/* Lookup groups a user is a member of. */
static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
const struct dom_sid *sid,
uint32 *p_num_groups, struct dom_sid **user_sids)
{
ADS_STRUCT *ads = NULL;
const char *attrs[] = {"tokenGroups", "primaryGroupID", NULL};
ADS_STATUS rc;
int count;
LDAPMessage *msg = NULL;
char *user_dn = NULL;
struct dom_sid *sids;
int i;
struct dom_sid primary_group;
uint32 primary_group_rid;
NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
uint32_t num_groups = 0;
DEBUG(3,("ads: lookup_usergroups\n"));
*p_num_groups = 0;
status = lookup_usergroups_cached(domain, mem_ctx, sid,
p_num_groups, user_sids);
if (NT_STATUS_IS_OK(status)) {
return NT_STATUS_OK;
}
if ( !winbindd_can_contact_domain( domain ) ) {
DEBUG(10,("lookup_usergroups: No incoming trust for domain %s\n",
domain->name));
/* Tell the cache manager not to remember this one */
return NT_STATUS_SYNCHRONIZATION_REQUIRED;
}
ads = ads_cached_connection(domain);
if (!ads) {
domain->last_status = NT_STATUS_SERVER_DISABLED;
status = NT_STATUS_SERVER_DISABLED;
goto done;
}
rc = ads_search_retry_sid(ads, &msg, sid, attrs);
if (!ADS_ERR_OK(rc)) {
status = ads_ntstatus(rc);
DEBUG(1, ("lookup_usergroups(sid=%s) ads_search tokenGroups: "
"%s\n", sid_string_dbg(sid), ads_errstr(rc)));
goto done;
}
count = ads_count_replies(ads, msg);
if (count != 1) {
status = NT_STATUS_UNSUCCESSFUL;
DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: "
"invalid number of results (count=%d)\n",
sid_string_dbg(sid), count));
goto done;
}
if (!msg) {
DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n",
sid_string_dbg(sid)));
status = NT_STATUS_UNSUCCESSFUL;
goto done;
}
user_dn = ads_get_dn(ads, mem_ctx, msg);
if (user_dn == NULL) {
status = NT_STATUS_NO_MEMORY;
goto done;
}
if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group_rid)) {
DEBUG(1,("%s: No primary group for sid=%s !?\n",
domain->name, sid_string_dbg(sid)));
goto done;
}
sid_compose(&primary_group, &domain->sid, primary_group_rid);
count = ads_pull_sids(ads, mem_ctx, msg, "tokenGroups", &sids);
/* there must always be at least one group in the token,
unless we are talking to a buggy Win2k server */
/* actually this only happens when the machine account has no read
* permissions on the tokenGroup attribute - gd */
if (count == 0) {
/* no tokenGroups */
/* lookup what groups this user is a member of by DN search on
* "memberOf" */
status = lookup_usergroups_memberof(domain, mem_ctx, user_dn,
&primary_group,
&num_groups, user_sids);
*p_num_groups = num_groups;
if (NT_STATUS_IS_OK(status)) {
goto done;
}
/* lookup what groups this user is a member of by DN search on
* "member" */
status = lookup_usergroups_member(domain, mem_ctx, user_dn,
&primary_group,
&num_groups, user_sids);
*p_num_groups = num_groups;
goto done;
}
*user_sids = NULL;
num_groups = 0;
status = add_sid_to_array(mem_ctx, &primary_group, user_sids,
&num_groups);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
for (i=0;i<count;i++) {
/* ignore Builtin groups from ADS - Guenther */
if (sid_check_is_in_builtin(&sids[i])) {
continue;
}
status = add_sid_to_array_unique(mem_ctx, &sids[i],
user_sids, &num_groups);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
}
*p_num_groups = (uint32)num_groups;
status = (*user_sids != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
DEBUG(3,("ads lookup_usergroups (tokenGroups) succeeded for sid=%s\n",
sid_string_dbg(sid)));
done:
TALLOC_FREE(user_dn);
ads_msgfree(ads, msg);
return status;
}
/* Query display info for a realm. This is the basic user list fn */
static NTSTATUS query_user_list(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
uint32 *num_entries,
struct wbint_userinfo **pinfo)
{
ADS_STRUCT *ads = NULL;
const char *attrs[] = { "*", NULL };
int i, count;
ADS_STATUS rc;
LDAPMessage *res = NULL;
LDAPMessage *msg = NULL;
NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
*num_entries = 0;
DEBUG(3,("ads: query_user_list\n"));
if ( !winbindd_can_contact_domain( domain ) ) {
DEBUG(10,("query_user_list: No incoming trust for domain %s\n",
domain->name));
return NT_STATUS_OK;
}
ads = ads_cached_connection(domain);
if (!ads) {
domain->last_status = NT_STATUS_SERVER_DISABLED;
goto done;
}
rc = ads_search_retry(ads, &res, "(objectCategory=user)", attrs);
if (!ADS_ERR_OK(rc) || !res) {
DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
goto done;
}
count = ads_count_replies(ads, res);
if (count == 0) {
DEBUG(1,("query_user_list: No users found\n"));
goto done;
}
(*pinfo) = talloc_zero_array(mem_ctx, struct wbint_userinfo, count);
if (!*pinfo) {
status = NT_STATUS_NO_MEMORY;
goto done;
}
count = 0;
for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
struct wbint_userinfo *info = &((*pinfo)[count]);
uint32 group;
uint32 atype;
if (!ads_pull_uint32(ads, msg, "sAMAccountType", &atype) ||
ds_atype_map(atype) != SID_NAME_USER) {
DEBUG(1,("Not a user account? atype=0x%x\n", atype));
continue;
}
info->acct_name = ads_pull_username(ads, mem_ctx, msg);
info->full_name = ads_pull_string(ads, mem_ctx, msg, "name");
info->homedir = NULL;
info->shell = NULL;
info->primary_gid = (gid_t)-1;
if (!ads_pull_sid(ads, msg, "objectSid",
&info->user_sid)) {
DEBUG(1, ("No sid for %s !?\n", info->acct_name));
continue;
}
if (!ads_pull_uint32(ads, msg, "primaryGroupID", &group)) {
DEBUG(1, ("No primary group for %s !?\n",
info->acct_name));
continue;
}
sid_compose(&info->group_sid, &domain->sid, group);
count += 1;
}
(*num_entries) = count;
ads_msgfree(ads, res);
for (i=0; i<count; i++) {
struct wbint_userinfo *info = &((*pinfo)[i]);
const char *gecos = NULL;
gid_t primary_gid = (gid_t)-1;
status = nss_get_info_cached(domain, &info->user_sid, mem_ctx,
&info->homedir, &info->shell,
&gecos, &primary_gid);
if (!NT_STATUS_IS_OK(status)) {
/*
* Deliberately ignore this error, there might be more
* users to fill
*/
continue;
}
if (gecos != NULL) {
info->full_name = gecos;
}
info->primary_gid = primary_gid;
}
status = NT_STATUS_OK;
DEBUG(3,("ads query_user_list gave %d entries\n", (*num_entries)));
done:
return status;
}
/* Lookup user information from a rid */
static NTSTATUS query_user(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
const struct dom_sid *sid,
struct wbint_userinfo *info)
{
ADS_STRUCT *ads = NULL;
const char *attrs[] = { "*", NULL };
ADS_STATUS rc;
int count;
LDAPMessage *msg = NULL;
char *ldap_exp;
char *sidstr;
uint32 group_rid;
NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
struct netr_SamInfo3 *user = NULL;
gid_t gid = -1;
int ret;
char *ads_name;
DEBUG(3,("ads: query_user\n"));
info->homedir = NULL;
info->shell = NULL;
/* try netsamlogon cache first */
if (winbindd_use_cache() && (user = netsamlogon_cache_get( mem_ctx, sid )) != NULL )
{
DEBUG(5,("query_user: Cache lookup succeeded for %s\n",
sid_string_dbg(sid)));
sid_compose(&info->user_sid, &domain->sid, user->base.rid);
sid_compose(&info->group_sid, &domain->sid, user->base.primary_gid);
info->acct_name = talloc_strdup(mem_ctx, user->base.account_name.string);
info->full_name = talloc_strdup(mem_ctx, user->base.full_name.string);
nss_get_info_cached( domain, sid, mem_ctx,
&info->homedir, &info->shell, &info->full_name,
&gid );
info->primary_gid = gid;
TALLOC_FREE(user);
return NT_STATUS_OK;
}
if ( !winbindd_can_contact_domain(domain)) {
DEBUG(8,("query_user: No incoming trust from domain %s\n",
domain->name));
/* We still need to generate some basic information
about the user even if we cannot contact the
domain. Most of this stuff we can deduce. */
sid_copy( &info->user_sid, sid );
/* Assume "Domain Users" for the primary group */
sid_compose(&info->group_sid, &domain->sid, DOMAIN_RID_USERS );
/* Try to fill in what the nss_info backend can do */
nss_get_info_cached( domain, sid, mem_ctx,
&info->homedir, &info->shell, &info->full_name,
&gid);
info->primary_gid = gid;
return NT_STATUS_OK;
}
/* no cache...do the query */
if ( (ads = ads_cached_connection(domain)) == NULL ) {
domain->last_status = NT_STATUS_SERVER_DISABLED;
return NT_STATUS_SERVER_DISABLED;
}
sidstr = ldap_encode_ndr_dom_sid(talloc_tos(), sid);
ret = asprintf(&ldap_exp, "(objectSid=%s)", sidstr);
TALLOC_FREE(sidstr);
if (ret == -1) {
return NT_STATUS_NO_MEMORY;
}
rc = ads_search_retry(ads, &msg, ldap_exp, attrs);
SAFE_FREE(ldap_exp);
if (!ADS_ERR_OK(rc) || !msg) {
DEBUG(1,("query_user(sid=%s) ads_search: %s\n",
sid_string_dbg(sid), ads_errstr(rc)));
return ads_ntstatus(rc);
}
count = ads_count_replies(ads, msg);
if (count != 1) {
DEBUG(1,("query_user(sid=%s): Not found\n",
sid_string_dbg(sid)));
ads_msgfree(ads, msg);
return NT_STATUS_NO_SUCH_USER;
}
info->acct_name = ads_pull_username(ads, mem_ctx, msg);
if (!ads_pull_uint32(ads, msg, "primaryGroupID", &group_rid)) {
DEBUG(1,("No primary group for %s !?\n",
sid_string_dbg(sid)));
ads_msgfree(ads, msg);
return NT_STATUS_NO_SUCH_USER;
}
sid_copy(&info->user_sid, sid);
sid_compose(&info->group_sid, &domain->sid, group_rid);
/*
* We have to fetch the "name" attribute before doing the
* nss_get_info_cached call. nss_get_info_cached might destroy
* the ads struct, potentially invalidating the ldap message.
