/**
* check whether this is an object-sid that should
* be treated by the passdb, e.g. for id-mapping.
*/
bool sid_check_object_is_for_passdb(const struct dom_sid *sid)
{
if (sid_check_is_in_our_sam(sid) && pdb_is_responsible_for_our_sam()) {
return true;
}
if (sid_check_is_in_builtin(sid) && pdb_is_responsible_for_builtin()) {
return true;
}
if (sid_check_is_in_wellknown_domain(sid) &&
pdb_is_responsible_for_wellknown())
{
return true;
}
if (sid_check_is_in_unix_users(sid) &&
pdb_is_responsible_for_unix_users())
{
return true;
}
if (sid_check_is_in_unix_groups(sid) &&
pdb_is_responsible_for_unix_groups())
{
return true;
}
if (pdb_is_responsible_for_everything_else())
{
return true;
}
return false;
}
NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
struct samu *samu,
const char *login_server,
struct netr_SamInfo3 **_info3,
struct extra_auth_info *extra)
{
struct netr_SamInfo3 *info3;
const struct dom_sid *user_sid;
const struct dom_sid *group_sid;
struct dom_sid domain_sid;
struct dom_sid *group_sids;
uint32_t num_group_sids = 0;
const char *tmp;
gid_t *gids;
NTSTATUS status;
bool ok;
user_sid = pdb_get_user_sid(samu);
group_sid = pdb_get_group_sid(samu);
if (!user_sid || !group_sid) {
DEBUG(1, ("Sam account is missing sids!\n"));
return NT_STATUS_UNSUCCESSFUL;
}
info3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
if (!info3) {
return NT_STATUS_NO_MEMORY;
}
ZERO_STRUCT(domain_sid);
/* check if this is a "Unix Users" domain user,
* we need to handle it in a special way if that's the case */
if (sid_check_is_in_unix_users(user_sid)) {
/* in info3 you can only set rids for the user and the
* primary group, and the domain sid must be that of
* the sam domain.
*
* Store a completely bogus value here.
* The real SID is stored in the extra sids.
* Other code will know to look there if (-1) is found
*/
info3->base.rid = (uint32_t)(-1);
sid_copy(&extra->user_sid, user_sid);
DEBUG(10, ("Unix User found in struct samu. Rid marked as "
"special and sid (%s) saved as extra sid\n",
sid_string_dbg(user_sid)));
} else {
sid_copy(&domain_sid, user_sid);
sid_split_rid(&domain_sid, &info3->base.rid);
}
if (is_null_sid(&domain_sid)) {
sid_copy(&domain_sid, get_global_sam_sid());
}
/* check if this is a "Unix Groups" domain group,
* if so we need special handling */
if (sid_check_is_in_unix_groups(group_sid)) {
/* in info3 you can only set rids for the user and the
* primary group, and the domain sid must be that of
* the sam domain.
*
* Store a completely bogus value here.
* The real SID is stored in the extra sids.
* Other code will know to look there if (-1) is found
*/
info3->base.primary_gid = (uint32_t)(-1);
sid_copy(&extra->pgid_sid, group_sid);
DEBUG(10, ("Unix Group found in struct samu. Rid marked as "
"special and sid (%s) saved as extra sid\n",
sid_string_dbg(group_sid)));
} else {
ok = sid_peek_check_rid(&domain_sid, group_sid,
&info3->base.primary_gid);
if (!ok) {
DEBUG(1, ("The primary group domain sid(%s) does not "
"match the domain sid(%s) for %s(%s)\n",
sid_string_dbg(group_sid),
sid_string_dbg(&domain_sid),
pdb_get_username(samu),
sid_string_dbg(user_sid)));
TALLOC_FREE(info3);
return NT_STATUS_UNSUCCESSFUL;
}
}
unix_to_nt_time(&info3->base.last_logon, pdb_get_logon_time(samu));
unix_to_nt_time(&info3->base.last_logoff, get_time_t_max());
unix_to_nt_time(&info3->base.acct_expiry, get_time_t_max());
unix_to_nt_time(&info3->base.last_password_change,
pdb_get_pass_last_set_time(samu));
unix_to_nt_time(&info3->base.allow_password_change,
pdb_get_pass_can_change_time(samu));
unix_to_nt_time(&info3->base.force_password_change,
pdb_get_pass_must_change_time(samu));
tmp = pdb_get_username(samu);
if (tmp) {
info3->base.account_name.string = talloc_strdup(info3, tmp);
RET_NOMEM(info3->base.account_name.string);
}
tmp = pdb_get_fullname(samu);
if (tmp) {
info3->base.full_name.string = talloc_strdup(info3, tmp);
RET_NOMEM(info3->base.full_name.string);
}
tmp = pdb_get_logon_script(samu);
if (tmp) {
info3->base.logon_script.string = talloc_strdup(info3, tmp);
RET_NOMEM(info3->base.logon_script.string);
}
