static bool is_in_internal_domain(const struct dom_sid *sid)
{
if (sid == NULL)
return False;
return (sid_check_is_in_our_sam(sid) || sid_check_is_in_builtin(sid));
}
/*
convert a domain SID to a user or group name
*/
static NTSTATUS sid_to_name(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
const DOM_SID *sid,
char **domain_name,
char **name,
enum lsa_SidType *type)
{
const char *dom, *nam;
DEBUG(10, ("Converting SID %s\n", sid_string_static(sid)));
/* Paranoia check */
if (!sid_check_is_in_builtin(sid) &&
!sid_check_is_in_our_domain(sid)) {
DEBUG(0, ("Possible deadlock: Trying to lookup SID %s with "
"passdb backend\n", sid_string_static(sid)));
return NT_STATUS_NONE_MAPPED;
}
if (!lookup_sid(mem_ctx, sid, &dom, &nam, type)) {
return NT_STATUS_NONE_MAPPED;
}
*domain_name = talloc_strdup(mem_ctx, dom);
*name = talloc_strdup(mem_ctx, nam);
return NT_STATUS_OK;
}
/**
* check whether this is an object-sid that should
* be treated by the passdb, e.g. for id-mapping.
*/
bool sid_check_object_is_for_passdb(const struct dom_sid *sid)
{
if (sid_check_is_in_our_sam(sid) && pdb_is_responsible_for_our_sam()) {
return true;
}
if (sid_check_is_in_builtin(sid) && pdb_is_responsible_for_builtin()) {
return true;
}
if (sid_check_is_in_wellknown_domain(sid) &&
pdb_is_responsible_for_wellknown())
{
return true;
}
if (sid_check_is_in_unix_users(sid) &&
pdb_is_responsible_for_unix_users())
{
return true;
}
if (sid_check_is_in_unix_groups(sid) &&
pdb_is_responsible_for_unix_groups())
{
return true;
}
if (pdb_is_responsible_for_everything_else())
{
return true;
}
return false;
}
/* Lookup groups a user is a member of. */
static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
const struct dom_sid *sid,
uint32 *p_num_groups, struct dom_sid **user_sids)
{
ADS_STRUCT *ads = NULL;
const char *attrs[] = {"tokenGroups", "primaryGroupID", NULL};
ADS_STATUS rc;
int count;
LDAPMessage *msg = NULL;
char *user_dn = NULL;
struct dom_sid *sids;
int i;
struct dom_sid primary_group;
uint32 primary_group_rid;
NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
uint32_t num_groups = 0;
DEBUG(3,("ads: lookup_usergroups\n"));
*p_num_groups = 0;
status = lookup_usergroups_cached(domain, mem_ctx, sid,
p_num_groups, user_sids);
if (NT_STATUS_IS_OK(status)) {
return NT_STATUS_OK;
}
if ( !winbindd_can_contact_domain( domain ) ) {
DEBUG(10,("lookup_usergroups: No incoming trust for domain %s\n",
domain->name));
/* Tell the cache manager not to remember this one */
return NT_STATUS_SYNCHRONIZATION_REQUIRED;
}
ads = ads_cached_connection(domain);
if (!ads) {
domain->last_status = NT_STATUS_SERVER_DISABLED;
status = NT_STATUS_SERVER_DISABLED;
goto done;
}
rc = ads_search_retry_sid(ads, &msg, sid, attrs);
if (!ADS_ERR_OK(rc)) {
status = ads_ntstatus(rc);
DEBUG(1, ("lookup_usergroups(sid=%s) ads_search tokenGroups: "
"%s\n", sid_string_dbg(sid), ads_errstr(rc)));
goto done;
}
count = ads_count_replies(ads, msg);
if (count != 1) {
status = NT_STATUS_UNSUCCESSFUL;
DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: "
"invalid number of results (count=%d)\n",
sid_string_dbg(sid), count));
goto done;
}
if (!msg) {
DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n",
sid_string_dbg(sid)));
status = NT_STATUS_UNSUCCESSFUL;
goto done;