*/
ads_name = ads_pull_string(ads, mem_ctx, msg, "name");
ads_msgfree(ads, msg);
msg = NULL;
status = nss_get_info_cached( domain, sid, mem_ctx,
&info->homedir, &info->shell, &info->full_name,
&gid);
info->primary_gid = gid;
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("nss_get_info_cached failed: %s\n",
nt_errstr(status)));
return status;
}
if (info->full_name == NULL) {
info->full_name = ads_name;
} else {
TALLOC_FREE(ads_name);
}
status = NT_STATUS_OK;
DEBUG(3,("ads query_user gave %s\n", info->acct_name));
return NT_STATUS_OK;
}
/*****************************************************************************
For idmap conversion: convert one record to new format
Ancient versions (eg 2.2.3a) of winbindd_idmap.tdb mapped DOMAINNAME/rid
instead of the SID.
*****************************************************************************/
static int convert_fn(struct db_record *rec, void *private_data)
{
struct winbindd_domain *domain;
char *p;
NTSTATUS status;
struct dom_sid sid;
uint32 rid;
fstring keystr;
fstring dom_name;
TDB_DATA key;
TDB_DATA key2;
TDB_DATA value;
struct convert_fn_state *s = (struct convert_fn_state *)private_data;
key = dbwrap_record_get_key(rec);
DEBUG(10,("Converting %s\n", (const char *)key.dptr));
p = strchr((const char *)key.dptr, '/');
if (!p)
return 0;
*p = 0;
fstrcpy(dom_name, (const char *)key.dptr);
*p++ = '/';
domain = find_domain_from_name(dom_name);
if (domain == NULL) {
/* We must delete the old record. */
DEBUG(0,("Unable to find domain %s\n", dom_name ));
DEBUG(0,("deleting record %s\n", (const char *)key.dptr ));
status = dbwrap_record_delete(rec);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Unable to delete record %s:%s\n",
(const char *)key.dptr,
nt_errstr(status)));
s->failed = true;
return -1;
}
return 0;
}
rid = atoi(p);
sid_compose(&sid, &domain->sid, rid);
sid_to_fstring(keystr, &sid);
key2 = string_term_tdb_data(keystr);
value = dbwrap_record_get_value(rec);
status = dbwrap_store(s->db, key2, value, TDB_INSERT);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0,("Unable to add record %s:%s\n",
(const char *)key2.dptr,
nt_errstr(status)));
s->failed = true;
return -1;
}
status = dbwrap_store(s->db, value, key2, TDB_REPLACE);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0,("Unable to update record %s:%s\n",
(const char *)value.dptr,
nt_errstr(status)));
s->failed = true;
return -1;
}
status = dbwrap_record_delete(rec);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0,("Unable to delete record %s:%s\n",
(const char *)key.dptr,
nt_errstr(status)));
s->failed = true;
return -1;
}
return 0;
}
NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx,
const struct netr_SamInfo3 *info3,
struct dom_sid **user_sids,
uint32_t *num_user_sids,
bool include_user_group_rid)
{
NTSTATUS status;
struct dom_sid sid;
struct dom_sid *sid_array = NULL;
uint32_t num_sids = 0;
int i;
if (include_user_group_rid) {
if (!sid_compose(&sid, info3->base.domain_sid, info3->base.rid)) {
DEBUG(3, ("could not compose user SID from rid 0x%x\n",
info3->base.rid));
return NT_STATUS_INVALID_PARAMETER;
}
status = add_sid_to_array(mem_ctx, &sid, &sid_array, &num_sids);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(3, ("could not append user SID from rid 0x%x\n",
info3->base.rid));
return status;
}
}
if (!sid_compose(&sid, info3->base.domain_sid, info3->base.primary_gid)) {
DEBUG(3, ("could not compose group SID from rid 0x%x\n",
info3->base.primary_gid));
return NT_STATUS_INVALID_PARAMETER;
}
status = add_sid_to_array(mem_ctx, &sid, &sid_array, &num_sids);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(3, ("could not append group SID from rid 0x%x\n",
info3->base.rid));
return status;
}
for (i = 0; i < info3->base.groups.count; i++) {
/* Don't add the primary group sid twice. */
if (info3->base.primary_gid == info3->base.groups.rids[i].rid) {
continue;
}
if (!sid_compose(&sid, info3->base.domain_sid,
info3->base.groups.rids[i].rid)) {
DEBUG(3, ("could not compose SID from additional group "
"rid 0x%x\n", info3->base.groups.rids[i].rid));
return NT_STATUS_INVALID_PARAMETER;
}
status = add_sid_to_array(mem_ctx, &sid, &sid_array, &num_sids);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(3, ("could not append SID from additional group "
"rid 0x%x\n", info3->base.groups.rids[i].rid));
return status;
}
}
/* Copy 'other' sids. We need to do sid filtering here to
prevent possible elevation of privileges. See:
http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp
*/
for (i = 0; i < info3->sidcount; i++) {
status = add_sid_to_array(mem_ctx, info3->sids[i].sid,
&sid_array, &num_sids);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(3, ("could not add SID to array: %s\n",
sid_string_dbg(info3->sids[i].sid)));
return status;
}
}
*user_sids = sid_array;
*num_user_sids = num_sids;
return NT_STATUS_OK;
}
bool gid_to_unix_groups_sid(gid_t gid, DOM_SID *sid)
{
return sid_compose(sid, &global_sid_Unix_Groups, gid);
}
/* Lookup group membership given a rid. */
static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
const DOM_SID *group_sid, uint32 *num_names,
DOM_SID **sid_mem, char ***names,
uint32 **name_types)
{
size_t i, num_members, num_mapped;
uint32 *rids;
NTSTATUS result;
const DOM_SID **sids;
struct lsa_dom_info *lsa_domains;
struct lsa_name_info *lsa_names;
TALLOC_CTX *tmp_ctx;
if (!sid_check_is_in_our_domain(group_sid)) {
/* There's no groups, only aliases in BUILTIN */
return NT_STATUS_NO_SUCH_GROUP;
}
if (!(tmp_ctx = talloc_init("lookup_groupmem"))) {
return NT_STATUS_NO_MEMORY;
}
result = pdb_enum_group_members(tmp_ctx, group_sid, &rids,
&num_members);
if (!NT_STATUS_IS_OK(result)) {
TALLOC_FREE(tmp_ctx);
return result;
}
if (num_members == 0) {
*num_names = 0;
*sid_mem = NULL;
*names = NULL;
*name_types = NULL;
TALLOC_FREE(tmp_ctx);
return NT_STATUS_OK;
}
*sid_mem = TALLOC_ARRAY(mem_ctx, DOM_SID, num_members);
*names = TALLOC_ARRAY(mem_ctx, char *, num_members);
*name_types = TALLOC_ARRAY(mem_ctx, uint32, num_members);
sids = TALLOC_ARRAY(tmp_ctx, const DOM_SID *, num_members);
if (((*sid_mem) == NULL) || ((*names) == NULL) ||
((*name_types) == NULL) || (sids == NULL)) {
TALLOC_FREE(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
/*
* Prepare an array of sid pointers for the lookup_sids calling
* convention.
