BOOL map_name_to_wellknown_sid(DOM_SID *sid, enum SID_NAME_USE *use, const char *name) { int i, j; if (!sid_name_map_initialized) init_sid_name_map(); DEBUG(10,("map_name_to_wellknown_sid: looking up %s\n", name)); for (i=0; sid_name_map[i].sid != NULL; i++) { const known_sid_users *users = sid_name_map[i].known_users; if (users == NULL) continue; for (j=0; users[j].known_user_name != NULL; j++) { if ( strequal(users[j].known_user_name, name) ) { sid_copy(sid, sid_name_map[i].sid); sid_append_rid(sid, users[j].rid); *use = users[j].sid_name_use; return True; } } } return False; }
bool pdb_set_group_sid(struct samu *sampass, const DOM_SID *g_sid, enum pdb_value_state flag) { gid_t gid; if (!g_sid) return False; if ( !(sampass->group_sid = TALLOC_P( sampass, DOM_SID )) ) { return False; } /* if we cannot resolve the SID to gid, then just ignore it and store DOMAIN_USERS as the primary groupSID */ if ( sid_to_gid( g_sid, &gid ) ) { sid_copy(sampass->group_sid, g_sid); } else { sid_copy( sampass->group_sid, get_global_sam_sid() ); sid_append_rid( sampass->group_sid, DOMAIN_GROUP_RID_USERS ); } DEBUG(10, ("pdb_set_group_sid: setting group sid %s\n", sid_string_dbg(sampass->group_sid))); return pdb_set_init_flags(sampass, PDB_GROUPSID, flag); }
BOOL pdb_set_group_sid_from_rid (struct samu *sampass, uint32 grid, enum pdb_value_state flag) { DOM_SID g_sid; const DOM_SID *global_sam_sid; if (!sampass) return False; if (!(global_sam_sid = get_global_sam_sid())) { DEBUG(1, ("pdb_set_user_sid_from_rid: Could not read global sam sid!\n")); return False; } sid_copy(&g_sid, global_sam_sid); if (!sid_append_rid(&g_sid, grid)) return False; if (!pdb_set_group_sid(sampass, &g_sid, flag)) return False; DEBUG(10, ("pdb_set_group_sid_from_rid:\n\tsetting group sid %s from rid %d\n", sid_string_static(&g_sid), grid)); return True; }
bool string_to_sid(DOM_SID *sidout, const char *sidstr) { const char *p; char *q; /* BIG NOTE: this function only does SIDS where the identauth is not >= 2^32 */ uint32 conv; if ((sidstr[0] != 'S' && sidstr[0] != 's') || sidstr[1] != '-') { DEBUG(3,("string_to_sid: Sid %s does not start with 'S-'.\n", sidstr)); return False; } ZERO_STRUCTP(sidout); /* Get the revision number. */ p = sidstr + 2; conv = (uint32) strtoul(p, &q, 10); if (!q || (*q != '-')) { DEBUG(3,("string_to_sid: Sid %s is not in a valid format.\n", sidstr)); return False; } sidout->sid_rev_num = (uint8) conv; q++; /* get identauth */ conv = (uint32) strtoul(q, &q, 10); if (!q || (*q != '-')) { DEBUG(0,("string_to_sid: Sid %s is not in a valid format.\n", sidstr)); return False; } /* identauth in decimal should be < 2^32 */ /* NOTE - the conv value is in big-endian format. */ sidout->id_auth[0] = 0; sidout->id_auth[1] = 0; sidout->id_auth[2] = (conv & 0xff000000) >> 24; sidout->id_auth[3] = (conv & 0x00ff0000) >> 16; sidout->id_auth[4] = (conv & 0x0000ff00) >> 8; sidout->id_auth[5] = (conv & 0x000000ff); q++; sidout->num_auths = 0; for(conv = (uint32) strtoul(q, &q, 10); q && (*q =='-' || *q =='\0') && (sidout->num_auths < MAXSUBAUTHS); conv = (uint32) strtoul(q, &q, 10)) { sid_append_rid(sidout, conv); if (*q == '\0') break; q++; } return True; }
bool lookup_unix_group_name(const char *name, DOM_SID *sid) { struct group *grp; grp = sys_getgrnam(name); if (grp == NULL) { return False; } sid_copy(sid, &global_sid_Unix_Groups); sid_append_rid(sid, (uint32_t)grp->gr_gid); /* For 64-bit uid's we have enough * space ... */ return True; }
bool lookup_unix_user_name(const char *name, DOM_SID *sid) { struct passwd *pwd; pwd = Get_Pwnam_alloc(talloc_autofree_context(), name); if (pwd == NULL) { return False; } sid_copy(sid, &global_sid_Unix_Users); sid_append_rid(sid, (uint32_t)pwd->pw_uid); /* For 64-bit uid's we have enough * space ... */ TALLOC_FREE(pwd); return True; }
/* add a rid to a domain dom_sid to make a full dom_sid. This function returns a new sid in the supplied memory context */ struct dom_sid *dom_sid_add_rid(TALLOC_CTX *mem_ctx, const struct dom_sid *domain_sid, uint32_t rid) { struct dom_sid *sid; sid = dom_sid_dup(mem_ctx, domain_sid); if (!sid) return NULL; if (!sid_append_rid(sid, rid)) { talloc_free(sid); return NULL; } return sid; }
static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx, NET_USER_INFO_3 *info3, const char *group_sid) { DOM_SID required_membership_sid; DOM_SID *all_sids; size_t num_all_sids = (2 + info3->num_groups2 + info3->num_other_sids); size_t i, j = 0; /* Parse the 'required group' SID */ if (!group_sid || !group_sid[0]) { /* NO sid supplied, all users may access */ return NT_STATUS_OK; } if (!string_to_sid(&required_membership_sid, group_sid)) { DEBUG(0, ("check_info3_in_group: could not parse %s as a SID!", group_sid)); return NT_STATUS_INVALID_PARAMETER; } all_sids = talloc(mem_ctx, sizeof(DOM_SID) * num_all_sids); if (!all_sids) return NT_STATUS_NO_MEMORY; /* and create (by appending rids) the 'domain' sids */ sid_copy(&all_sids[0], &(info3->dom_sid.sid)); if (!sid_append_rid(&all_sids[0], info3->user_rid)) { DEBUG(3,("could not append user's primary RID 0x%x\n", info3->user_rid)); return NT_STATUS_INVALID_PARAMETER; } j++; sid_copy(&all_sids[1], &(info3->dom_sid.sid)); if (!sid_append_rid(&all_sids[1], info3->group_rid)) { DEBUG(3,("could not append additional group rid 0x%x\n", info3->group_rid)); return NT_STATUS_INVALID_PARAMETER; } j++; for (i = 0; i < info3->num_groups2; i++) { sid_copy(&all_sids[j], &(info3->dom_sid.sid)); if (!sid_append_rid(&all_sids[j], info3->gids[j].g_rid)) { DEBUG(3,("could not append additional group rid 0x%x\n", info3->gids[j].g_rid)); return NT_STATUS_INVALID_PARAMETER; } j++; } /* Copy 'other' sids. We need to do sid filtering here to prevent possible elevation of privileges. See: http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp */ for (i = 0; i < info3->num_other_sids; i++) { sid_copy(&all_sids[info3->num_groups2 + i + 2], &info3->other_sids[j].sid); j++; } for (i = 0; i < j; i++) { fstring sid1, sid2; DEBUG(10, ("User has SID: %s\n", sid_to_string(sid1, &all_sids[i]))); if (sid_equal(&required_membership_sid, &all_sids[i])) { DEBUG(10, ("SID %s matches %s - user permitted to authenticate!\n", sid_to_string(sid1, &required_membership_sid), sid_to_string(sid2, &all_sids[i]))); return NT_STATUS_OK; } } /* Do not distinguish this error from a wrong username/pw */ return NT_STATUS_LOGON_FAILURE; }
