++;
}
TALLOC_FREE(machine_name);
}
TALLOC_FREE(session_list);
tmp = talloc_realloc(mem_ctx, users, struct dom_usr, num_users);
if (tmp == NULL) {
return NULL;
}
users = tmp;
/* Sort the user list by time, oldest first */
TYPESAFE_QSORT(users, num_users, dom_user_cmp);
errno = 0;
return users;
}