*/
for (i=0; i<num_members; i++) {
DOM_SID *sid = &((*sid_mem)[i]);
if (!sid_compose(sid, &domain->sid, rids[i])) {
TALLOC_FREE(tmp_ctx);
return NT_STATUS_INTERNAL_ERROR;
}
sids[i] = sid;
}
result = lookup_sids(tmp_ctx, num_members, sids, 1,
&lsa_domains, &lsa_names);
if (!NT_STATUS_IS_OK(result)) {
TALLOC_FREE(tmp_ctx);
return result;
}
num_mapped = 0;
for (i=0; i<num_members; i++) {
if (lsa_names[i].type != SID_NAME_USER) {
DEBUG(2, ("Got %s as group member -- ignoring\n",
sid_type_lookup(lsa_names[i].type)));
continue;
}
if (!((*names)[i] = talloc_strdup((*names),
lsa_names[i].name))) {
TALLOC_FREE(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
(*name_types)[i] = lsa_names[i].type;
num_mapped += 1;
}
*num_names = num_mapped;
TALLOC_FREE(tmp_ctx);
return NT_STATUS_OK;
}
const DOM_SID *pdb_get_group_sid(struct samu *sampass)
{
DOM_SID *gsid;
struct passwd *pwd;
/* Return the cached group SID if we have that */
if ( sampass->group_sid ) {
return sampass->group_sid;
}
/* generate the group SID from the user's primary Unix group */
if ( !(gsid = TALLOC_P( sampass, DOM_SID )) ) {
return NULL;
}
/* No algorithmic mapping, meaning that we have to figure out the
primary group SID according to group mapping and the user SID must
be a newly allocated one. We rely on the user's Unix primary gid.
We have no choice but to fail if we can't find it. */
if ( sampass->unix_pw ) {
pwd = sampass->unix_pw;
} else {
pwd = Get_Pwnam_alloc( sampass, pdb_get_username(sampass) );
}
if ( !pwd ) {
DEBUG(0,("pdb_get_group_sid: Failed to find Unix account for %s\n", pdb_get_username(sampass) ));
return NULL;
}
if ( pdb_gid_to_sid(pwd->pw_gid, gsid) ) {
enum lsa_SidType type = SID_NAME_UNKNOWN;
TALLOC_CTX *mem_ctx = talloc_init("pdb_get_group_sid");
bool lookup_ret;
if (!mem_ctx) {
return NULL;
}
/* Now check that it's actually a domain group and not something else */
lookup_ret = lookup_sid(mem_ctx, gsid, NULL, NULL, &type);
TALLOC_FREE( mem_ctx );
if ( lookup_ret && (type == SID_NAME_DOM_GRP) ) {
sampass->group_sid = gsid;
return sampass->group_sid;
}
DEBUG(3, ("Primary group for user %s is a %s and not a domain group\n",
pwd->pw_name, sid_type_lookup(type)));
}
/* Just set it to the 'Domain Users' RID of 512 which will
always resolve to a name */
sid_compose(gsid, get_global_sam_sid(), DOMAIN_GROUP_RID_USERS);
sampass->group_sid = gsid;
return sampass->group_sid;
}
static int net_groupmap_add(struct net_context *c, int argc, const char **argv)
{
DOM_SID sid;
fstring ntgroup = "";
fstring unixgrp = "";
fstring string_sid = "";
fstring type = "";
fstring ntcomment = "";
enum lsa_SidType sid_type = SID_NAME_DOM_GRP;
uint32 rid = 0;
gid_t gid;
int i;
GROUP_MAP map;
const char *name_type;
const char add_usage_str[] = N_("net groupmap add "
"{rid=<int>|sid=<string>}"
" unixgroup=<string> "
"[type=<domain|local|builtin>] "
"[ntgroup=<string>] "
"[comment=<string>]");
ZERO_STRUCT(map);
/* Default is domain group. */
map.sid_name_use = SID_NAME_DOM_GRP;
name_type = "domain group";
if (c->display_usage) {
d_printf("%s\n%s\n", _("Usage:\n"), add_usage_str);
return 0;
}
/* get the options */
for ( i=0; i<argc; i++ ) {
if ( !StrnCaseCmp(argv[i], "rid", strlen("rid")) ) {
rid = get_int_param(argv[i]);
if ( rid < DOMAIN_GROUP_RID_ADMINS ) {
d_fprintf(stderr,
_("RID must be greater than %d\n"),
(uint32)DOMAIN_GROUP_RID_ADMINS-1);
return -1;
}
}
else if ( !StrnCaseCmp(argv[i], "unixgroup", strlen("unixgroup")) ) {
fstrcpy( unixgrp, get_string_param( argv[i] ) );
if ( !unixgrp[0] ) {
d_fprintf(stderr,_( "must supply a name\n"));
return -1;
}
}
else if ( !StrnCaseCmp(argv[i], "ntgroup", strlen("ntgroup")) ) {
fstrcpy( ntgroup, get_string_param( argv[i] ) );
if ( !ntgroup[0] ) {
d_fprintf(stderr, _("must supply a name\n"));
return -1;
}
}
else if ( !StrnCaseCmp(argv[i], "sid", strlen("sid")) ) {
fstrcpy( string_sid, get_string_param( argv[i] ) );
if ( !string_sid[0] ) {
d_fprintf(stderr, _("must supply a SID\n"));
return -1;
}
}
else if ( !StrnCaseCmp(argv[i], "comment", strlen("comment")) ) {
fstrcpy( ntcomment, get_string_param( argv[i] ) );
if ( !ntcomment[0] ) {
d_fprintf(stderr,
_("must supply a comment string\n"));
return -1;
}
}
else if ( !StrnCaseCmp(argv[i], "type", strlen("type")) ) {
fstrcpy( type, get_string_param( argv[i] ) );
switch ( type[0] ) {
case 'b':
case 'B':
sid_type = SID_NAME_WKN_GRP;
name_type = "wellknown group";
break;
case 'd':
case 'D':
sid_type = SID_NAME_DOM_GRP;
name_type = "domain group";
break;
case 'l':
case 'L':
sid_type = SID_NAME_ALIAS;
name_type = "alias (local) group";
break;
default:
d_fprintf(stderr,
_("unknown group type %s\n"),
type);
return -1;
}
}
else {
d_fprintf(stderr, _("Bad option: %s\n"), argv[i]);
return -1;
}
}
if ( !unixgrp[0] ) {
d_printf("%s\n%s\n", _("Usage:\n"), add_usage_str);
return -1;
}
if ( (gid = nametogid(unixgrp)) == (gid_t)-1 ) {
d_fprintf(stderr, _("Can't lookup UNIX group %s\n"), unixgrp);
return -1;
}
{
if (pdb_getgrgid(&map, gid)) {
d_printf(_("Unix group %s already mapped to SID %s\n"),
unixgrp, sid_string_tos(&map.sid));
return -1;
}
}
if ( (rid == 0) && (string_sid[0] == '\0') ) {
d_printf(_("No rid or sid specified, choosing a RID\n"));
if (pdb_capabilities() & PDB_CAP_STORE_RIDS) {
if (!pdb_new_rid(&rid)) {
d_printf(_("Could not get new RID\n"));
}
} else {
rid = algorithmic_pdb_gid_to_group_rid(gid);
}
d_printf(_("Got RID %d\n"), rid);
}
/* append the rid to our own domain/machine SID if we don't have a full SID */
if ( !string_sid[0] ) {
sid_compose(&sid, get_global_sam_sid(), rid);
sid_to_fstring(string_sid, &sid);
}
if (!ntcomment[0]) {
switch (sid_type) {
case SID_NAME_WKN_GRP:
fstrcpy(ntcomment, "Wellknown Unix group");
break;
case SID_NAME_DOM_GRP:
fstrcpy(ntcomment, "Domain Unix group");
break;
case SID_NAME_ALIAS:
fstrcpy(ntcomment, "Local Unix group");
break;
default:
fstrcpy(ntcomment, "Unix group");
break;
}
}
if (!ntgroup[0] )
fstrcpy( ntgroup, unixgrp );
if (!NT_STATUS_IS_OK(add_initial_entry(gid, string_sid, sid_type, ntgroup, ntcomment))) {
d_fprintf(stderr, _("adding entry for group %s failed!\n"), ntgroup);
return -1;
}
d_printf(_("Successfully added group %s to the mapping db as a %s\n"),
ntgroup, name_type);
return 0;
}
static NTSTATUS merge_resource_sids(const struct PAC_LOGON_INFO *logon_info,
struct netr_SamInfo3 *info3)
{
uint32_t i = 0;
const struct PAC_DOMAIN_GROUP_MEMBERSHIP *rg = NULL;
if (logon_info->info3.base.user_flags & NETLOGON_RESOURCE_GROUPS) {
rg = &logon_info->resource_groups;
}
if (rg == NULL) {
return NT_STATUS_OK;
}
if (rg->domain_sid == NULL) {
DEBUG(10, ("Missing Resource Group Domain SID\n"));
return NT_STATUS_INVALID_PARAMETER;
}
/* The IDL layer would be a better place to check this, but to
* guard the integer addition below, we double-check */
if (rg->groups.count > 65535) {
DEBUG(10, ("Too much Resource Group RIDs %u\n",
(unsigned)rg->groups.count));
return NT_STATUS_INVALID_PARAMETER;
}
/*
* If there are any resource groups (SID Compression) add
* them to the extra sids portion of the info3 in the PAC.