}
user_dn = ads_get_dn(ads, mem_ctx, msg);
if (user_dn == NULL) {
status = NT_STATUS_NO_MEMORY;
goto done;
}
if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group_rid)) {
DEBUG(1,("%s: No primary group for sid=%s !?\n",
domain->name, sid_string_dbg(sid)));
goto done;
}
sid_compose(&primary_group, &domain->sid, primary_group_rid);
count = ads_pull_sids(ads, mem_ctx, msg, "tokenGroups", &sids);
/* there must always be at least one group in the token,
unless we are talking to a buggy Win2k server */
/* actually this only happens when the machine account has no read
* permissions on the tokenGroup attribute - gd */
if (count == 0) {
/* no tokenGroups */
/* lookup what groups this user is a member of by DN search on
* "memberOf" */
status = lookup_usergroups_memberof(domain, mem_ctx, user_dn,
&primary_group,
&num_groups, user_sids);
*p_num_groups = num_groups;
if (NT_STATUS_IS_OK(status)) {
goto done;
}
/* lookup what groups this user is a member of by DN search on
* "member" */
status = lookup_usergroups_member(domain, mem_ctx, user_dn,
&primary_group,
&num_groups, user_sids);
*p_num_groups = num_groups;
goto done;
}
*user_sids = NULL;
num_groups = 0;
status = add_sid_to_array(mem_ctx, &primary_group, user_sids,
&num_groups);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
for (i=0;i<count;i++) {
/* ignore Builtin groups from ADS - Guenther */
if (sid_check_is_in_builtin(&sids[i])) {
continue;
}
status = add_sid_to_array_unique(mem_ctx, &sids[i],
user_sids, &num_groups);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
}
*p_num_groups = (uint32)num_groups;
status = (*user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
DEBUG(3,("ads lookup_usergroups (tokenGroups) succeeded for sid=%s\n",
sid_string_dbg(sid)));
done:
TALLOC_FREE(user_dn);
ads_msgfree(ads, msg);
return status;
}
/* Lookup groups a user is a member of - alternate method, for when
tokenGroups are not available. */
static NTSTATUS lookup_usergroups_memberof(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
const char *user_dn,
struct dom_sid *primary_group,
uint32_t *p_num_groups,
struct dom_sid **user_sids)
{
ADS_STATUS rc;
NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
ADS_STRUCT *ads;
const char *attrs[] = {"memberOf", NULL};
uint32_t num_groups = 0;
struct dom_sid *group_sids = NULL;
int i;
char **strings = NULL;
size_t num_strings = 0, num_sids = 0;
DEBUG(3,("ads: lookup_usergroups_memberof\n"));
if ( !winbindd_can_contact_domain( domain ) ) {
DEBUG(10,("lookup_usergroups_memberof: No incoming trust for "
"domain %s\n", domain->name));
return NT_STATUS_OK;
}
ads = ads_cached_connection(domain);
if (!ads) {
domain->last_status = NT_STATUS_SERVER_DISABLED;
return NT_STATUS_UNSUCCESSFUL;
}
rc = ads_search_retry_extended_dn_ranged(ads, mem_ctx, user_dn, attrs,
ADS_EXTENDED_DN_HEX_STRING,
&strings, &num_strings);
if (!ADS_ERR_OK(rc)) {
DEBUG(1,("lookup_usergroups_memberof ads_search "
"member=%s: %s\n", user_dn, ads_errstr(rc)));
return ads_ntstatus(rc);
}
*user_sids = NULL;
num_groups = 0;
/* always add the primary group to the sid array */
status = add_sid_to_array(mem_ctx, primary_group, user_sids,
&num_groups);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