tmp = pdb_get_profile_path(samu);
if (tmp) {
info3->base.profile_path.string = talloc_strdup(info3, tmp);
RET_NOMEM(info3->base.profile_path.string);
}
tmp = pdb_get_homedir(samu);
if (tmp) {
info3->base.home_directory.string = talloc_strdup(info3, tmp);
RET_NOMEM(info3->base.home_directory.string);
}
tmp = pdb_get_dir_drive(samu);
if (tmp) {
info3->base.home_drive.string = talloc_strdup(info3, tmp);
RET_NOMEM(info3->base.home_drive.string);
}
info3->base.logon_count = pdb_get_logon_count(samu);
info3->base.bad_password_count = pdb_get_bad_password_count(samu);
info3->base.domain.string = talloc_strdup(info3,
pdb_get_domain(samu));
RET_NOMEM(info3->base.domain.string);
info3->base.domain_sid = dom_sid_dup(info3, &domain_sid);
RET_NOMEM(info3->base.domain_sid);
status = pdb_enum_group_memberships(mem_ctx, samu,
&group_sids, &gids,
&num_group_sids);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to get groups from sam account.\n"));
TALLOC_FREE(info3);
return status;
}
if (num_group_sids) {
status = group_sids_to_info3(info3, group_sids, num_group_sids);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(info3);
return status;
}
}
/* We don't need sids and gids after the conversion */
TALLOC_FREE(group_sids);
TALLOC_FREE(gids);
num_group_sids = 0;
/* FIXME: should we add other flags ? */
info3->base.user_flags = NETLOGON_EXTRA_SIDS;
if (login_server) {
info3->base.logon_server.string = talloc_strdup(info3, login_server);
RET_NOMEM(info3->base.logon_server.string);
}
info3->base.acct_flags = pdb_get_acct_ctrl(samu);
*_info3 = info3;
return NT_STATUS_OK;
}
/* convert a domain SID to a user or group name */
static NTSTATUS sam_sid_to_name(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
const struct dom_sid *sid,
char **pdomain_name,
char **pname,
enum lsa_SidType *ptype)
{
struct rpc_pipe_client *lsa_pipe;
struct policy_handle lsa_policy;
char *domain_name = NULL;
char *name = NULL;
enum lsa_SidType type;
TALLOC_CTX *tmp_ctx;
NTSTATUS status, result;
struct dcerpc_binding_handle *b = NULL;
DEBUG(3,("sam_sid_to_name\n"));
ZERO_STRUCT(lsa_policy);
/* Paranoia check */
if (!sid_check_is_in_builtin(sid) &&
!sid_check_is_in_our_domain(sid) &&
!sid_check_is_in_unix_users(sid) &&
!sid_check_is_unix_users(sid) &&
!sid_check_is_in_unix_groups(sid) &&
!sid_check_is_unix_groups(sid) &&
!sid_check_is_in_wellknown_domain(sid)) {
DEBUG(0, ("sam_sid_to_name: possible deadlock - trying to "
"lookup SID %s\n", sid_string_dbg(sid)));
return NT_STATUS_NONE_MAPPED;
}
tmp_ctx = talloc_stackframe();
if (tmp_ctx == NULL) {
return NT_STATUS_NO_MEMORY;
}
status = open_internal_lsa_conn(tmp_ctx, &lsa_pipe, &lsa_policy);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
b = lsa_pipe->binding_handle;
status = rpc_sid_to_name(tmp_ctx,
lsa_pipe,
&lsa_policy,
domain,
sid,
&domain_name,
&name,
&type);
if (ptype) {
*ptype = type;
}
if (pname) {
*pname = talloc_move(mem_ctx, &name);
}
if (pdomain_name) {
*pdomain_name = talloc_move(mem_ctx, &domain_name);
}
done:
if (b && is_valid_policy_hnd(&lsa_policy)) {
dcerpc_lsa_Close(b, mem_ctx, &lsa_policy, &result);
}
TALLOC_FREE(tmp_ctx);
return status;
}
NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
const char *unix_username,
const struct passwd *pwd,
struct netr_SamInfo3 **pinfo3,
struct extra_auth_info *extra)
{
struct netr_SamInfo3 *info3;
NTSTATUS status;
TALLOC_CTX *tmp_ctx;
const char *domain_name = NULL;
const char *user_name = NULL;
struct dom_sid domain_sid;
struct dom_sid user_sid;
struct dom_sid group_sid;
enum lsa_SidType type;
uint32_t num_sids = 0;
struct dom_sid *user_sids = NULL;
bool is_null;
bool ok;
tmp_ctx = talloc_stackframe();
ok = lookup_name_smbconf(tmp_ctx,
unix_username,
LOOKUP_NAME_ALL,
&domain_name,
&user_name,
&user_sid,
&type);
if (!ok) {
status = NT_STATUS_NO_SUCH_USER;
goto done;
}
if (type != SID_NAME_USER) {
status = NT_STATUS_NO_SUCH_USER;
goto done;
}
ok = winbind_lookup_usersids(tmp_ctx,
&user_sid,
&num_sids,
&user_sids);
/* Check if winbind is running */
if (ok) {
/*
* Winbind is running and the first element of the user_sids
* is the primary group.