*
* This makes the info3 look like it would if we got the info
* from the DC rather than the PAC.
*/
/*
* Construct a SID for each RID in the list and then append it
* to the info3.
*/
for (i = 0; i < rg->groups.count; i++) {
NTSTATUS status;
struct dom_sid new_sid;
uint32_t attributes = rg->groups.rids[i].attributes;
sid_compose(&new_sid,
rg->domain_sid,
rg->groups.rids[i].rid);
DEBUG(10, ("Adding SID %s to extra SIDS\n",
sid_string_dbg(&new_sid)));
status = append_netr_SidAttr(info3, &info3->sids,
&info3->sidcount,
&new_sid,
attributes);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("failed to append SID %s to extra SIDS: %s\n",
sid_string_dbg(&new_sid),
nt_errstr(status)));
return status;
}
}
return NT_STATUS_OK;
}
NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
const char *unix_username,
const struct passwd *pwd,
struct netr_SamInfo3 **pinfo3,
struct extra_auth_info *extra)
{
struct netr_SamInfo3 *info3;
NTSTATUS status;
TALLOC_CTX *tmp_ctx;
const char *domain_name = NULL;
const char *user_name = NULL;
struct dom_sid domain_sid;
struct dom_sid user_sid;
struct dom_sid group_sid;
enum lsa_SidType type;
uint32_t num_sids = 0;
struct dom_sid *user_sids = NULL;
bool is_null;
bool ok;
tmp_ctx = talloc_stackframe();
ok = lookup_name_smbconf(tmp_ctx,
unix_username,
LOOKUP_NAME_ALL,
&domain_name,
&user_name,
&user_sid,
&type);
if (!ok) {
status = NT_STATUS_NO_SUCH_USER;
goto done;
}
if (type != SID_NAME_USER) {
status = NT_STATUS_NO_SUCH_USER;
goto done;
}
ok = winbind_lookup_usersids(tmp_ctx,
&user_sid,
&num_sids,
&user_sids);
/* Check if winbind is running */
if (ok) {
/*
* Winbind is running and the first element of the user_sids
* is the primary group.
*/
if (num_sids > 0) {
group_sid = user_sids[0];
}
} else {
/*
* Winbind is not running, try to create the group_sid from the
* passwd group id.
*/
/*
* This can lead to a primary group of S-1-22-2-XX which
* will be rejected by other Samba code.
*/
gid_to_sid(&group_sid, pwd->pw_gid);
}
/*
* If we are a unix group, or a wellknown/builtin alias,
* set the group_sid to the
* 'Domain Users' RID of 513 which will always resolve to a
* name.
*/
if (sid_check_is_in_unix_groups(&group_sid) ||
sid_check_is_in_builtin(&group_sid) ||
sid_check_is_in_wellknown_domain(&group_sid)) {
if (sid_check_is_in_unix_users(&user_sid)) {
sid_compose(&group_sid,
get_global_sam_sid(),
DOMAIN_RID_USERS);
} else {
sid_copy(&domain_sid, &user_sid);
sid_split_rid(&domain_sid, NULL);
sid_compose(&group_sid,
&domain_sid,
DOMAIN_RID_USERS);
}
}
/* Make sure we have a valid group sid */
is_null = is_null_sid(&group_sid);
if (is_null) {
status = NT_STATUS_NO_SUCH_USER;
goto done;
}
/* Construct a netr_SamInfo3 from the information we have */
info3 = talloc_zero(tmp_ctx, struct netr_SamInfo3);
if (!info3) {
status = NT_STATUS_NO_MEMORY;
goto done;
}
info3->base.account_name.string = talloc_strdup(info3, unix_username);
if (info3->base.account_name.string == NULL) {
status = NT_STATUS_NO_MEMORY;
goto done;
}
ZERO_STRUCT(domain_sid);
status = SamInfo3_handle_sids(unix_username,
&user_sid,
&group_sid,
info3,
&domain_sid,
extra);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
info3->base.domain_sid = dom_sid_dup(info3, &domain_sid);
if (info3->base.domain_sid == NULL) {
status = NT_STATUS_NO_MEMORY;
goto done;
}
ok = sid_peek_check_rid(&domain_sid, &group_sid,
&info3->base.primary_gid);
if (!ok) {
DEBUG(1, ("The primary group domain sid(%s) does not "
"match the domain sid(%s) for %s(%s)\n",
sid_string_dbg(&group_sid),
sid_string_dbg(&domain_sid),
unix_username,
sid_string_dbg(&user_sid)));
status = NT_STATUS_INVALID_SID;
goto done;
}
info3->base.acct_flags = ACB_NORMAL;
if (num_sids) {
status = group_sids_to_info3(info3, user_sids, num_sids);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
}
*pinfo3 = talloc_steal(mem_ctx, info3);
status = NT_STATUS_OK;
done:
talloc_free(tmp_ctx);
return status;
}
/* Query display info for a domain */
NTSTATUS rpc_query_user_list(TALLOC_CTX *mem_ctx,
struct rpc_pipe_client *samr_pipe,
struct policy_handle *samr_policy,
const struct dom_sid *domain_sid,
uint32_t *pnum_info,
struct wbint_userinfo **pinfo)
{
struct wbint_userinfo *info = NULL;
uint32_t num_info = 0;
uint32_t loop_count = 0;
uint32_t start_idx = 0;
uint32_t i = 0;
NTSTATUS status, result;
struct dcerpc_binding_handle *b = samr_pipe->binding_handle;
*pnum_info = 0;
do {
uint32_t j;
uint32_t num_dom_users;
uint32_t max_entries, max_size;
uint32_t total_size, returned_size;
union samr_DispInfo disp_info;
dcerpc_get_query_dispinfo_params(loop_count,
&max_entries,
&max_size);
status = dcerpc_samr_QueryDisplayInfo(b,
mem_ctx,
samr_policy,
1, /* level */
start_idx,
max_entries,
max_size,
&total_size,
&returned_size,
&disp_info,
&result);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
if (!NT_STATUS_IS_OK(result)) {
if (!NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES)) {
return result;
}
}
/* increment required start query values */
start_idx += disp_info.info1.count;
loop_count++;
num_dom_users = disp_info.info1.count;
num_info += num_dom_users;
info = talloc_realloc(mem_ctx,
info,
struct wbint_userinfo,
num_info);
if (info == NULL) {
return NT_STATUS_NO_MEMORY;
}
for (j = 0; j < num_dom_users; i++, j++) {
uint32_t rid = disp_info.info1.entries[j].rid;
struct samr_DispEntryGeneral *src;
struct wbint_userinfo *dst;
src = &(disp_info.info1.entries[j]);
dst = &(info[i]);
dst->acct_name = talloc_strdup(info,
src->account_name.string);
if (dst->acct_name == NULL) {
return NT_STATUS_NO_MEMORY;
}
dst->full_name = talloc_strdup(info, src->full_name.string);
if ((src->full_name.string != NULL) &&
(dst->full_name == NULL))
{
return NT_STATUS_NO_MEMORY;
}
dst->homedir = NULL;
dst->shell = NULL;
dst->primary_gid = (gid_t)-1;
sid_compose(&dst->user_sid, domain_sid, rid);
/* For the moment we set the primary group for
every user to be the Domain Users group.