group_sids = talloc_zero_array(mem_ctx, struct dom_sid, num_strings + 1);
if (!group_sids) {
status = NT_STATUS_NO_MEMORY;
goto done;
}
for (i=0; i<num_strings; i++) {
rc = ads_get_sid_from_extended_dn(mem_ctx, strings[i],
ADS_EXTENDED_DN_HEX_STRING,
&(group_sids)[i]);
if (!ADS_ERR_OK(rc)) {
/* ignore members without SIDs */
if (NT_STATUS_EQUAL(ads_ntstatus(rc),
NT_STATUS_NOT_FOUND)) {
continue;
}
else {
status = ads_ntstatus(rc);
goto done;
}
}
num_sids++;
}
if (i == 0) {
DEBUG(1,("No memberOf for this user?!?\n"));
status = NT_STATUS_NO_MEMORY;
goto done;
}
for (i=0; i<num_sids; i++) {
/* ignore Builtin groups from ADS - Guenther */
if (sid_check_is_in_builtin(&group_sids[i])) {
continue;
}
status = add_sid_to_array(mem_ctx, &group_sids[i], user_sids,
&num_groups);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
}
*p_num_groups = num_groups;
status = (*user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
DEBUG(3,("ads lookup_usergroups (memberof) succeeded for dn=%s\n",
user_dn));
done:
TALLOC_FREE(strings);
TALLOC_FREE(group_sids);
return status;
}
/* Lookup groups a user is a member of - alternate method, for when
tokenGroups are not available. */
static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
const char *user_dn,
struct dom_sid *primary_group,
uint32_t *p_num_groups, struct dom_sid **user_sids)
{
ADS_STATUS rc;
NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
int count;
LDAPMessage *res = NULL;
LDAPMessage *msg = NULL;
char *ldap_exp;
ADS_STRUCT *ads;
const char *group_attrs[] = {"objectSid", NULL};
char *escaped_dn;
uint32_t num_groups = 0;
DEBUG(3,("ads: lookup_usergroups_member\n"));
if ( !winbindd_can_contact_domain( domain ) ) {
DEBUG(10,("lookup_usergroups_members: No incoming trust for domain %s\n",
domain->name));
return NT_STATUS_OK;
}
ads = ads_cached_connection(domain);
if (!ads) {
domain->last_status = NT_STATUS_SERVER_DISABLED;
goto done;
}
if (!(escaped_dn = escape_ldap_string(talloc_tos(), user_dn))) {
status = NT_STATUS_NO_MEMORY;
goto done;
}
ldap_exp = talloc_asprintf(mem_ctx,
"(&(member=%s)(objectCategory=group)(groupType:dn:%s:=%d))",
escaped_dn,
ADS_LDAP_MATCHING_RULE_BIT_AND,
GROUP_TYPE_SECURITY_ENABLED);
if (!ldap_exp) {
DEBUG(1,("lookup_usergroups(dn=%s) asprintf failed!\n", user_dn));
TALLOC_FREE(escaped_dn);
status = NT_STATUS_NO_MEMORY;
goto done;
}
TALLOC_FREE(escaped_dn);
rc = ads_search_retry(ads, &res, ldap_exp, group_attrs);
if (!ADS_ERR_OK(rc) || !res) {
DEBUG(1,("lookup_usergroups ads_search member=%s: %s\n", user_dn, ads_errstr(rc)));
return ads_ntstatus(rc);
}
count = ads_count_replies(ads, res);
*user_sids = NULL;
num_groups = 0;
/* always add the primary group to the sid array */
status = add_sid_to_array(mem_ctx, primary_group, user_sids,
&num_groups);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
if (count > 0) {
for (msg = ads_first_entry(ads, res); msg;
msg = ads_next_entry(ads, msg)) {
struct dom_sid group_sid;
if (!ads_pull_sid(ads, msg, "objectSid", &group_sid)) {
DEBUG(1,("No sid for this group ?!?\n"));
continue;
}
/* ignore Builtin groups from ADS - Guenther */
if (sid_check_is_in_builtin(&group_sid)) {
continue;
}
status = add_sid_to_array(mem_ctx, &group_sid,
user_sids, &num_groups);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
}
}