*/
if (num_sids > 0) {
group_sid = user_sids[0];
}
} else {
/*
* Winbind is not running, try to create the group_sid from the
* passwd group id.
*/
/*
* This can lead to a primary group of S-1-22-2-XX which
* will be rejected by other Samba code.
*/
gid_to_sid(&group_sid, pwd->pw_gid);
}
/*
* If we are a unix group, or a wellknown/builtin alias,
* set the group_sid to the
* 'Domain Users' RID of 513 which will always resolve to a
* name.
*/
if (sid_check_is_in_unix_groups(&group_sid) ||
sid_check_is_in_builtin(&group_sid) ||
sid_check_is_in_wellknown_domain(&group_sid)) {
if (sid_check_is_in_unix_users(&user_sid)) {
sid_compose(&group_sid,
get_global_sam_sid(),
DOMAIN_RID_USERS);
} else {
sid_copy(&domain_sid, &user_sid);
sid_split_rid(&domain_sid, NULL);
sid_compose(&group_sid,
&domain_sid,
DOMAIN_RID_USERS);
}
}
/* Make sure we have a valid group sid */
is_null = is_null_sid(&group_sid);
if (is_null) {
status = NT_STATUS_NO_SUCH_USER;
goto done;
}
/* Construct a netr_SamInfo3 from the information we have */
info3 = talloc_zero(tmp_ctx, struct netr_SamInfo3);
if (!info3) {
status = NT_STATUS_NO_MEMORY;
goto done;
}
info3->base.account_name.string = talloc_strdup(info3, unix_username);
if (info3->base.account_name.string == NULL) {
status = NT_STATUS_NO_MEMORY;
goto done;
}
ZERO_STRUCT(domain_sid);
status = SamInfo3_handle_sids(unix_username,
&user_sid,
&group_sid,
info3,
&domain_sid,
extra);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
info3->base.domain_sid = dom_sid_dup(info3, &domain_sid);
if (info3->base.domain_sid == NULL) {
status = NT_STATUS_NO_MEMORY;
goto done;
}
ok = sid_peek_check_rid(&domain_sid, &group_sid,
&info3->base.primary_gid);
if (!ok) {
DEBUG(1, ("The primary group domain sid(%s) does not "
"match the domain sid(%s) for %s(%s)\n",
sid_string_dbg(&group_sid),
sid_string_dbg(&domain_sid),
unix_username,
sid_string_dbg(&user_sid)));
status = NT_STATUS_INVALID_SID;
goto done;
}
info3->base.acct_flags = ACB_NORMAL;
if (num_sids) {
status = group_sids_to_info3(info3, user_sids, num_sids);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
}
*pinfo3 = talloc_steal(mem_ctx, info3);
status = NT_STATUS_OK;
done:
talloc_free(tmp_ctx);
return status;
}
static NTSTATUS SamInfo3_handle_sids(const char *username,
const struct dom_sid *user_sid,
const struct dom_sid *group_sid,
struct netr_SamInfo3 *info3,
struct dom_sid *domain_sid,
struct extra_auth_info *extra)
{
if (sid_check_is_in_unix_users(user_sid)) {
/* in info3 you can only set rids for the user and the
* primary group, and the domain sid must be that of
* the sam domain.
*
* Store a completely bogus value here.
* The real SID is stored in the extra sids.