/********************************************************* Add New User **********************************************************/ static int new_user (struct pdb_methods *in, const char *username, const char *fullname, const char *homedir, const char *drive, const char *script, const char *profile, char *user_sid, BOOL stdin_get) { struct samu *sam_pwent; char *password1, *password2; int rc_pwd_cmp; struct passwd *pwd; get_global_sam_sid(); if ( !(pwd = getpwnam_alloc( NULL, username )) ) { DEBUG(0,("Cannot locate Unix account for %s\n", username)); return -1; } if ( (sam_pwent = samu_new( NULL )) == NULL ) { DEBUG(0, ("Memory allocation failure!\n")); return -1; } if (!NT_STATUS_IS_OK(samu_alloc_rid_unix(sam_pwent, pwd ))) { TALLOC_FREE( sam_pwent ); TALLOC_FREE( pwd ); DEBUG(0, ("could not create account to add new user %s\n", username)); return -1; } password1 = get_pass( "new password:"******"retype new password:"******"Passwords do not match!\n"); TALLOC_FREE(sam_pwent); } else { pdb_set_plaintext_passwd(sam_pwent, password1); } memset(password1, 0, strlen(password1)); SAFE_FREE(password1); memset(password2, 0, strlen(password2)); SAFE_FREE(password2); /* pwds do _not_ match? */ if (rc_pwd_cmp) return -1; if (fullname) pdb_set_fullname(sam_pwent, fullname, PDB_CHANGED); if (homedir) pdb_set_homedir (sam_pwent, homedir, PDB_CHANGED); if (drive) pdb_set_dir_drive (sam_pwent, drive, PDB_CHANGED); if (script) pdb_set_logon_script(sam_pwent, script, PDB_CHANGED); if (profile) pdb_set_profile_path (sam_pwent, profile, PDB_CHANGED); if (user_sid) { DOM_SID u_sid; if (!string_to_sid(&u_sid, user_sid)) { /* not a complete sid, may be a RID, try building a SID */ int u_rid; if (sscanf(user_sid, "%d", &u_rid) != 1) { fprintf(stderr, "Error passed string is not a complete user SID or RID!\n"); TALLOC_FREE(sam_pwent); return -1; } sid_copy(&u_sid, get_global_sam_sid()); sid_append_rid(&u_sid, u_rid); } pdb_set_user_sid (sam_pwent, &u_sid, PDB_CHANGED); } pdb_set_acct_ctrl (sam_pwent, ACB_NORMAL, PDB_CHANGED); if (NT_STATUS_IS_OK(in->add_sam_account (in, sam_pwent))) { print_user_info (in, username, True, False); } else { fprintf (stderr, "Unable to add user! (does it already exist?)\n"); TALLOC_FREE(sam_pwent); return -1; } TALLOC_FREE(sam_pwent); return 0; }
static int set_user_info (struct pdb_methods *in, const char *username, const char *fullname, const char *homedir, const char *acct_desc, const char *drive, const char *script, const char *profile, const char *account_control, const char *user_sid, const char *user_domain, const BOOL badpw, const BOOL hours) { BOOL updated_autolock = False, updated_badpw = False; struct samu *sam_pwent=NULL; BOOL ret; if ( (sam_pwent = samu_new( NULL )) == NULL ) { return 1; } ret = NT_STATUS_IS_OK(in->getsampwnam (in, sam_pwent, username)); if (ret==False) { fprintf (stderr, "Username not found!\n"); TALLOC_FREE(sam_pwent); return -1; } if (hours) { uint8 hours_array[MAX_HOURS_LEN]; uint32 hours_len; hours_len = pdb_get_hours_len(sam_pwent); memset(hours_array, 0xff, hours_len); pdb_set_hours(sam_pwent, hours_array, PDB_CHANGED); } if (!pdb_update_autolock_flag(sam_pwent, &updated_autolock)) { DEBUG(2,("pdb_update_autolock_flag failed.\n")); } if (!pdb_update_bad_password_count(sam_pwent, &updated_badpw)) { DEBUG(2,("pdb_update_bad_password_count failed.\n")); } if (fullname) pdb_set_fullname(sam_pwent, fullname, PDB_CHANGED); if (acct_desc) pdb_set_acct_desc(sam_pwent, acct_desc, PDB_CHANGED); if (homedir) pdb_set_homedir(sam_pwent, homedir, PDB_CHANGED); if (drive) pdb_set_dir_drive(sam_pwent,drive, PDB_CHANGED); if (script) pdb_set_logon_script(sam_pwent, script, PDB_CHANGED); if (profile) pdb_set_profile_path (sam_pwent, profile, PDB_CHANGED); if (user_domain) pdb_set_domain(sam_pwent, user_domain, PDB_CHANGED); if (account_control) { uint32 not_settable = ~(ACB_DISABLED|ACB_HOMDIRREQ|ACB_PWNOTREQ| ACB_PWNOEXP|ACB_AUTOLOCK); uint32 newflag = pdb_decode_acct_ctrl(account_control); if (newflag & not_settable) { fprintf(stderr, "Can only set [NDHLX] flags\n"); TALLOC_FREE(sam_pwent); return -1; } pdb_set_acct_ctrl(sam_pwent, (pdb_get_acct_ctrl(sam_pwent) & not_settable) | newflag, PDB_CHANGED); } if (user_sid) { DOM_SID u_sid; if (!string_to_sid(&u_sid, user_sid)) { /* not a complete sid, may be a RID, try building a SID */ int u_rid; if (sscanf(user_sid, "%d", &u_rid) != 1) { fprintf(stderr, "Error passed string is not a complete user SID or RID!\n"); return -1; } sid_copy(&u_sid, get_global_sam_sid()); sid_append_rid(&u_sid, u_rid); } pdb_set_user_sid (sam_pwent, &u_sid, PDB_CHANGED); } if (badpw) { pdb_set_bad_password_count(sam_pwent, 0, PDB_CHANGED); pdb_set_bad_password_time(sam_pwent, 0, PDB_CHANGED); } if (NT_STATUS_IS_OK(in->update_sam_account (in, sam_pwent))) print_user_info (in, username, True, False); else { fprintf (stderr, "Unable to modify entry!\n"); TALLOC_FREE(sam_pwent); return -1; } TALLOC_FREE(sam_pwent); return 0; }
