/*
Retrieve our local SID or the SID for the specified name
*/
static int net_getlocalsid(struct net_context *c, int argc, const char **argv)
{
struct dom_sid sid;
const char *name;
fstring sid_str;
if (argc >= 1) {
name = argv[0];
}
else {
name = lp_netbios_name();
}
if(!initialize_password_db(false, NULL)) {
d_fprintf(stderr, _("WARNING: Could not open passdb\n"));
return 1;
}
/* first check to see if we can even access secrets, so we don't
panic when we can't. */
if (!secrets_init()) {
d_fprintf(stderr,
_("Unable to open secrets.tdb. Can't fetch domain "
"SID for name: %s\n"), name);
return 1;
}
/* Generate one, if it doesn't exist */
get_global_sam_sid();
if (!secrets_fetch_domain_sid(name, &sid)) {
DEBUG(0, ("Can't fetch domain SID for name: %s\n", name));
return 1;
}
sid_to_fstring(sid_str, &sid);
d_printf(_("SID for domain %s is: %s\n"), name, sid_str);
return 0;
}
static NTSTATUS one_alias_membership(const DOM_SID *member,
DOM_SID **sids, size_t *num)
{
fstring tmp;
fstring key;
char *string_sid;
TDB_DATA dbuf;
const char *p;
NTSTATUS status = NT_STATUS_OK;
TALLOC_CTX *frame = talloc_stackframe();
slprintf(key, sizeof(key), "%s%s", MEMBEROF_PREFIX,
sid_to_fstring(tmp, member));
dbuf = dbwrap_fetch_bystring(db, frame, key);
if (dbuf.dptr == NULL) {
TALLOC_FREE(frame);
return NT_STATUS_OK;
}
p = (const char *)dbuf.dptr;
while (next_token_talloc(frame, &p, &string_sid, " ")) {
DOM_SID alias;
if (!string_to_sid(&alias, string_sid))
continue;
status= add_sid_to_array_unique(NULL, &alias, sids, num);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
}
done:
TALLOC_FREE(frame);
return status;
}
NTSTATUS privilege_delete_account(const struct dom_sid *sid)
{
struct db_context *db = get_account_pol_db();
fstring tmp, keystr;
if (!lp_enable_privileges()) {
return NT_STATUS_OK;
}
if (!db) {
return NT_STATUS_INVALID_HANDLE;
}
if (!sid || (sid->num_auths == 0)) {
return NT_STATUS_INVALID_SID;
}
/* PRIV_<SID> (NULL terminated) as the key */
fstr_sprintf(keystr, "%s%s", PRIVPREFIX, sid_to_fstring(tmp, sid));
return dbwrap_delete_bystring(db, keystr);
}
/*
Retrieve our local SID or the SID for the specified name
*/
static int net_getlocalsid(int argc, const char **argv)
{
DOM_SID sid;
const char *name;
fstring sid_str;
if (argc >= 1) {
name = argv[0];
}
else {
name = global_myname();
}
if(!initialize_password_db(False, NULL)) {
DEBUG(0, ("WARNING: Could not open passdb - local sid may not reflect passdb\n"
"backend knowledge (such as the sid stored in LDAP)\n"));
}
/* first check to see if we can even access secrets, so we don't
panic when we can't. */
if (!secrets_init()) {
d_fprintf(stderr, "Unable to open secrets.tdb. Can't fetch domain SID for name: %s\n", name);
return 1;
}
/* Generate one, if it doesn't exist */
get_global_sam_sid();
if (!secrets_fetch_domain_sid(name, &sid)) {
DEBUG(0, ("Can't fetch domain SID for name: %s\n", name));
return 1;
}
sid_to_fstring(sid_str, &sid);
d_printf("SID for domain %s is: %s\n", name, sid_str);
return 0;
}
static NTSTATUS cmd_lsa_enum_trust_dom(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx, int argc,
const char **argv)
{
struct policy_handle pol;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
struct lsa_DomainList domain_list;
/* defaults, but may be changed using params */
uint32 enum_ctx = 0;
int i;
uint32_t max_size = (uint32_t)-1;
if (argc > 2) {
printf("Usage: %s [enum context (0)]\n", argv[0]);
return NT_STATUS_OK;
}
if (argc == 2 && argv[1]) {
enum_ctx = atoi(argv[2]);
}
result = rpccli_lsa_open_policy(cli, mem_ctx, True,
LSA_POLICY_VIEW_LOCAL_INFORMATION,
&pol);
if (!NT_STATUS_IS_OK(result))
goto done;
result = STATUS_MORE_ENTRIES;
while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES)) {
/* Lookup list of trusted domains */
result = rpccli_lsa_EnumTrustDom(cli, mem_ctx,
&pol,
&enum_ctx,
&domain_list,
max_size);
if (!NT_STATUS_IS_OK(result) &&
!NT_STATUS_EQUAL(result, NT_STATUS_NO_MORE_ENTRIES) &&
!NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES))
goto done;
/* Print results: list of names and sids returned in this
* response. */
for (i = 0; i < domain_list.count; i++) {
fstring sid_str;
sid_to_fstring(sid_str, domain_list.domains[i].sid);
printf("%s %s\n",
domain_list.domains[i].name.string ?