*p_num_groups = num_groups;
status = (user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
DEBUG(3,("ads lookup_usergroups (member) succeeded for dn=%s\n", user_dn));
done:
if (res)
ads_msgfree(ads, res);
return status;
}
/* convert a domain SID to a user or group name */
static NTSTATUS sam_sid_to_name(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
const struct dom_sid *sid,
char **pdomain_name,
char **pname,
enum lsa_SidType *ptype)
{
struct rpc_pipe_client *lsa_pipe;
struct policy_handle lsa_policy;
char *domain_name = NULL;
char *name = NULL;
enum lsa_SidType type;
TALLOC_CTX *tmp_ctx;
NTSTATUS status, result;
struct dcerpc_binding_handle *b = NULL;
DEBUG(3,("sam_sid_to_name\n"));
ZERO_STRUCT(lsa_policy);
/* Paranoia check */
if (!sid_check_is_in_builtin(sid) &&
!sid_check_is_in_our_domain(sid) &&
!sid_check_is_in_unix_users(sid) &&
!sid_check_is_unix_users(sid) &&
!sid_check_is_in_unix_groups(sid) &&
!sid_check_is_unix_groups(sid) &&
!sid_check_is_in_wellknown_domain(sid)) {
DEBUG(0, ("sam_sid_to_name: possible deadlock - trying to "
"lookup SID %s\n", sid_string_dbg(sid)));
return NT_STATUS_NONE_MAPPED;
}
tmp_ctx = talloc_stackframe();
if (tmp_ctx == NULL) {
return NT_STATUS_NO_MEMORY;
}
status = open_internal_lsa_conn(tmp_ctx, &lsa_pipe, &lsa_policy);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
b = lsa_pipe->binding_handle;
status = rpc_sid_to_name(tmp_ctx,
lsa_pipe,
&lsa_policy,
domain,
sid,
&domain_name,
&name,
&type);
if (ptype) {
*ptype = type;
}
if (pname) {
*pname = talloc_move(mem_ctx, &name);
}
if (pdomain_name) {
*pdomain_name = talloc_move(mem_ctx, &domain_name);
}
done:
if (b && is_valid_policy_hnd(&lsa_policy)) {
dcerpc_lsa_Close(b, mem_ctx, &lsa_policy, &result);
}
TALLOC_FREE(tmp_ctx);
return status;
}
/* Lookup group membership given a rid. */
static NTSTATUS sam_lookup_groupmem(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
const struct dom_sid *group_sid,
enum lsa_SidType type,
uint32_t *pnum_names,
struct dom_sid **psid_mem,
char ***pnames,
uint32_t **pname_types)
{
struct rpc_pipe_client *samr_pipe;
struct policy_handle dom_pol;
uint32_t num_names = 0;
struct dom_sid *sid_mem = NULL;
char **names = NULL;
uint32_t *name_types = NULL;
TALLOC_CTX *tmp_ctx;
NTSTATUS status, result;
struct dcerpc_binding_handle *b = NULL;
DEBUG(3,("sam_lookup_groupmem\n"));
ZERO_STRUCT(dom_pol);
/* Paranoia check */
if (sid_check_is_in_builtin(group_sid) && (type != SID_NAME_ALIAS)) {
/* There's no groups, only aliases in BUILTIN */
return NT_STATUS_NO_SUCH_GROUP;
}
if (pnum_names) {
pnum_names = 0;
}
tmp_ctx = talloc_stackframe();
if (tmp_ctx == NULL) {
return NT_STATUS_NO_MEMORY;
}
status = open_internal_samr_conn(tmp_ctx, domain, &samr_pipe, &dom_pol);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
b = samr_pipe->binding_handle;
status = rpc_lookup_groupmem(tmp_ctx,
samr_pipe,
&dom_pol,
domain->name,
&domain->sid,
group_sid,
type,
&num_names,
&sid_mem,
&names,
&name_types);
if (pnum_names) {
*pnum_names = num_names;
}
if (pnames) {
*pnames = talloc_move(mem_ctx, &names);
}
if (pname_types) {
*pname_types = talloc_move(mem_ctx, &name_types);
}
if (psid_mem) {
*psid_mem = talloc_move(mem_ctx, &sid_mem);
}
done:
if (b && is_valid_policy_hnd(&dom_pol)) {