bool uid_to_unix_users_sid(uid_t uid, DOM_SID *sid) { sid_copy(sid, &global_sid_Unix_Users); return sid_append_rid(sid, (uint32_t)uid); }
bool gid_to_unix_groups_sid(gid_t gid, DOM_SID *sid) { sid_copy(sid, &global_sid_Unix_Groups); return sid_append_rid(sid, (uint32_t)gid); }
bool sid_compose(DOM_SID *dst, const DOM_SID *domain_sid, uint32 rid) { sid_copy(dst, domain_sid); return sid_append_rid(dst, rid); }
NTSTATUS pdb_default_create_alias(struct pdb_methods *methods, const char *name, uint32 *rid) { DOM_SID sid; enum lsa_SidType type; uint32 new_rid; gid_t gid; bool exists; GROUP_MAP map; TALLOC_CTX *mem_ctx; NTSTATUS status; DEBUG(10, ("Trying to create alias %s\n", name)); mem_ctx = talloc_new(NULL); if (mem_ctx == NULL) { return NT_STATUS_NO_MEMORY; } exists = lookup_name(mem_ctx, name, LOOKUP_NAME_LOCAL, NULL, NULL, &sid, &type); TALLOC_FREE(mem_ctx); if (exists) { return NT_STATUS_ALIAS_EXISTS; } if (!winbind_allocate_gid(&gid)) { DEBUG(3, ("Could not get a gid out of winbind\n")); return NT_STATUS_ACCESS_DENIED; } if (!pdb_new_rid(&new_rid)) { DEBUG(0, ("Could not allocate a RID -- wasted a gid :-(\n")); return NT_STATUS_ACCESS_DENIED; } DEBUG(10, ("Creating alias %s with gid %d and rid %d\n", name, gid, new_rid)); sid_copy(&sid, get_global_sam_sid()); sid_append_rid(&sid, new_rid); map.gid = gid; sid_copy(&map.sid, &sid); map.sid_name_use = SID_NAME_ALIAS; fstrcpy(map.nt_name, name); fstrcpy(map.comment, ""); status = pdb_add_group_mapping_entry(&map); if (!NT_STATUS_IS_OK(status)) { DEBUG(0, ("Could not add group mapping entry for alias %s " "(%s)\n", name, nt_errstr(status))); return status; } *rid = new_rid; return NT_STATUS_OK; }
const DOM_SID *pdb_get_group_sid(struct samu *sampass) { DOM_SID *gsid; struct passwd *pwd; /* Return the cached group SID if we have that */ if ( sampass->group_sid ) { return sampass->group_sid; } /* generate the group SID from the user's primary Unix group */ if ( !(gsid = TALLOC_P( sampass, DOM_SID )) ) { return NULL; } /* No algorithmic mapping, meaning that we have to figure out the primary group SID according to group mapping and the user SID must be a newly allocated one. We rely on the user's Unix primary gid. We have no choice but to fail if we can't find it. */ if ( sampass->unix_pw ) { pwd = sampass->unix_pw; } else { pwd = Get_Pwnam_alloc( sampass, pdb_get_username(sampass) ); } if ( !pwd ) { DEBUG(0,("pdb_get_group_sid: Failed to find Unix account for %s\n", pdb_get_username(sampass) )); return NULL; } if ( pdb_gid_to_sid(pwd->pw_gid, gsid) ) { enum lsa_SidType type = SID_NAME_UNKNOWN; TALLOC_CTX *mem_ctx = talloc_init("pdb_get_group_sid"); bool lookup_ret; if (!mem_ctx) { return NULL; } /* Now check that it's actually a domain group and not something else */ lookup_ret = lookup_sid(mem_ctx, gsid, NULL, NULL, &type); TALLOC_FREE( mem_ctx ); if ( lookup_ret && (type == SID_NAME_DOM_GRP) ) { sampass->group_sid = gsid; return sampass->group_sid; } DEBUG(3, ("Primary group for user %s is a %s and not a domain group\n", pwd->pw_name, sid_type_lookup(type))); } /* Just set it to the 'Domain Users' RID of 512 which will always resolve to a name */ sid_copy( gsid, get_global_sam_sid() ); sid_append_rid( gsid, DOMAIN_GROUP_RID_USERS ); sampass->group_sid = gsid; return sampass->group_sid; }
static NTSTATUS cmd_samr_query_useraliases(struct cli_state *cli, TALLOC_CTX *mem_ctx, int argc, char **argv) { POLICY_HND connect_pol, domain_pol; NTSTATUS result = NT_STATUS_UNSUCCESSFUL; uint32 user_rid, num_aliases, *alias_rids; int i; fstring server; DOM_SID tmp_sid; DOM_SID2 sid; DOM_SID global_sid_Builtin; string_to_sid(&global_sid_Builtin, "S-1-5-32"); if (argc != 3) { printf("Usage: %s builtin|domain rid\n", argv[0]); return NT_STATUS_OK; } sscanf(argv[2], "%i", &user_rid); slprintf (server, sizeof(fstring)-1, "\\\\%s", cli->desthost); strupper (server); result = cli_samr_connect(cli, mem_ctx, MAXIMUM_ALLOWED_ACCESS, &connect_pol); if (!NT_STATUS_IS_OK(result)) { goto done; } if (StrCaseCmp(argv[1], "domain")==0) result = cli_samr_open_domain(cli, mem_ctx, &connect_pol, MAXIMUM_ALLOWED_ACCESS, &domain_sid, &domain_pol); else if (StrCaseCmp(argv[1], "builtin")==0) result = cli_samr_open_domain(cli, mem_ctx, &connect_pol, MAXIMUM_ALLOWED_ACCESS, &global_sid_Builtin, &domain_pol); else return NT_STATUS_OK; if (!NT_STATUS_IS_OK(result)) { goto done; } sid_copy(&tmp_sid, &domain_sid); sid_append_rid(&tmp_sid, user_rid); init_dom_sid2(&sid, &tmp_sid); result = cli_samr_query_useraliases(cli, mem_ctx, &domain_pol, 1, &sid, &num_aliases, &alias_rids); if (!NT_STATUS_IS_OK(result)) { goto done; } for (i = 0; i < num_aliases; i++) { printf("\tgroup rid:[0x%x]\n", alias_rids[i]); } done: return result; }
static NTSTATUS auth_domain_admin_user_info_dc(TALLOC_CTX *mem_ctx, const char *netbios_name, const char *domain_name, struct dom_sid *domain_sid, struct auth_user_info_dc **_user_info_dc) { struct auth_user_info_dc *user_info_dc; struct auth_user_info *info; user_info_dc = talloc(mem_ctx, struct auth_user_info_dc); NT_STATUS_HAVE_NO_MEMORY(user_info_dc); user_info_dc->num_sids = 7; user_info_dc->sids = talloc_array(user_info_dc, struct dom_sid, user_info_dc->num_sids); user_info_dc->sids[PRIMARY_USER_SID_INDEX] = *domain_sid; sid_append_rid(&user_info_dc->sids[PRIMARY_USER_SID_INDEX], DOMAIN_RID_ADMINISTRATOR); user_info_dc->sids[PRIMARY_GROUP_SID_INDEX] = *domain_sid; sid_append_rid(&user_info_dc->sids[PRIMARY_USER_SID_INDEX], DOMAIN_RID_USERS); user_info_dc->sids[2] = global_sid_Builtin_Administrators; user_info_dc->sids[3] = *domain_sid; sid_append_rid(&user_info_dc->sids[3], DOMAIN_RID_ADMINS); user_info_dc->sids[4] = *domain_sid; sid_append_rid(&user_info_dc->sids[4], DOMAIN_RID_ENTERPRISE_ADMINS); user_info_dc->sids[5] = *domain_sid; sid_append_rid(&user_info_dc->sids[5], DOMAIN_RID_POLICY_ADMINS); user_info_dc->sids[6] = *domain_sid; sid_append_rid(&user_info_dc->sids[6], DOMAIN_RID_SCHEMA_ADMINS); /* What should the session key be?