domain_list.domains[i].name.string : "*unknown*",
sid_str);
}
}
rpccli_lsa_Close(cli, mem_ctx, &pol);
done:
return result;
}
static NTSTATUS cmd_lsa_lookup_sids3(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx,
int argc, const char **argv)
{
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
int i;
struct lsa_SidArray sids;
struct lsa_RefDomainList *domains;
struct lsa_TransNameArray2 names;
uint32_t count = 0;
if (argc == 1) {
printf("Usage: %s [sid1 [sid2 [...]]]\n", argv[0]);
return NT_STATUS_OK;
}
ZERO_STRUCT(names);
/* Convert arguments to sids */
sids.num_sids = argc-1;
sids.sids = talloc_array(mem_ctx, struct lsa_SidPtr, sids.num_sids);
if (!sids.sids) {
printf("could not allocate memory for %d sids\n", sids.num_sids);
goto done;
}
for (i = 0; i < sids.num_sids; i++) {
sids.sids[i].sid = talloc(sids.sids, struct dom_sid);
if (sids.sids[i].sid == NULL) {
result = NT_STATUS_NO_MEMORY;
goto done;
}
if (!string_to_sid(sids.sids[i].sid, argv[i+1])) {
result = NT_STATUS_INVALID_SID;
goto done;
}
}
/* Lookup the SIDs */
result = rpccli_lsa_LookupSids3(cli, mem_ctx,
&sids,
&domains,
&names,
1,
&count,
0,
0);
if (!NT_STATUS_IS_OK(result) && NT_STATUS_V(result) !=
NT_STATUS_V(STATUS_SOME_UNMAPPED))
goto done;
result = NT_STATUS_OK;
/* Print results */
for (i = 0; i < count; i++) {
fstring sid_str;
sid_to_fstring(sid_str, sids.sids[i].sid);
printf("%s %s (%d)\n", sid_str,
names.names[i].name.string,
names.names[i].sid_type);
}
done:
return result;
}
static NTSTATUS cmd_lsa_lookup_sids(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
int argc, const char **argv)
{
struct policy_handle pol;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
DOM_SID *sids;
char **domains;
char **names;
enum lsa_SidType *types;
int i;
if (argc == 1) {
printf("Usage: %s [sid1 [sid2 [...]]]\n", argv[0]);
return NT_STATUS_OK;
}
result = rpccli_lsa_open_policy(cli, mem_ctx, True,
SEC_FLAG_MAXIMUM_ALLOWED,
&pol);
if (!NT_STATUS_IS_OK(result))
goto done;
/* Convert arguments to sids */
sids = TALLOC_ARRAY(mem_ctx, DOM_SID, argc - 1);
if (!sids) {
printf("could not allocate memory for %d sids\n", argc - 1);
goto done;
}
for (i = 0; i < argc - 1; i++)
if (!string_to_sid(&sids[i], argv[i + 1])) {
result = NT_STATUS_INVALID_SID;
goto done;
}
/* Lookup the SIDs */
result = rpccli_lsa_lookup_sids(cli, mem_ctx, &pol, argc - 1, sids,
&domains, &names, &types);
if (!NT_STATUS_IS_OK(result) && NT_STATUS_V(result) !=
NT_STATUS_V(STATUS_SOME_UNMAPPED))
goto done;
result = NT_STATUS_OK;
/* Print results */
for (i = 0; i < (argc - 1); i++) {
fstring sid_str;
sid_to_fstring(sid_str, &sids[i]);
printf("%s %s\\%s (%d)\n", sid_str,
domains[i] ? domains[i] : "*unknown*",
names[i] ? names[i] : "*unknown*", types[i]);
}
rpccli_lsa_Close(cli, mem_ctx, &pol);