There are serious problems with determining
the actual primary group for large domains.
This should really be made into a 'winbind
force group' smb.conf parameter or
something like that. */
sid_compose(&dst->group_sid, domain_sid,
DOMAIN_RID_USERS);
}
} while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES));
*pnum_info = num_info;
*pinfo = info;
return NT_STATUS_OK;
}
/* Lookup user information from a rid */
static NTSTATUS query_user(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
const DOM_SID *sid,
struct wbint_userinfo *info)
{
ADS_STRUCT *ads = NULL;
const char *attrs[] = { "*", NULL };
ADS_STATUS rc;
int count;
LDAPMessage *msg = NULL;
char *ldap_exp;
char *sidstr;
uint32 group_rid;
NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
struct netr_SamInfo3 *user = NULL;
gid_t gid;
DEBUG(3,("ads: query_user\n"));
info->homedir = NULL;
info->shell = NULL;
info->primary_gid = (gid_t)-1;
/* try netsamlogon cache first */
if ( (user = netsamlogon_cache_get( mem_ctx, sid )) != NULL )
{
DEBUG(5,("query_user: Cache lookup succeeded for %s\n",
sid_string_dbg(sid)));
sid_compose(&info->user_sid, &domain->sid, user->base.rid);
sid_compose(&info->group_sid, &domain->sid, user->base.primary_gid);
info->acct_name = talloc_strdup(mem_ctx, user->base.account_name.string);
info->full_name = talloc_strdup(mem_ctx, user->base.full_name.string);
nss_get_info_cached( domain, sid, mem_ctx, NULL, NULL,
&info->homedir, &info->shell, &info->full_name,
&gid );
info->primary_gid = gid;
TALLOC_FREE(user);
return NT_STATUS_OK;
}
if ( !winbindd_can_contact_domain(domain)) {
DEBUG(8,("query_user: No incoming trust from domain %s\n",
domain->name));
/* We still need to generate some basic information
about the user even if we cannot contact the
domain. Most of this stuff we can deduce. */
sid_copy( &info->user_sid, sid );
/* Assume "Domain Users" for the primary group */
sid_compose(&info->group_sid, &domain->sid, DOMAIN_GROUP_RID_USERS );
/* Try to fill in what the nss_info backend can do */
nss_get_info_cached( domain, sid, mem_ctx, NULL, NULL,
&info->homedir, &info->shell, &info->full_name,
&gid);
info->primary_gid = gid;
status = NT_STATUS_OK;
goto done;
}
/* no cache...do the query */
if ( (ads = ads_cached_connection(domain)) == NULL ) {
domain->last_status = NT_STATUS_SERVER_DISABLED;
goto done;
}
sidstr = sid_binstring(talloc_tos(), sid);
if (asprintf(&ldap_exp, "(objectSid=%s)", sidstr) == -1) {
status = NT_STATUS_NO_MEMORY;
goto done;
}
rc = ads_search_retry(ads, &msg, ldap_exp, attrs);
free(ldap_exp);
TALLOC_FREE(sidstr);
if (!ADS_ERR_OK(rc) || !msg) {
DEBUG(1,("query_user(sid=%s) ads_search: %s\n",
sid_string_dbg(sid), ads_errstr(rc)));
goto done;
}
count = ads_count_replies(ads, msg);
if (count != 1) {
DEBUG(1,("query_user(sid=%s): Not found\n",
sid_string_dbg(sid)));
goto done;
}
info->acct_name = ads_pull_username(ads, mem_ctx, msg);
nss_get_info_cached( domain, sid, mem_ctx, ads, msg,
&info->homedir, &info->shell, &info->full_name,
&gid);
info->primary_gid = gid;
if (info->full_name == NULL) {
info->full_name = ads_pull_string(ads, mem_ctx, msg, "name");
}
if (!ads_pull_uint32(ads, msg, "primaryGroupID", &group_rid)) {
DEBUG(1,("No primary group for %s !?\n",
sid_string_dbg(sid)));
goto done;
}
sid_copy(&info->user_sid, sid);
sid_compose(&info->group_sid, &domain->sid, group_rid);
status = NT_STATUS_OK;
DEBUG(3,("ads query_user gave %s\n", info->acct_name));
done:
if (msg)
ads_msgfree(ads, msg);
return status;
}
/* Query display info for a realm. This is the basic user list fn */
static NTSTATUS query_user_list(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
uint32 *num_entries,
struct wbint_userinfo **info)
{
ADS_STRUCT *ads = NULL;
const char *attrs[] = { "*", NULL };
int i, count;
ADS_STATUS rc;
LDAPMessage *res = NULL;
LDAPMessage *msg = NULL;
NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
*num_entries = 0;
DEBUG(3,("ads: query_user_list\n"));
if ( !winbindd_can_contact_domain( domain ) ) {
DEBUG(10,("query_user_list: No incoming trust for domain %s\n",
domain->name));
return NT_STATUS_OK;
}
ads = ads_cached_connection(domain);
if (!ads) {
domain->last_status = NT_STATUS_SERVER_DISABLED;
goto done;
}
rc = ads_search_retry(ads, &res, "(objectCategory=user)", attrs);
if (!ADS_ERR_OK(rc) || !res) {
DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
goto done;
}
count = ads_count_replies(ads, res);
if (count == 0) {
DEBUG(1,("query_user_list: No users found\n"));
goto done;
}
(*info) = TALLOC_ZERO_ARRAY(mem_ctx, struct wbint_userinfo, count);
if (!*info) {
status = NT_STATUS_NO_MEMORY;
goto done;
}
i = 0;
for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
const char *name;
const char *gecos = NULL;
const char *homedir = NULL;
const char *shell = NULL;
uint32 group;
uint32 atype;
DOM_SID user_sid;
gid_t primary_gid = (gid_t)-1;
if (!ads_pull_uint32(ads, msg, "sAMAccountType", &atype) ||
ds_atype_map(atype) != SID_NAME_USER) {
DEBUG(1,("Not a user account? atype=0x%x\n", atype));
continue;
}
name = ads_pull_username(ads, mem_ctx, msg);
if ( ads_pull_sid( ads, msg, "objectSid", &user_sid ) ) {
status = nss_get_info_cached( domain, &user_sid, mem_ctx,
ads, msg, &homedir, &shell, &gecos,
&primary_gid );
}
if (gecos == NULL) {
gecos = ads_pull_string(ads, mem_ctx, msg, "name");
}
if (!ads_pull_sid(ads, msg, "objectSid",
&(*info)[i].user_sid)) {
DEBUG(1,("No sid for %s !?\n", name));
continue;
}
if (!ads_pull_uint32(ads, msg, "primaryGroupID", &group)) {
DEBUG(1,("No primary group for %s !?\n", name));
continue;
}
(*info)[i].acct_name = name;
(*info)[i].full_name = gecos;
(*info)[i].homedir = homedir;
(*info)[i].shell = shell;
(*info)[i].primary_gid = primary_gid;
sid_compose(&(*info)[i].group_sid, &domain->sid, group);
i++;
}
(*num_entries) = i;
status = NT_STATUS_OK;
DEBUG(3,("ads query_user_list gave %d entries\n", (*num_entries)));
done:
if (res)
ads_msgfree(ads, res);
return status;
}
NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
const char *sent_nt_username,
const char *domain,
struct auth_serversupplied_info **server_info,
struct netr_SamInfo3 *info3)
{
static const char zeros[16] = {0, };
NTSTATUS nt_status = NT_STATUS_OK;
char *found_username = NULL;
const char *nt_domain;
const char *nt_username;
struct dom_sid user_sid;
struct dom_sid group_sid;
bool username_was_mapped;
struct passwd *pwd;
struct auth_serversupplied_info *result;
/*
Here is where we should check the list of
trusted domains, and verify that the SID
matches.