* Other code will know to look there if (-1) is found
*/
info3->base.rid = (uint32_t)(-1);
sid_copy(&extra->user_sid, user_sid);
DEBUG(10, ("Unix User found. Rid marked as "
"special and sid (%s) saved as extra sid\n",
sid_string_dbg(user_sid)));
} else {
sid_copy(domain_sid, user_sid);
sid_split_rid(domain_sid, &info3->base.rid);
}
if (is_null_sid(domain_sid)) {
sid_copy(domain_sid, get_global_sam_sid());
}
/* check if this is a "Unix Groups" domain group,
* if so we need special handling */
if (sid_check_is_in_unix_groups(group_sid)) {
/* in info3 you can only set rids for the user and the
* primary group, and the domain sid must be that of
* the sam domain.
*
* Store a completely bogus value here.
* The real SID is stored in the extra sids.
* Other code will know to look there if (-1) is found
*/
info3->base.primary_gid = (uint32_t)(-1);
sid_copy(&extra->pgid_sid, group_sid);
DEBUG(10, ("Unix Group found. Rid marked as "
"special and sid (%s) saved as extra sid\n",
sid_string_dbg(group_sid)));
} else {
bool ok = sid_peek_check_rid(domain_sid, group_sid,
&info3->base.primary_gid);
if (!ok) {
DEBUG(1, ("The primary group domain sid(%s) does not "
"match the domain sid(%s) for %s(%s)\n",
sid_string_dbg(group_sid),
sid_string_dbg(domain_sid),
username,
sid_string_dbg(user_sid)));
return NT_STATUS_INVALID_SID;
}
}
return NT_STATUS_OK;
}
NTSTATUS idmap_cache_set(struct idmap_cache_ctx *cache, const struct id_map *id)
{
NTSTATUS ret;
time_t timeout = time(NULL) + lp_idmap_cache_time();
TDB_DATA keybuf, databuf;
char *sidkey;
char *idkey;
char *valstr;
/* Don't cache lookups in the S-1-22-{1,2} domain */
if ( (id->xid.type == ID_TYPE_UID) &&
sid_check_is_in_unix_users(id->sid) )
{
return NT_STATUS_OK;
}
if ( (id->xid.type == ID_TYPE_GID) &&
sid_check_is_in_unix_groups(id->sid) )
{
return NT_STATUS_OK;
}
ret = idmap_cache_build_sidkey(cache, &sidkey, id);
if (!NT_STATUS_IS_OK(ret)) return ret;
/* use sidkey as the local memory ctx */
ret = idmap_cache_build_idkey(sidkey, &idkey, id);
if (!NT_STATUS_IS_OK(ret)) {
goto done;
}
/* save SID -> ID */
/* use sidkey as the local memory ctx */
valstr = talloc_asprintf(sidkey, IDMAP_CACHE_DATA_FMT, (int)timeout, idkey);
if (!valstr) {
DEBUG(0, ("Out of memory!\n"));
ret = NT_STATUS_NO_MEMORY;
goto done;
}
keybuf.dptr = sidkey;
keybuf.dsize = strlen(sidkey)+1;
databuf.dptr = valstr;
databuf.dsize = strlen(valstr)+1;
DEBUG(10, ("Adding cache entry with key = %s; value = %s and timeout ="
" %s (%d seconds %s)\n", keybuf.dptr, valstr , ctime(&timeout),
(int)(timeout - time(NULL)),
timeout > time(NULL) ? "ahead" : "in the past"));
if (tdb_store(cache->tdb, keybuf, databuf, TDB_REPLACE) != 0) {
DEBUG(3, ("Failed to store cache entry!\n"));
ret = NT_STATUS_UNSUCCESSFUL;
goto done;
}
/* save ID -> SID */
/* use sidkey as the local memory ctx */
valstr = talloc_asprintf(sidkey, IDMAP_CACHE_DATA_FMT, (int)timeout, sidkey);
if (!valstr) {
DEBUG(0, ("Out of memory!\n"));
ret = NT_STATUS_NO_MEMORY;
goto done;
}
keybuf.dptr = idkey;
keybuf.dsize = strlen(idkey)+1;
databuf.dptr = valstr;
databuf.dsize = strlen(valstr)+1;
DEBUG(10, ("Adding cache entry with key = %s; value = %s and timeout ="
" %s (%d seconds %s)\n", keybuf.dptr, valstr, ctime(&timeout),
(int)(timeout - time(NULL)),
timeout > time(NULL) ? "ahead" : "in the past"));
if (tdb_store(cache->tdb, keybuf, databuf, TDB_REPLACE) != 0) {
DEBUG(3, ("Failed to store cache entry!\n"));
ret = NT_STATUS_UNSUCCESSFUL;
goto done;
}
ret = NT_STATUS_OK;
done:
talloc_free(sidkey);
return ret;
}