dcerpc_samr_Close(b, mem_ctx, &dom_pol, &result);
}
TALLOC_FREE(tmp_ctx);
return status;
}
NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
const char *unix_username,
const struct passwd *pwd,
struct netr_SamInfo3 **pinfo3,
struct extra_auth_info *extra)
{
struct netr_SamInfo3 *info3;
NTSTATUS status;
TALLOC_CTX *tmp_ctx;
const char *domain_name = NULL;
const char *user_name = NULL;
struct dom_sid domain_sid;
struct dom_sid user_sid;
struct dom_sid group_sid;
enum lsa_SidType type;
uint32_t num_sids = 0;
struct dom_sid *user_sids = NULL;
bool is_null;
bool ok;
tmp_ctx = talloc_stackframe();
ok = lookup_name_smbconf(tmp_ctx,
unix_username,
LOOKUP_NAME_ALL,
&domain_name,
&user_name,
&user_sid,
&type);
if (!ok) {
status = NT_STATUS_NO_SUCH_USER;
goto done;
}
if (type != SID_NAME_USER) {
status = NT_STATUS_NO_SUCH_USER;
goto done;
}
ok = winbind_lookup_usersids(tmp_ctx,
&user_sid,
&num_sids,
&user_sids);
/* Check if winbind is running */
if (ok) {
/*
* Winbind is running and the first element of the user_sids
* is the primary group.
*/
if (num_sids > 0) {
group_sid = user_sids[0];
}
} else {
/*
* Winbind is not running, try to create the group_sid from the
* passwd group id.
*/
/*
* This can lead to a primary group of S-1-22-2-XX which
* will be rejected by other Samba code.
*/
gid_to_sid(&group_sid, pwd->pw_gid);
}
/*
* If we are a unix group, or a wellknown/builtin alias,
* set the group_sid to the
* 'Domain Users' RID of 513 which will always resolve to a
* name.
*/
if (sid_check_is_in_unix_groups(&group_sid) ||
sid_check_is_in_builtin(&group_sid) ||
sid_check_is_in_wellknown_domain(&group_sid)) {
if (sid_check_is_in_unix_users(&user_sid)) {
sid_compose(&group_sid,
get_global_sam_sid(),
DOMAIN_RID_USERS);
} else {
sid_copy(&domain_sid, &user_sid);
sid_split_rid(&domain_sid, NULL);
sid_compose(&group_sid,
&domain_sid,
DOMAIN_RID_USERS);
}
}
/* Make sure we have a valid group sid */
is_null = is_null_sid(&group_sid);
if (is_null) {
status = NT_STATUS_NO_SUCH_USER;
goto done;
}
/* Construct a netr_SamInfo3 from the information we have */
info3 = talloc_zero(tmp_ctx, struct netr_SamInfo3);
if (!info3) {
status = NT_STATUS_NO_MEMORY;
goto done;
}
info3->base.account_name.string = talloc_strdup(info3, unix_username);
if (info3->base.account_name.string == NULL) {
status = NT_STATUS_NO_MEMORY;
goto done;
}
ZERO_STRUCT(domain_sid);
status = SamInfo3_handle_sids(unix_username,
&user_sid,
&group_sid,
info3,
&domain_sid,
extra);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
info3->base.domain_sid = dom_sid_dup(info3, &domain_sid);
if (info3->base.domain_sid == NULL) {
status = NT_STATUS_NO_MEMORY;
goto done;
}
ok = sid_peek_check_rid(&domain_sid, &group_sid,
&info3->base.primary_gid);
if (!ok) {
DEBUG(1, ("The primary group domain sid(%s) does not "
"match the domain sid(%s) for %s(%s)\n",
sid_string_dbg(&group_sid),
sid_string_dbg(&domain_sid),
unix_username,
sid_string_dbg(&user_sid)));
status = NT_STATUS_INVALID_SID;
goto done;
}
info3->base.acct_flags = ACB_NORMAL;
if (num_sids) {
status = group_sids_to_info3(info3, user_sids, num_sids);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
}
*pinfo3 = talloc_steal(mem_ctx, info3);
status = NT_STATUS_OK;
done:
talloc_free(tmp_ctx);
return status;
}