*/ user_info_dc->user_session_key = data_blob_talloc(user_info_dc, NULL, 16); NT_STATUS_HAVE_NO_MEMORY(user_info_dc->user_session_key.data); user_info_dc->lm_session_key = data_blob_talloc(user_info_dc, NULL, 16); NT_STATUS_HAVE_NO_MEMORY(user_info_dc->lm_session_key.data); data_blob_clear(&user_info_dc->user_session_key); data_blob_clear(&user_info_dc->lm_session_key); user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info); NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info); info->account_name = talloc_strdup(info, "Administrator"); NT_STATUS_HAVE_NO_MEMORY(info->account_name); info->domain_name = talloc_strdup(info, domain_name); NT_STATUS_HAVE_NO_MEMORY(info->domain_name); info->full_name = talloc_strdup(info, "Administrator"); NT_STATUS_HAVE_NO_MEMORY(info->full_name); info->logon_script = talloc_strdup(info, ""); NT_STATUS_HAVE_NO_MEMORY(info->logon_script); info->profile_path = talloc_strdup(info, ""); NT_STATUS_HAVE_NO_MEMORY(info->profile_path); info->home_directory = talloc_strdup(info, ""); NT_STATUS_HAVE_NO_MEMORY(info->home_directory); info->home_drive = talloc_strdup(info, ""); NT_STATUS_HAVE_NO_MEMORY(info->home_drive); info->logon_server = talloc_strdup(info, netbios_name); NT_STATUS_HAVE_NO_MEMORY(info->logon_server); info->last_logon = 0; info->last_logoff = 0; info->acct_expiry = 0; info->last_password_change = 0; info->allow_password_change = 0; info->force_password_change
bool dom_sid_parse_endp(const char *sidstr,struct dom_sid *sidout, const char **endp) { const char *p; char *q; /* BIG NOTE: this function only does SIDS where the identauth is not >= 2^32 */ uint64_t conv; ZERO_STRUCTP(sidout); if ((sidstr[0] != 'S' && sidstr[0] != 's') || sidstr[1] != '-') { goto format_error; } /* Get the revision number. */ p = sidstr + 2; if (!isdigit(*p)) { goto format_error; } conv = strtoul(p, &q, 10); if (!q || (*q != '-') || conv > UINT8_MAX) { goto format_error; } sidout->sid_rev_num = (uint8_t) conv; q++; if (!isdigit(*q)) { goto format_error; } /* get identauth */ conv = strtoull(q, &q, 0); if (!q || conv & AUTHORITY_MASK) { goto format_error; } /* When identauth >= UINT32_MAX, it's in hex with a leading 0x */ /* NOTE - the conv value is in big-endian format. */ sidout->id_auth[0] = (conv & 0xff0000000000ULL) >> 40; sidout->id_auth[1] = (conv & 0x00ff00000000ULL) >> 32; sidout->id_auth[2] = (conv & 0x0000ff000000ULL) >> 24; sidout->id_auth[3] = (conv & 0x000000ff0000ULL) >> 16; sidout->id_auth[4] = (conv & 0x00000000ff00ULL) >> 8; sidout->id_auth[5] = (conv & 0x0000000000ffULL); sidout->num_auths = 0; if (*q != '-') { /* Just id_auth, no subauths */ goto done; } q++; while (true) { char *end; if (!isdigit(*q)) { goto format_error; } conv = strtoull(q, &end, 10); if (end == q || conv > UINT32_MAX) { goto format_error; } if (!sid_append_rid(sidout, conv)) { DEBUG(3, ("Too many sid auths in %s\n", sidstr)); return false; } q = end; if (*q != '-') { break; } q += 1; } done: if (endp != NULL) { *endp = q; } return true; format_error: DEBUG(3, ("string_to_sid: SID %s is not in a valid format\n", sidstr)); return false; }
_PUBLIC_ NTSTATUS authsam_make_user_info_dc(TALLOC_CTX *mem_ctx, struct ldb_context *sam_ctx, const char *netbios_name, const char *domain_name, struct ldb_dn *domain_dn, struct ldb_message *msg, DATA_BLOB user_sess_key, DATA_BLOB lm_sess_key, struct auth_user_info_dc **_user_info_dc) { NTSTATUS status; struct auth_user_info_dc *user_info_dc; struct auth_user_info *info; const char *str, *filter; /* SIDs for the account and his primary group */ struct dom_sid *account_sid; const char *primary_group_string; const char *primary_group_dn; DATA_BLOB primary_group_blob; /* SID structures for the expanded group memberships */ struct dom_sid *sids = NULL; unsigned int num_sids = 0, i; struct dom_sid *domain_sid; TALLOC_CTX *tmp_ctx; struct ldb_message_element *el; user_info_dc = talloc(mem_ctx, struct auth_user_info_dc); NT_STATUS_HAVE_NO_MEMORY(user_info_dc); tmp_ctx = talloc_new(user_info_dc); NT_STATUS_HAVE_NO_MEMORY_AND_FREE(user_info_dc, user_info_dc); sids = talloc_array(user_info_dc, struct dom_sid, 2); NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sids, user_info_dc); num_sids = 2; account_sid = samdb_result_dom_sid(user_info_dc, msg, "objectSid"); NT_STATUS_HAVE_NO_MEMORY_AND_FREE(account_sid, user_info_dc); status = dom_sid_split_rid(tmp_ctx, account_sid, &domain_sid, NULL); if (!NT_STATUS_IS_OK(status)) { talloc_free(user_info_dc); return status; } sids[PRIMARY_USER_SID_INDEX] = *account_sid; sids[PRIMARY_GROUP_SID_INDEX] = *domain_sid; sid_append_rid(&sids[PRIMARY_GROUP_SID_INDEX], ldb_msg_find_attr_as_uint(msg, "primaryGroupID", ~0)); /* Filter out builtin groups from this token. We will search * for builtin groups later, and not include them in the PAC * on SamLogon validation info */ filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(!(groupType:1.2.840.113556.1.4.803:=%u))(groupType:1.2.840.113556.1.4.803:=%u))", GROUP_TYPE_BUILTIN_LOCAL_GROUP, GROUP_TYPE_SECURITY_ENABLED); NT_STATUS_HAVE_NO_MEMORY_AND_FREE(filter, user_info_dc); primary_group_string = dom_sid_string(tmp_ctx, &sids[PRIMARY_GROUP_SID_INDEX]); NT_STATUS_HAVE_NO_MEMORY_AND_FREE(primary_group_string, user_info_dc); primary_group_dn = talloc_asprintf(tmp_ctx, "<SID=%s>", primary_group_string); NT_STATUS_HAVE_NO_MEMORY_AND_FREE(primary_group_dn, user_info_dc); primary_group_blob = data_blob_string_const(primary_group_dn); /* Expands the primary group - this function takes in * memberOf-like values, so we fake one up with the * <SID=S-...