*/
if (!sid_compose(&user_sid, info3->base.domain_sid, info3->base.rid)) {
return NT_STATUS_INVALID_PARAMETER;
}
if (!sid_compose(&group_sid, info3->base.domain_sid,
info3->base.primary_gid)) {
return NT_STATUS_INVALID_PARAMETER;
}
nt_username = talloc_strdup(mem_ctx, info3->base.account_name.string);
if (!nt_username) {
/* If the server didn't give us one, just use the one we sent
* them */
nt_username = sent_nt_username;
}
nt_domain = talloc_strdup(mem_ctx, info3->base.domain.string);
if (!nt_domain) {
/* If the server didn't give us one, just use the one we sent
* them */
nt_domain = domain;
}
/* If getpwnam() fails try the add user script (2.2.x behavior).
We use the _unmapped_ username here in an attempt to provide
consistent username mapping behavior between kerberos and NTLM[SSP]
authentication in domain mode security. I.E. Username mapping
should be applied to the fully qualified username
(e.g. DOMAIN\user) and not just the login name. Yes this means we
called map_username() unnecessarily in make_user_info_map() but
that is how the current code is designed. Making the change here
is the least disruptive place. -- jerry */
/* this call will try to create the user if necessary */
nt_status = check_account(mem_ctx, nt_domain, sent_nt_username,
&found_username, &pwd,
&username_was_mapped);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
result = make_server_info(NULL);
if (result == NULL) {
DEBUG(4, ("make_server_info failed!\n"));
return NT_STATUS_NO_MEMORY;
}
result->unix_name = talloc_strdup(result, found_username);
result->sanitized_username = sanitize_username(result,
result->unix_name);
if (result->sanitized_username == NULL) {
TALLOC_FREE(result);
return NT_STATUS_NO_MEMORY;
}
/* copy in the info3 */
result->info3 = copy_netr_SamInfo3(result, info3);
if (result->info3 == NULL) {
TALLOC_FREE(result);
return NT_STATUS_NO_MEMORY;
}
/* Fill in the unix info we found on the way */
result->utok.uid = pwd->pw_uid;
result->utok.gid = pwd->pw_gid;
/* ensure we are never given NULL session keys */
if (memcmp(info3->base.key.key, zeros, sizeof(zeros)) == 0) {
result->user_session_key = data_blob_null;
} else {
result->user_session_key = data_blob_talloc(
result, info3->base.key.key,
sizeof(info3->base.key.key));
}
if (memcmp(info3->base.LMSessKey.key, zeros, 8) == 0) {
result->lm_session_key = data_blob_null;
} else {
result->lm_session_key = data_blob_talloc(
result, info3->base.LMSessKey.key,
sizeof(info3->base.LMSessKey.key));
}
result->nss_token |= username_was_mapped;
*server_info = result;
return NT_STATUS_OK;
}
static int net_groupmap_set(struct net_context *c, int argc, const char **argv)
{
const char *ntgroup = NULL;
struct group *grp = NULL;
GROUP_MAP map;
bool have_map = false;
if ((argc < 1) || (argc > 2) || c->display_usage) {
d_printf("%s\n%s",
_("Usage:"),
_(" net groupmap set \"NT Group\" "
"[\"unix group\"] [-C \"comment\"] [-L] [-D]\n"));
return -1;
}
if ( c->opt_localgroup && c->opt_domaingroup ) {
d_printf(_("Can only specify -L or -D, not both\n"));
return -1;
}
ntgroup = argv[0];
if (argc == 2) {
grp = getgrnam(argv[1]);
if (grp == NULL) {
d_fprintf(stderr, _("Could not find unix group %s\n"),
argv[1]);
return -1;
}
}
have_map = pdb_getgrnam(&map, ntgroup);
if (!have_map) {
DOM_SID sid;
have_map = ( (strncmp(ntgroup, "S-", 2) == 0) &&
string_to_sid(&sid, ntgroup) &&
pdb_getgrsid(&map, sid) );
}
if (!have_map) {
/* Ok, add it */
if (grp == NULL) {
d_fprintf(stderr,
_("Could not find group mapping for %s\n"),
ntgroup);
return -1;
}
map.gid = grp->gr_gid;
if (c->opt_rid == 0) {
if ( pdb_capabilities() & PDB_CAP_STORE_RIDS ) {
if ( !pdb_new_rid((uint32*)&c->opt_rid) ) {
d_fprintf( stderr,
_("Could not allocate new RID\n"));
return -1;
}
} else {
c->opt_rid = algorithmic_pdb_gid_to_group_rid(map.gid);
}
}
sid_compose(&map.sid, get_global_sam_sid(), c->opt_rid);
map.sid_name_use = SID_NAME_DOM_GRP;
fstrcpy(map.nt_name, ntgroup);
fstrcpy(map.comment, "");
if (!NT_STATUS_IS_OK(pdb_add_group_mapping_entry(&map))) {
d_fprintf(stderr,
_("Could not add mapping entry for %s\n"),
ntgroup);
return -1;
}
}
/* Now we have a mapping entry, update that stuff */
if ( c->opt_localgroup || c->opt_domaingroup ) {
if (map.sid_name_use == SID_NAME_WKN_GRP) {
d_fprintf(stderr,
_("Can't change type of the BUILTIN "
"group %s\n"),
map.nt_name);
return -1;
}
}
if (c->opt_localgroup)
map.sid_name_use = SID_NAME_ALIAS;
if (c->opt_domaingroup)
map.sid_name_use = SID_NAME_DOM_GRP;
/* The case (opt_domaingroup && opt_localgroup) was tested for above */
if ((c->opt_comment != NULL) && (strlen(c->opt_comment) > 0)) {
fstrcpy(map.comment, c->opt_comment);
}
if ((c->opt_newntname != NULL) && (strlen(c->opt_newntname) > 0)) {
fstrcpy(map.nt_name, c->opt_newntname);
}
if (grp != NULL)
map.gid = grp->gr_gid;
if (!NT_STATUS_IS_OK(pdb_update_group_mapping_entry(&map))) {
d_fprintf(stderr, _("Could not update group mapping for %s\n"),
ntgroup);
return -1;
}
return 0;
}
bool uid_to_unix_users_sid(uid_t uid, DOM_SID *sid)
{
return sid_compose(sid, &global_sid_Unix_Users, uid);
}
bool netsamlogon_cache_store(const char *username, struct netr_SamInfo3 *info3)
{
uint8_t dummy = 0;
TDB_DATA data = { .dptr = &dummy, .dsize = sizeof(dummy) };
char keystr[DOM_SID_STR_BUFLEN];
bool result = false;
struct dom_sid user_sid;
TALLOC_CTX *tmp_ctx = talloc_stackframe();
DATA_BLOB blob;
enum ndr_err_code ndr_err;
struct netsamlogoncache_entry r;
int ret;
if (!info3) {
return false;
}
if (!netsamlogon_cache_init()) {
DEBUG(0,("netsamlogon_cache_store: cannot open %s for write!\n",
NETSAMLOGON_TDB));
return false;
}
/*
* First write a record with just the domain sid for
* netsamlogon_cache_domain_known. Use TDB_INSERT to avoid
* overwriting potentially other data. We're just interested
* in the existence of that record.