done:
return result;
}
static int net_groupmap_add(struct net_context *c, int argc, const char **argv)
{
struct dom_sid sid;
fstring ntgroup = "";
fstring unixgrp = "";
fstring string_sid = "";
fstring type = "";
fstring ntcomment = "";
enum lsa_SidType sid_type = SID_NAME_DOM_GRP;
uint32 rid = 0;
gid_t gid;
int i;
GROUP_MAP *map;
const char *name_type;
const char add_usage_str[] = N_("net groupmap add "
"{rid=<int>|sid=<string>}"
" unixgroup=<string> "
"[type=<domain|local|builtin>] "
"[ntgroup=<string>] "
"[comment=<string>]");
name_type = "domain group";
if (c->display_usage) {
d_printf("%s\n%s\n", _("Usage:\n"), add_usage_str);
return 0;
}
/* get the options */
for ( i=0; i<argc; i++ ) {
if ( !strncasecmp_m(argv[i], "rid", strlen("rid")) ) {
rid = get_int_param(argv[i]);
if ( rid < DOMAIN_RID_ADMINS ) {
d_fprintf(stderr,
_("RID must be greater than %d\n"),
(uint32)DOMAIN_RID_ADMINS-1);
return -1;
}
}
else if ( !strncasecmp_m(argv[i], "unixgroup", strlen("unixgroup")) ) {
fstrcpy( unixgrp, get_string_param( argv[i] ) );
if ( !unixgrp[0] ) {
d_fprintf(stderr,_( "must supply a name\n"));
return -1;
}
}
else if ( !strncasecmp_m(argv[i], "ntgroup", strlen("ntgroup")) ) {
fstrcpy( ntgroup, get_string_param( argv[i] ) );
if ( !ntgroup[0] ) {
d_fprintf(stderr, _("must supply a name\n"));
return -1;
}
}
else if ( !strncasecmp_m(argv[i], "sid", strlen("sid")) ) {
fstrcpy( string_sid, get_string_param( argv[i] ) );
if ( !string_sid[0] ) {
d_fprintf(stderr, _("must supply a SID\n"));
return -1;
}
}
else if ( !strncasecmp_m(argv[i], "comment", strlen("comment")) ) {
fstrcpy( ntcomment, get_string_param( argv[i] ) );
if ( !ntcomment[0] ) {
d_fprintf(stderr,
_("must supply a comment string\n"));
return -1;
}
}
else if ( !strncasecmp_m(argv[i], "type", strlen("type")) ) {
fstrcpy( type, get_string_param( argv[i] ) );
switch ( type[0] ) {
case 'b':
case 'B':
sid_type = SID_NAME_WKN_GRP;
name_type = "wellknown group";
break;
case 'd':
case 'D':
sid_type = SID_NAME_DOM_GRP;
name_type = "domain group";
break;
case 'l':
case 'L':
sid_type = SID_NAME_ALIAS;
name_type = "alias (local) group";
break;
default:
d_fprintf(stderr,
_("unknown group type %s\n"),
type);
return -1;
}
}
else {
d_fprintf(stderr, _("Bad option: %s\n"), argv[i]);
return -1;
}
}
if ( !unixgrp[0] ) {
d_printf("%s\n%s\n", _("Usage:\n"), add_usage_str);
return -1;
}
if ( (gid = nametogid(unixgrp)) == (gid_t)-1 ) {
d_fprintf(stderr, _("Can't lookup UNIX group %s\n"), unixgrp);
return -1;
}
map = talloc_zero(NULL, GROUP_MAP);
if (!map) {
return -1;
}
/* Default is domain group. */
map->sid_name_use = SID_NAME_DOM_GRP;
if (pdb_getgrgid(map, gid)) {
d_printf(_("Unix group %s already mapped to SID %s\n"),
unixgrp, sid_string_tos(&map->sid));
TALLOC_FREE(map);