> format of DN and then let it expand * them, as long as they meet the filter - so only * domain groups, not builtin groups * * The primary group is still treated specially, so we set the * 'only childs' flag to true */ status = dsdb_expand_nested_groups(sam_ctx, &primary_group_blob, true, filter, user_info_dc, &sids, &num_sids); if (!NT_STATUS_IS_OK(status)) { talloc_free(user_info_dc); return status; } /* Expands the additional groups */ el = ldb_msg_find_element(msg, "memberOf"); for (i = 0; el && i < el->num_values; i++) { /* This function takes in memberOf values and expands * them, as long as they meet the filter - so only * domain groups, not builtin groups */ status = dsdb_expand_nested_groups(sam_ctx, &el->values[i], false, filter, user_info_dc, &sids, &num_sids); if (!NT_STATUS_IS_OK(status)) { talloc_free(user_info_dc); return status; } } user_info_dc->sids = sids; user_info_dc->num_sids = num_sids; user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info); NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info); info->account_name = talloc_steal(info, ldb_msg_find_attr_as_string(msg, "sAMAccountName", NULL)); info->domain_name = talloc_strdup(info, domain_name); NT_STATUS_HAVE_NO_MEMORY_AND_FREE(info->domain_name, user_info_dc); str = ldb_msg_find_attr_as_string(msg, "displayName", ""); info->full_name = talloc_strdup(info, str); NT_STATUS_HAVE_NO_MEMORY_AND_FREE(info->full_name, user_info_dc); str = ldb_msg_find_attr_as_string(msg, "scriptPath", ""); info->logon_script = talloc_strdup(info, str); NT_STATUS_HAVE_NO_MEMORY_AND_FREE(info->logon_script, user_info_dc); str = ldb_msg_find_attr_as_string(msg, "profilePath", ""); info->profile_path = talloc_strdup(info, str); NT_STATUS_HAVE_NO_MEMORY_AND_FREE(info->profile_path, user_info_dc); str = ldb_msg_find_attr_as_string(msg, "homeDirectory", ""); info->home_directory = talloc_strdup(info, str); NT_STATUS_HAVE_NO_MEMORY_AND_FREE(info->home_directory, user_info_dc); str = ldb_msg_find_attr_as_string(msg, "homeDrive", ""); info->home_drive = talloc_strdup(info, str); NT_STATUS_HAVE_NO_MEMORY_AND_FREE(info->home_drive, user_info_dc); info->logon_server = talloc_strdup(info, netbios_name); NT_STATUS_HAVE_NO_MEMORY_AND_FREE(info->logon_server, user_info_dc); info->last_logon = samdb_result_nttime(msg, "lastLogon", 0); info->last_logoff = samdb_result_last_logoff(msg); info->acct_expiry = samdb_result_account_expires(msg); info->last_password_change = samdb_result_nttime(msg, "pwdLastSet", 0); info->allow_password_change = samdb_result_allow_password_change(sam_ctx, mem_ctx, domain_dn, msg, "pwdLastSet"); info->force_password_change = samdb_result_force_password_change(sam_ctx, mem_ctx, domain_dn, msg); info->logon_count = ldb_msg_find_attr_as_uint(msg, "logonCount", 0); info->bad_password_count = ldb_msg_find_attr_as_uint(msg, "badPwdCount", 0); info->acct_flags = samdb_result_acct_flags(sam_ctx, mem_ctx, msg, domain_dn); user_info_dc->user_session_key = data_blob_talloc(user_info_dc, user_sess_key.data, user_sess_key.length); if (user_sess_key.data) { NT_STATUS_HAVE_NO_MEMORY_AND_FREE(user_info_dc->user_session_key.data, user_info_dc); } user_info_dc->lm_session_key = data_blob_talloc(user_info_dc, lm_sess_key.data, lm_sess_key.length); if (lm_sess_key.data) { NT_STATUS_HAVE_NO_MEMORY_AND_FREE(user_info_dc->lm_session_key.data, user_info_dc); } if (info->acct_flags & ACB_SVRTRUST) { /* the SID_NT_ENTERPRISE_DCS SID gets added into the PAC */ user_info_dc->sids = talloc_realloc(user_info_dc, user_info_dc->sids, struct dom_sid, user_info_dc->num_sids+1); NT_STATUS_HAVE_NO_MEMORY_AND_FREE(user_info_dc->sids, user_info_dc); user_info_dc->sids[user_info_dc->num_sids] = global_sid_Enterprise_DCs; user_info_dc->num_sids++; }
enum winbindd_result winbindd_dual_getsidaliases(struct winbindd_domain *domain, struct winbindd_cli_state *state) { DOM_SID *sids = NULL; size_t num_sids = 0; char *sidstr = NULL; ssize_t len; size_t i; uint32 num_aliases; uint32 *alias_rids; NTSTATUS result; DEBUG(3, ("[%5lu]: getsidaliases\n", (unsigned long)state->pid)); sidstr = state->request->extra_data.data; if (sidstr == NULL) { sidstr = talloc_strdup(state->mem_ctx, "\n"); /* No SID */ if (!sidstr) { DEBUG(0, ("Out of memory\n")); return WINBINDD_ERROR; } } DEBUG(10, ("Sidlist: %s\n", sidstr)); if (!parse_sidlist(state->mem_ctx, sidstr, &sids, &num_sids)) { DEBUG(0, ("Could not parse SID list: %s\n", sidstr)); return WINBINDD_ERROR; } num_aliases = 0; alias_rids = NULL; result = domain->methods->lookup_useraliases(domain, state->mem_ctx, num_sids, sids, &num_aliases, &alias_rids); if (!NT_STATUS_IS_OK(result)) { DEBUG(3, ("Could not lookup_useraliases: %s\n", nt_errstr(result))); return WINBINDD_ERROR; } num_sids = 0; sids = NULL; sidstr = NULL; DEBUG(10, ("Got %d aliases\n", num_aliases)); for (i=0; i<num_aliases; i++) { DOM_SID sid; DEBUGADD(10, (" rid %d\n", alias_rids[i])); sid_copy(&sid, &domain->sid); sid_append_rid(&sid, alias_rids[i]); result = add_sid_to_array(state->mem_ctx, &sid, &sids, &num_sids); if (!NT_STATUS_IS_OK(result)) { return WINBINDD_ERROR; } } if (!print_sidlist(state->mem_ctx, sids, num_sids, &sidstr, &len)) { DEBUG(0, ("Could not print_sidlist\n")); state->response->extra_data.data = NULL; return WINBINDD_ERROR; } state->response->extra_data.data = NULL; if (sidstr) { state->response->extra_data.data = sidstr; DEBUG(10, ("aliases_list: %s\n", (char *)state->response->extra_data.data)); state->response->length += len+1; state->response->data.num_entries = num_sids; } return WINBINDD_OK; }