*/
dom_sid_string_buf(info3->base.domain_sid, keystr, sizeof(keystr));
ret = tdb_store_bystring(netsamlogon_tdb, keystr, data, TDB_INSERT);
if ((ret == -1) && (tdb_error(netsamlogon_tdb) != TDB_ERR_EXISTS)) {
DBG_WARNING("Could not store domain marker for %s: %s\n",
keystr, tdb_errorstr(netsamlogon_tdb));
TALLOC_FREE(tmp_ctx);
return false;
}
sid_compose(&user_sid, info3->base.domain_sid, info3->base.rid);
/* Prepare key as DOMAIN-SID/USER-RID string */
dom_sid_string_buf(&user_sid, keystr, sizeof(keystr));
DEBUG(10,("netsamlogon_cache_store: SID [%s]\n", keystr));
/* Prepare data */
if (info3->base.full_name.string == NULL) {
struct netr_SamInfo3 *cached_info3;
const char *full_name = NULL;
cached_info3 = netsamlogon_cache_get(tmp_ctx, &user_sid);
if (cached_info3 != NULL) {
full_name = cached_info3->base.full_name.string;
}
if (full_name != NULL) {
info3->base.full_name.string = talloc_strdup(info3, full_name);
}
}
/* only Samba fills in the username, not sure why NT doesn't */
/* so we fill it in since winbindd_getpwnam() makes use of it */
if (!info3->base.account_name.string) {
info3->base.account_name.string = talloc_strdup(info3, username);
}
r.timestamp = time(NULL);
r.info3 = *info3;
if (DEBUGLEVEL >= 10) {
NDR_PRINT_DEBUG(netsamlogoncache_entry, &r);
}
ndr_err = ndr_push_struct_blob(&blob, tmp_ctx, &r,
(ndr_push_flags_fn_t)ndr_push_netsamlogoncache_entry);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
DEBUG(0,("netsamlogon_cache_store: failed to push entry to cache\n"));
TALLOC_FREE(tmp_ctx);
return false;
}
data.dsize = blob.length;
data.dptr = blob.data;
if (tdb_store_bystring(netsamlogon_tdb, keystr, data, TDB_REPLACE) == 0) {
result = true;
}
TALLOC_FREE(tmp_ctx);
return result;
}
/***********************************************************************
Retrieves a netr_SamInfo3 structure from a tdb. Caller must
free the user_info struct (talloced memory)
***********************************************************************/
struct netr_SamInfo3 *netsamlogon_cache_get(TALLOC_CTX *mem_ctx, const struct dom_sid *user_sid)
{
struct netr_SamInfo3 *info3 = NULL;
TDB_DATA data;
char keystr[DOM_SID_STR_BUFLEN];
enum ndr_err_code ndr_err;
DATA_BLOB blob;
struct netsamlogoncache_entry r;
if (!netsamlogon_cache_init()) {
DEBUG(0,("netsamlogon_cache_get: cannot open %s for write!\n",
NETSAMLOGON_TDB));
return NULL;
}
/* Prepare key as DOMAIN-SID/USER-RID string */
dom_sid_string_buf(user_sid, keystr, sizeof(keystr));
DEBUG(10,("netsamlogon_cache_get: SID [%s]\n", keystr));
data = tdb_fetch_bystring( netsamlogon_tdb, keystr );
if (!data.dptr) {
return NULL;
}
info3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
if (!info3) {
goto done;
}
blob = data_blob_const(data.dptr, data.dsize);
ndr_err = ndr_pull_struct_blob(&blob, mem_ctx, &r,
(ndr_pull_flags_fn_t)ndr_pull_netsamlogoncache_entry);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
DEBUG(0,("netsamlogon_cache_get: failed to pull entry from cache\n"));
tdb_delete_bystring(netsamlogon_tdb, keystr);
TALLOC_FREE(info3);
goto done;
}
if (DEBUGLEVEL >= 10) {
NDR_PRINT_DEBUG(netsamlogoncache_entry, &r);
}
info3 = (struct netr_SamInfo3 *)talloc_memdup(mem_ctx, &r.info3,
sizeof(r.info3));
done:
SAFE_FREE(data.dptr);
return info3;
}
bool netsamlogon_cache_have(const struct dom_sid *sid)
{
char keystr[DOM_SID_STR_BUFLEN];
bool ok;
if (!netsamlogon_cache_init()) {
DBG_WARNING("Cannot open %s\n", NETSAMLOGON_TDB);
return false;
}
dom_sid_string_buf(sid, keystr, sizeof(keystr));
ok = tdb_exists(netsamlogon_tdb, string_term_tdb_data(keystr));
return ok;
}
bool lookup_name(TALLOC_CTX *mem_ctx,
const char *full_name, int flags,
const char **ret_domain, const char **ret_name,
struct dom_sid *ret_sid, enum lsa_SidType *ret_type)
{
char *p;
const char *tmp;
const char *domain = NULL;
const char *name = NULL;
uint32_t rid;
struct dom_sid sid;
enum lsa_SidType type;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
if (tmp_ctx == NULL) {
DEBUG(0, ("talloc_new failed\n"));
return false;
}
p = strchr_m(full_name, '\\');
if (p != NULL) {
domain = talloc_strndup(tmp_ctx, full_name,
PTR_DIFF(p, full_name));
name = talloc_strdup(tmp_ctx, p+1);
} else {
domain = talloc_strdup(tmp_ctx, "");
name = talloc_strdup(tmp_ctx, full_name);
}
if ((domain == NULL) || (name == NULL)) {
DEBUG(0, ("talloc failed\n"));
TALLOC_FREE(tmp_ctx);
return false;
}
DEBUG(10,("lookup_name: %s => domain=[%s], name=[%s]\n",
full_name, domain, name));
DEBUG(10, ("lookup_name: flags = 0x0%x\n", flags));
if ((flags & LOOKUP_NAME_DOMAIN) &&
strequal(domain, get_global_sam_name()))
{
/* It's our own domain, lookup the name in passdb */
if (lookup_global_sam_name(name, flags, &rid, &type)) {
sid_compose(&sid, get_global_sam_sid(), rid);
goto ok;
}
TALLOC_FREE(tmp_ctx);
return false;
}
if ((flags & LOOKUP_NAME_BUILTIN) &&
strequal(domain, builtin_domain_name()))
{
if (strlen(name) == 0) {
/* Swap domain and name */
tmp = name; name = domain; domain = tmp;
sid_copy(&sid, &global_sid_Builtin);
type = SID_NAME_DOMAIN;
goto ok;
}
/* Explicit request for a name in BUILTIN */
if (lookup_builtin_name(name, &rid)) {
sid_compose(&sid, &global_sid_Builtin, rid);
type = SID_NAME_ALIAS;
goto ok;
}
TALLOC_FREE(tmp_ctx);
return false;
}
/* Try the explicit winbind lookup first, don't let it guess the
* domain yet at this point yet. This comes later. */
if ((domain[0] != '\0') &&
(flags & ~(LOOKUP_NAME_DOMAIN|LOOKUP_NAME_ISOLATED)) &&
(winbind_lookup_name(domain, name, &sid, &type))) {
goto ok;
}
if (((flags & (LOOKUP_NAME_NO_NSS|LOOKUP_NAME_GROUP)) == 0)
&& strequal(domain, unix_users_domain_name())) {
if (lookup_unix_user_name(name, &sid)) {
type = SID_NAME_USER;
goto ok;
}
TALLOC_FREE(tmp_ctx);
return false;
}
if (((flags & LOOKUP_NAME_NO_NSS) == 0)
&& strequal(domain, unix_groups_domain_name())) {
if (lookup_unix_group_name(name, &sid)) {
type = SID_NAME_DOM_GRP;
goto ok;
}
TALLOC_FREE(tmp_ctx);
return false;
}
if ((domain[0] == '\0') && (!(flags & LOOKUP_NAME_ISOLATED))) {
TALLOC_FREE(tmp_ctx);
return false;
}
/* Now the guesswork begins, we haven't been given an explicit
* domain. Try the sequence as documented on
* http://msdn.microsoft.com/library/en-us/secmgmt/security/lsalookupnames.asp
* November 27, 2005 */
/* 1. well-known names */
if ((flags & LOOKUP_NAME_WKN) &&
lookup_wellknown_name(tmp_ctx, name, &sid, &domain))
{
type = SID_NAME_WKN_GRP;
goto ok;
}
/* 2. Builtin domain as such */
if ((flags & (LOOKUP_NAME_BUILTIN|LOOKUP_NAME_REMOTE)) &&
strequal(name, builtin_domain_name()))
{
/* Swap domain and name */
tmp = name; name = domain; domain = tmp;
sid_copy(&sid, &global_sid_Builtin);
type = SID_NAME_DOMAIN;
goto ok;
}
/* 3. Account domain */
if ((flags & LOOKUP_NAME_DOMAIN) &&