/* Lookup groups a user is a member of. */ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, const DOM_SID *sid, uint32 *p_num_groups, DOM_SID **user_sids) { ADS_STRUCT *ads = NULL; const char *attrs[] = {"tokenGroups", "primaryGroupID", NULL}; ADS_STATUS rc; int count; LDAPMessage *msg = NULL; char *user_dn = NULL; DOM_SID *sids; int i; DOM_SID primary_group; uint32 primary_group_rid; NTSTATUS status = NT_STATUS_UNSUCCESSFUL; size_t num_groups = 0; DEBUG(3,("ads: lookup_usergroups\n")); *p_num_groups = 0; status = lookup_usergroups_cached(domain, mem_ctx, sid, p_num_groups, user_sids); if (NT_STATUS_IS_OK(status)) { return NT_STATUS_OK; } if ( !winbindd_can_contact_domain( domain ) ) { DEBUG(10,("lookup_usergroups: No incoming trust for domain %s\n", domain->name)); /* Tell the cache manager not to remember this one */ return NT_STATUS_SYNCHRONIZATION_REQUIRED; } ads = ads_cached_connection(domain); if (!ads) { domain->last_status = NT_STATUS_SERVER_DISABLED; status = NT_STATUS_SERVER_DISABLED; goto done; } rc = ads_search_retry_sid(ads, &msg, sid, attrs); if (!ADS_ERR_OK(rc)) { status = ads_ntstatus(rc); DEBUG(1, ("lookup_usergroups(sid=%s) ads_search tokenGroups: " "%s\n", sid_string_dbg(sid), ads_errstr(rc))); goto done; } count = ads_count_replies(ads, msg); if (count != 1) { status = NT_STATUS_UNSUCCESSFUL; DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: " "invalid number of results (count=%d)\n", sid_string_dbg(sid), count)); goto done; } if (!msg) { DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n", sid_string_dbg(sid))); status = NT_STATUS_UNSUCCESSFUL; goto done; } user_dn = ads_get_dn(ads, mem_ctx, msg); if (user_dn == NULL) { status = NT_STATUS_NO_MEMORY; goto done; } if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group_rid)) { DEBUG(1,("%s: No primary group for sid=%s !?\n", domain->name, sid_string_dbg(sid))); goto done; } sid_copy(&primary_group, &domain->sid); sid_append_rid(&primary_group, primary_group_rid); count = ads_pull_sids(ads, mem_ctx, msg, "tokenGroups", &sids); /* there must always be at least one group in the token, unless we are talking to a buggy Win2k server */ /* actually this only happens when the machine account has no read * permissions on the tokenGroup attribute - gd */ if (count == 0) { /* no tokenGroups */ /* lookup what groups this user is a member of by DN search on * "memberOf" */ status = lookup_usergroups_memberof(domain, mem_ctx, user_dn, &primary_group, &num_groups, user_sids); *p_num_groups = (uint32)num_groups; if (NT_STATUS_IS_OK(status)) { goto done; } /* lookup what groups this user is a member of by DN search on * "member" */ status = lookup_usergroups_member(domain, mem_ctx, user_dn, &primary_group, &num_groups, user_sids); *p_num_groups = (uint32)num_groups; goto done; } *user_sids = NULL; num_groups = 0; status = add_sid_to_array(mem_ctx, &primary_group, user_sids, &num_groups); if (!NT_STATUS_IS_OK(status)) { goto done; } for (i=0;i<count;i++) { /* ignore Builtin groups from ADS - Guenther */ if (sid_check_is_in_builtin(&sids[i])) { continue; } status = add_sid_to_array_unique(mem_ctx, &sids[i], user_sids, &num_groups); if (!NT_STATUS_IS_OK(status)) { goto done; } } *p_num_groups = (uint32)num_groups; status = (*user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY; DEBUG(3,("ads lookup_usergroups (tokenGroups) succeeded for sid=%s\n", sid_string_dbg(sid))); done: TALLOC_FREE(user_dn); ads_msgfree(ads, msg); return status; }
/***************************************************************************** For idmap conversion: convert one record to new format Ancient versions (eg 2.2.3a) of winbindd_idmap.tdb mapped DOMAINNAME/rid instead of the SID. *****************************************************************************/ static int convert_fn(struct db_record *rec, void *private_data) { struct winbindd_domain *domain; char *p; NTSTATUS status; DOM_SID sid; uint32 rid; fstring keystr; fstring dom_name; TDB_DATA key2; struct convert_fn_state *s = (struct convert_fn_state *)private_data; DEBUG(10,("Converting %s\n", (const char *)rec->key.dptr)); p = strchr((const char *)rec->key.dptr, '/'); if (!p) return 0; *p = 0; fstrcpy(dom_name, (const char *)rec->key.dptr); *p++ = '/'; domain = find_domain_from_name(dom_name); if (domain == NULL) { /* We must delete the old record. */ DEBUG(0,("Unable to find domain %s\n", dom_name )); DEBUG(0,("deleting record %s\n", (const char *)rec->key.dptr )); status = rec->delete_rec(rec); if (!NT_STATUS_IS_OK(status)) { DEBUG(0, ("Unable to delete record %s:%s\n", (const char *)rec->key.dptr, nt_errstr(status))); s->failed = true; return -1; } return 0; } rid = atoi(p); sid_copy(&sid, &domain->sid); sid_append_rid(&sid, rid); sid_to_fstring(keystr, &sid); key2 = string_term_tdb_data(keystr); status = dbwrap_store(s->db, key2, rec->value, TDB_INSERT); if (!NT_STATUS_IS_OK(status)) { DEBUG(0,("Unable to add record %s:%s\n", (const char *)key2.dptr, nt_errstr(status))); s->failed = true; return -1; } status = dbwrap_store(s->db, rec->value, key2, TDB_REPLACE); if (!NT_STATUS_IS_OK(status)) { DEBUG(0,("Unable to update record %s:%s\n", (const char *)rec->value.dptr, nt_errstr(status))); s->failed = true; return -1; } status = rec->delete_rec(rec); if (!NT_STATUS_IS_OK(status)) { DEBUG(0,("Unable to delete record %s:%s\n", (const char *)rec->key.dptr, nt_errstr(status))); s->failed = true; return -1; } return 0; }
BOOL string_to_sid(DOM_SID *sidout, const char *sidstr) { pstring tok; char *q; const char *p; /* BIG NOTE: this function only does SIDS where the identauth is not >= 2^32 */ uint32 ia; if (StrnCaseCmp( sidstr, "S-", 2)) { DEBUG(0,("string_to_sid: Sid %s does not start with 'S-'.\n", sidstr)); return False; } memset((char *)sidout, '\0', sizeof(DOM_SID)); p = q = SMB_STRDUP(sidstr + 2); if (p == NULL) { DEBUG(0, ("string_to_sid: out of memory!\n")); return False; } if (!next_token(&p, tok, "-", sizeof(tok))) { DEBUG(0,("string_to_sid: Sid %s is not in a valid format.\n", sidstr)); SAFE_FREE(q); return False; } /* Get the revision number. */ sidout->sid_rev_num = (uint8)strtoul(tok, NULL, 10); if (!next_token(&p, tok, "-", sizeof(tok))) { DEBUG(0,("string_to_sid: Sid %s is not in a valid format.\n", sidstr)); SAFE_FREE(q); return False; } /* identauth in decimal should be < 2^32 */ ia = (uint32)strtoul(tok, NULL, 10); /* NOTE - the ia value is in big-endian format. */ sidout->id_auth[0] = 0; sidout->id_auth[1] = 0; sidout->id_auth[2] = (ia & 0xff000000) >> 24; sidout->id_auth[3] = (ia & 0x00ff0000) >> 16; sidout->id_auth[4] = (ia & 0x0000ff00) >> 8; sidout->id_auth[5] = (ia & 0x000000ff); sidout->num_auths = 0; while(next_token(&p, tok, "-", sizeof(tok)) && sidout->num_auths < MAXSUBAUTHS) { /* * NOTE - the subauths are in native machine-endian format. They * are converted to little-endian when linearized onto the wire. */ sid_append_rid(sidout, (uint32)strtoul(tok, NULL, 10)); } SAFE_FREE(q); return True; }
bool lookup_name(TALLOC_CTX *mem_ctx, const char *full_name, int flags, const char **ret_domain, const char **ret_name, DOM_SID *ret_sid, enum lsa_SidType *ret_type) { char *p; const char *tmp; const char *domain = NULL; const char *name = NULL; uint32 rid; DOM_SID sid; enum lsa_SidType type; TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); if (tmp_ctx == NULL) { DEBUG(0, ("talloc_new failed\n")); return false; } p = strchr_m(full_name, '\\'); if (p != NULL) { domain = talloc_strndup(tmp_ctx, full_name, PTR_DIFF(p, full_name)); name = talloc_strdup(tmp_ctx, p+1); } else { domain = talloc_strdup(tmp_ctx, ""); name = talloc_strdup(tmp_ctx, full_name); } if ((domain == NULL) || (name == NULL)) { DEBUG(0, ("talloc failed\n")); TALLOC_FREE(tmp_ctx); return false; } DEBUG(10,("lookup_name: %s => %s (domain), %s (name)\n", full_name, domain, name)); DEBUG(10, ("lookup_name: flags = 0x0%x\n", flags)); if ((flags & LOOKUP_NAME_DOMAIN) && strequal(domain, get_global_sam_name())) { /* It's our own domain, lookup the name in passdb */ if (lookup_global_sam_name(name, flags, &rid, &type)) { sid_copy(&sid, get_global_sam_sid()); sid_append_rid(&sid, rid); goto ok; } TALLOC_FREE(tmp_ctx); return false; } if ((flags & LOOKUP_NAME_BUILTIN) && strequal(domain, builtin_domain_name())) { /* Explicit request for a name in BUILTIN */ if (lookup_builtin_name(name, &rid)) { sid_copy(&sid, &global_sid_Builtin); sid_append_rid(&sid, rid); type = SID_NAME_ALIAS; goto ok; } TALLOC_FREE(tmp_ctx); return false; } /* Try the explicit winbind lookup first, don't let it guess the * domain yet at this point yet. This comes later. */ if ((domain[0] != '\0') && (flags & ~(LOOKUP_NAME_DOMAIN|LOOKUP_NAME_ISOLATED)) && (winbind_lookup_name(domain, name, &sid, &type))) { goto ok; } if (!(flags & LOOKUP_NAME_EXPLICIT) && strequal(domain, unix_users_domain_name())) { if (lookup_unix_user_name(name, &sid)) { type = SID_NAME_USER; goto ok; } TALLOC_FREE(tmp_ctx); return false; } if (!(flags & LOOKUP_NAME_EXPLICIT) && strequal(domain, unix_groups_domain_name())) { if (lookup_unix_group_name(name, &sid)) { type = SID_NAME_DOM_GRP; goto ok; } TALLOC_FREE(tmp_ctx); return false; } if ((domain[0] == '\0') && (!(flags & LOOKUP_NAME_ISOLATED))) { TALLOC_FREE(tmp_ctx); return false; } /* Now the guesswork begins, we haven't been given an explicit * domain. Try the sequence as documented on * http://msdn.microsoft.com/library/en-us/secmgmt/security/lsalookupnames.asp * November 27, 2005 */ /* 1. well-known names */ if ((flags & LOOKUP_NAME_WKN) && lookup_wellknown_name(tmp_ctx, name, &sid, &domain)) { type = SID_NAME_WKN_GRP; goto ok; } /* 2. Builtin domain as such */ if ((flags & (LOOKUP_NAME_BUILTIN|LOOKUP_NAME_REMOTE)) && strequal(name, builtin_domain_name())) { /* Swap domain and name */ tmp = name; name = domain; domain = tmp; sid_copy(&sid, &global_sid_Builtin); type = SID_NAME_DOMAIN; goto ok; } /* 3. Account domain */ if ((flags & LOOKUP_NAME_DOMAIN) && strequal(name, get_global_sam_name())) { if (!secrets_fetch_domain_sid(name, &sid)) { DEBUG(3, ("Could not fetch my SID\n")); TALLOC_FREE(tmp_ctx); return false; } /* Swap domain and name */ tmp = name; name = domain; domain = tmp; type = SID_NAME_DOMAIN; goto ok; } /* 4. Primary domain */ if ((flags & LOOKUP_NAME_DOMAIN) && !IS_DC && strequal(name, lp_workgroup())) { if (!secrets_fetch_domain_sid(name, &sid)) { DEBUG(3, ("Could not fetch the domain SID\n")); TALLOC_FREE(tmp_ctx); return false; } /* Swap domain and name */ tmp = name; name = domain; domain = tmp; type = SID_NAME_DOMAIN; goto ok; } /* 5. Trusted domains as such, to me it looks as if members don't do this, tested an XP workstation in a NT domain -- vl */ if ((flags & LOOKUP_NAME_REMOTE) && IS_DC && (pdb_get_trusteddom_pw(name, NULL, &sid, NULL))) { /* Swap domain and name */ tmp = name; name = domain; domain = tmp; type = SID_NAME_DOMAIN; goto ok; } /* 6. Builtin aliases */ if ((flags & LOOKUP_NAME_BUILTIN) && lookup_builtin_name(name, &rid)) { domain = talloc_strdup(tmp_ctx, builtin_domain_name()); sid_copy(&sid, &global_sid_Builtin); sid_append_rid(&sid, rid); type = SID_NAME_ALIAS; goto ok; } /* 7. Local systems' SAM (DCs don't have a local SAM) */ /* 8. Primary SAM (On members, this is the domain) */ /* Both cases are done by looking at our passdb */ if ((flags & LOOKUP_NAME_DOMAIN) && lookup_global_sam_name(name, flags, &rid, &type)) { domain = talloc_strdup(tmp_ctx, get_global_sam_name()); sid_copy(&sid, get_global_sam_sid()); sid_append_rid(&sid, rid); goto ok; } /* Now our local possibilities are exhausted. */ if (!