strequal(name, get_global_sam_name()))
{
if (!secrets_fetch_domain_sid(name, &sid)) {
DEBUG(3, ("Could not fetch my SID\n"));
TALLOC_FREE(tmp_ctx);
return false;
}
/* Swap domain and name */
tmp = name; name = domain; domain = tmp;
type = SID_NAME_DOMAIN;
goto ok;
}
/* 4. Primary domain */
if ((flags & LOOKUP_NAME_DOMAIN) && !IS_DC &&
strequal(name, lp_workgroup()))
{
if (!secrets_fetch_domain_sid(name, &sid)) {
DEBUG(3, ("Could not fetch the domain SID\n"));
TALLOC_FREE(tmp_ctx);
return false;
}
/* Swap domain and name */
tmp = name; name = domain; domain = tmp;
type = SID_NAME_DOMAIN;
goto ok;
}
/* 5. Trusted domains as such, to me it looks as if members don't do
this, tested an XP workstation in a NT domain -- vl */
if ((flags & LOOKUP_NAME_REMOTE) && IS_DC &&
(pdb_get_trusteddom_pw(name, NULL, &sid, NULL)))
{
/* Swap domain and name */
tmp = name; name = domain; domain = tmp;
type = SID_NAME_DOMAIN;
goto ok;
}
/* 6. Builtin aliases */
if ((flags & LOOKUP_NAME_BUILTIN) &&
lookup_builtin_name(name, &rid))
{
domain = talloc_strdup(tmp_ctx, builtin_domain_name());
sid_compose(&sid, &global_sid_Builtin, rid);
type = SID_NAME_ALIAS;
goto ok;
}
/* 7. Local systems' SAM (DCs don't have a local SAM) */
/* 8. Primary SAM (On members, this is the domain) */
/* Both cases are done by looking at our passdb */
if ((flags & LOOKUP_NAME_DOMAIN) &&
lookup_global_sam_name(name, flags, &rid, &type))
{
domain = talloc_strdup(tmp_ctx, get_global_sam_name());
sid_compose(&sid, get_global_sam_sid(), rid);
goto ok;
}
/* Now our local possibilities are exhausted. */
if (!(flags & LOOKUP_NAME_REMOTE)) {
TALLOC_FREE(tmp_ctx);
return false;
}
/* If we are not a DC, we have to ask in our primary domain. Let
* winbind do that. */
if (!IS_DC &&
(winbind_lookup_name(lp_workgroup(), name, &sid, &type))) {
domain = talloc_strdup(tmp_ctx, lp_workgroup());
goto ok;
}
/* 9. Trusted domains */
/* If we're a DC we have to ask all trusted DC's. Winbind does not do
* that (yet), but give it a chance. */
if (IS_DC && winbind_lookup_name("", name, &sid, &type)) {
struct dom_sid dom_sid;
enum lsa_SidType domain_type;
if (type == SID_NAME_DOMAIN) {
/* Swap name and type */
tmp = name; name = domain; domain = tmp;
goto ok;
}
/* Here we have to cope with a little deficiency in the
* winbind API: We have to ask it again for the name of the
* domain it figured out itself. Maybe fix that later... */
sid_copy(&dom_sid, &sid);
sid_split_rid(&dom_sid, NULL);
if (!winbind_lookup_sid(tmp_ctx, &dom_sid, &domain, NULL,
&domain_type) ||
(domain_type != SID_NAME_DOMAIN)) {
DEBUG(2, ("winbind could not find the domain's name "
"it just looked up for us\n"));
TALLOC_FREE(tmp_ctx);
return false;
}
goto ok;
}
/* 10. Don't translate */
/* 11. Ok, windows would end here. Samba has two more options:
Unmapped users and unmapped groups */
if (((flags & (LOOKUP_NAME_NO_NSS|LOOKUP_NAME_GROUP)) == 0)
&& lookup_unix_user_name(name, &sid)) {
domain = talloc_strdup(tmp_ctx, unix_users_domain_name());
type = SID_NAME_USER;
goto ok;
}
if (((flags & LOOKUP_NAME_NO_NSS) == 0)
&& lookup_unix_group_name(name, &sid)) {
domain = talloc_strdup(tmp_ctx, unix_groups_domain_name());
type = SID_NAME_DOM_GRP;
goto ok;
}
/*
* Ok, all possibilities tried. Fail.
*/
TALLOC_FREE(tmp_ctx);
return false;
ok:
if ((domain == NULL) || (name == NULL)) {
DEBUG(0, ("talloc failed\n"));
TALLOC_FREE(tmp_ctx);
return false;
}
/*
* Hand over the results to the talloc context we've been given.
*/
if ((ret_name != NULL) &&
!(*ret_name = talloc_strdup(mem_ctx, name))) {
DEBUG(0, ("talloc failed\n"));
TALLOC_FREE(tmp_ctx);
return false;
}
if (ret_domain != NULL) {
char *tmp_dom;
if (!(tmp_dom = talloc_strdup(mem_ctx, domain))) {
DEBUG(0, ("talloc failed\n"));
TALLOC_FREE(tmp_ctx);
return false;
}
if (!strupper_m(tmp_dom)) {
TALLOC_FREE(tmp_ctx);
return false;
}
*ret_domain = tmp_dom;
}
if (ret_sid != NULL) {
sid_copy(ret_sid, &sid);
}
if (ret_type != NULL) {
*ret_type = type;
}
TALLOC_FREE(tmp_ctx);
return true;
}
WERROR spoolss_create_default_secdesc(TALLOC_CTX *mem_ctx,
struct spoolss_security_descriptor **secdesc)
{
struct security_ace ace[7]; /* max number of ace entries */
int i = 0;
uint32_t sa;
struct security_acl *psa = NULL;
struct security_descriptor *psd = NULL;
struct dom_sid adm_sid;
size_t sd_size;
/* Create an ACE where Everyone is allowed to print */
sa = PRINTER_ACE_PRINT;
init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
sa, SEC_ACE_FLAG_CONTAINER_INHERIT);
/* Add the domain admins group if we are a DC */
if ( IS_DC ) {
struct dom_sid domadmins_sid;
sid_compose(&domadmins_sid, get_global_sam_sid(),
DOMAIN_RID_ADMINS);
sa = PRINTER_ACE_FULL_CONTROL;
init_sec_ace(&ace[i++], &domadmins_sid,
SEC_ACE_TYPE_ACCESS_ALLOWED, sa,
SEC_ACE_FLAG_OBJECT_INHERIT | SEC_ACE_FLAG_INHERIT_ONLY);
init_sec_ace(&ace[i++], &domadmins_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
sa, SEC_ACE_FLAG_CONTAINER_INHERIT);
}
else if (secrets_fetch_domain_sid(lp_workgroup(), &adm_sid)) {
sid_append_rid(&adm_sid, DOMAIN_RID_ADMINISTRATOR);
sa = PRINTER_ACE_FULL_CONTROL;
init_sec_ace(&ace[i++], &adm_sid,
SEC_ACE_TYPE_ACCESS_ALLOWED, sa,
SEC_ACE_FLAG_OBJECT_INHERIT | SEC_ACE_FLAG_INHERIT_ONLY);
init_sec_ace(&ace[i++], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
sa, SEC_ACE_FLAG_CONTAINER_INHERIT);
}
/* add BUILTIN\Administrators as FULL CONTROL */
sa = PRINTER_ACE_FULL_CONTROL;
init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators,
SEC_ACE_TYPE_ACCESS_ALLOWED, sa,
SEC_ACE_FLAG_OBJECT_INHERIT | SEC_ACE_FLAG_INHERIT_ONLY);
init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators,
SEC_ACE_TYPE_ACCESS_ALLOWED,
sa, SEC_ACE_FLAG_CONTAINER_INHERIT);
/* add BUILTIN\Print Operators as FULL CONTROL */
sa = PRINTER_ACE_FULL_CONTROL;
init_sec_ace(&ace[i++], &global_sid_Builtin_Print_Operators,
SEC_ACE_TYPE_ACCESS_ALLOWED, sa,
SEC_ACE_FLAG_OBJECT_INHERIT | SEC_ACE_FLAG_INHERIT_ONLY);
init_sec_ace(&ace[i++], &global_sid_Builtin_Print_Operators,
SEC_ACE_TYPE_ACCESS_ALLOWED,
sa, SEC_ACE_FLAG_CONTAINER_INHERIT);
/* Make the security descriptor owned by the BUILTIN\Administrators */
/* The ACL revision number in rpc_secdesc.h differs from the one
created by NT when setting ACE entries in printer
descriptors. NT4 complains about the property being edited by a
NT5 machine. */
if ((psa = make_sec_acl(mem_ctx, NT4_ACL_REVISION, i, ace)) != NULL) {
psd = make_sec_desc(mem_ctx,
SD_REVISION,
SEC_DESC_SELF_RELATIVE,
&global_sid_Builtin_Administrators,
&global_sid_Builtin_Administrators,
NULL,
psa,
&sd_size);
}
if (psd == NULL) {
DEBUG(0,("construct_default_printer_sd: Failed to make SEC_DESC.\n"));
return WERR_NOMEM;
}
DEBUG(4,("construct_default_printer_sdb: size = %u.\n",
(unsigned int)sd_size));
*secdesc = psd;
return WERR_OK;
}