(flags & LOOKUP_NAME_REMOTE)) { TALLOC_FREE(tmp_ctx); return false; } /* If we are not a DC, we have to ask in our primary domain. Let * winbind do that. */ if (!IS_DC && (winbind_lookup_name(lp_workgroup(), name, &sid, &type))) { domain = talloc_strdup(tmp_ctx, lp_workgroup()); goto ok; } /* 9. Trusted domains */ /* If we're a DC we have to ask all trusted DC's. Winbind does not do * that (yet), but give it a chance. */ if (IS_DC && winbind_lookup_name("", name, &sid, &type)) { DOM_SID dom_sid; uint32 tmp_rid; enum lsa_SidType domain_type; if (type == SID_NAME_DOMAIN) { /* Swap name and type */ tmp = name; name = domain; domain = tmp; goto ok; } /* Here we have to cope with a little deficiency in the * winbind API: We have to ask it again for the name of the * domain it figured out itself. Maybe fix that later... */ sid_copy(&dom_sid, &sid); sid_split_rid(&dom_sid, &tmp_rid); if (!winbind_lookup_sid(tmp_ctx, &dom_sid, &domain, NULL, &domain_type) || (domain_type != SID_NAME_DOMAIN)) { DEBUG(2, ("winbind could not find the domain's name " "it just looked up for us\n")); TALLOC_FREE(tmp_ctx); return false; } goto ok; } /* 10. Don't translate */ /* 11. Ok, windows would end here. Samba has two more options: Unmapped users and unmapped groups */ if (!(flags & LOOKUP_NAME_EXPLICIT) && lookup_unix_user_name(name, &sid)) { domain = talloc_strdup(tmp_ctx, unix_users_domain_name()); type = SID_NAME_USER; goto ok; } if (!(flags & LOOKUP_NAME_EXPLICIT) && lookup_unix_group_name(name, &sid)) { domain = talloc_strdup(tmp_ctx, unix_groups_domain_name()); type = SID_NAME_DOM_GRP; goto ok; } /* * Ok, all possibilities tried. Fail. */ TALLOC_FREE(tmp_ctx); return false; ok: if ((domain == NULL) || (name == NULL)) { DEBUG(0, ("talloc failed\n")); TALLOC_FREE(tmp_ctx); return false; } /* * Hand over the results to the talloc context we've been given. */ if ((ret_name != NULL) && !(*ret_name = talloc_strdup(mem_ctx, name))) { DEBUG(0, ("talloc failed\n")); TALLOC_FREE(tmp_ctx); return false; } if (ret_domain != NULL) { char *tmp_dom; if (!(tmp_dom = talloc_strdup(mem_ctx, domain))) { DEBUG(0, ("talloc failed\n")); TALLOC_FREE(tmp_ctx); return false; } strupper_m(tmp_dom); *ret_domain = tmp_dom; } if (ret_sid != NULL) { sid_copy(ret_sid, &sid); } if (ret_type != NULL) { *ret_type = type; } TALLOC_FREE(tmp_ctx); return true; }
WERROR spoolss_create_default_secdesc(TALLOC_CTX *mem_ctx, struct spoolss_security_descriptor **secdesc) { struct security_ace ace[7]; /* max number of ace entries */ int i = 0; uint32_t sa; struct security_acl *psa = NULL; struct security_descriptor *psd = NULL; struct dom_sid adm_sid; size_t sd_size; /* Create an ACE where Everyone is allowed to print */ sa = PRINTER_ACE_PRINT; init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, sa, SEC_ACE_FLAG_CONTAINER_INHERIT); /* Add the domain admins group if we are a DC */ if ( IS_DC ) { struct dom_sid domadmins_sid; sid_compose(&domadmins_sid, get_global_sam_sid(), DOMAIN_RID_ADMINS); sa = PRINTER_ACE_FULL_CONTROL; init_sec_ace(&ace[i++], &domadmins_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, sa, SEC_ACE_FLAG_OBJECT_INHERIT | SEC_ACE_FLAG_INHERIT_ONLY); init_sec_ace(&ace[i++], &domadmins_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, sa, SEC_ACE_FLAG_CONTAINER_INHERIT); } else if (secrets_fetch_domain_sid(lp_workgroup(), &adm_sid)) { sid_append_rid(&adm_sid, DOMAIN_RID_ADMINISTRATOR); sa = PRINTER_ACE_FULL_CONTROL; init_sec_ace(&ace[i++], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, sa, SEC_ACE_FLAG_OBJECT_INHERIT | SEC_ACE_FLAG_INHERIT_ONLY); init_sec_ace(&ace[i++], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, sa, SEC_ACE_FLAG_CONTAINER_INHERIT); } /* add BUILTIN\Administrators as FULL CONTROL */ sa = PRINTER_ACE_FULL_CONTROL; init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators, SEC_ACE_TYPE_ACCESS_ALLOWED, sa, SEC_ACE_FLAG_OBJECT_INHERIT | SEC_ACE_FLAG_INHERIT_ONLY); init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators, SEC_ACE_TYPE_ACCESS_ALLOWED, sa, SEC_ACE_FLAG_CONTAINER_INHERIT); /* add BUILTIN\Print Operators as FULL CONTROL */ sa = PRINTER_ACE_FULL_CONTROL; init_sec_ace(&ace[i++], &global_sid_Builtin_Print_Operators, SEC_ACE_TYPE_ACCESS_ALLOWED, sa, SEC_ACE_FLAG_OBJECT_INHERIT | SEC_ACE_FLAG_INHERIT_ONLY); init_sec_ace(&ace[i++], &global_sid_Builtin_Print_Operators, SEC_ACE_TYPE_ACCESS_ALLOWED, sa, SEC_ACE_FLAG_CONTAINER_INHERIT); /* Make the security descriptor owned by the BUILTIN\Administrators */ /* The ACL revision number in rpc_secdesc.h differs from the one created by NT when setting ACE entries in printer descriptors. NT4 complains about the property being edited by a NT5 machine. */ if ((psa = make_sec_acl(mem_ctx, NT4_ACL_REVISION, i, ace)) != NULL) { psd = make_sec_desc(mem_ctx, SD_REVISION, SEC_DESC_SELF_RELATIVE, &global_sid_Builtin_Administrators, &global_sid_Builtin_Administrators, NULL, psa, &sd_size); } if (psd == NULL) { DEBUG(0,("construct_default_printer_sd: Failed to make SEC_DESC.\n")); return WERR_NOMEM; } DEBUG(4,("construct_default_printer_sdb: size = %u.\n", (unsigned int)sd_size)); *secdesc = psd; return WERR_OK; }