return -1;
}
TALLOC_FREE(map);
if ( (rid == 0) && (string_sid[0] == '\0') ) {
d_printf(_("No rid or sid specified, choosing a RID\n"));
if (pdb_capabilities() & PDB_CAP_STORE_RIDS) {
if (!pdb_new_rid(&rid)) {
d_printf(_("Could not get new RID\n"));
}
} else {
rid = algorithmic_pdb_gid_to_group_rid(gid);
}
d_printf(_("Got RID %d\n"), rid);
}
/* append the rid to our own domain/machine SID if we don't have a full SID */
if ( !string_sid[0] ) {
sid_compose(&sid, get_global_sam_sid(), rid);
sid_to_fstring(string_sid, &sid);
}
if (!ntcomment[0]) {
switch (sid_type) {
case SID_NAME_WKN_GRP:
fstrcpy(ntcomment, "Wellknown Unix group");
break;
case SID_NAME_DOM_GRP:
fstrcpy(ntcomment, "Domain Unix group");
break;
case SID_NAME_ALIAS:
fstrcpy(ntcomment, "Local Unix group");
break;
default:
fstrcpy(ntcomment, "Unix group");
break;
}
}
if (!ntgroup[0] )
strlcpy(ntgroup, unixgrp, sizeof(ntgroup));
if (!NT_STATUS_IS_OK(add_initial_entry(gid, string_sid, sid_type, ntgroup, ntcomment))) {
d_fprintf(stderr, _("adding entry for group %s failed!\n"), ntgroup);
return -1;
}
d_printf(_("Successfully added group %s to the mapping db as a %s\n"),
ntgroup, name_type);
return 0;
}
static NTSTATUS add_new_domain_info(struct smbldap_state *ldap_state,
const char *domain_name)
{
fstring sid_string;
fstring algorithmic_rid_base_string;
char *filter = NULL;
char *dn = NULL;
LDAPMod **mods = NULL;
int rc;
LDAPMessage *result = NULL;
int num_result;
const char **attr_list;
char *escape_domain_name;
/* escape for filter */
escape_domain_name = escape_ldap_string(talloc_tos(), domain_name);
if (!escape_domain_name) {
DEBUG(0, ("Out of memory!\n"));
return NT_STATUS_NO_MEMORY;
}
if (asprintf(&filter, "(&(%s=%s)(objectclass=%s))",
get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN),
escape_domain_name, LDAP_OBJ_DOMINFO) < 0) {
TALLOC_FREE(escape_domain_name);
return NT_STATUS_NO_MEMORY;
}
TALLOC_FREE(escape_domain_name);
attr_list = get_attr_list(NULL, dominfo_attr_list );
rc = smbldap_search_suffix(ldap_state, filter, attr_list, &result);
TALLOC_FREE( attr_list );
SAFE_FREE(filter);
if (rc != LDAP_SUCCESS) {
return NT_STATUS_UNSUCCESSFUL;
}
num_result = ldap_count_entries(ldap_state->ldap_struct, result);
if (num_result > 1) {
DEBUG (0, ("add_new_domain_info: More than domain with that name exists: bailing "
"out!\n"));
ldap_msgfree(result);
return NT_STATUS_UNSUCCESSFUL;
}
/* Check if we need to add an entry */
DEBUG(3,("add_new_domain_info: Adding new domain\n"));
/* this time escape for DN */
escape_domain_name = escape_rdn_val_string_alloc(domain_name);
if (!escape_domain_name) {
DEBUG(0, ("Out of memory!\n"));
return NT_STATUS_NO_MEMORY;
}
if (asprintf(&dn, "%s=%s,%s",
get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN),
escape_domain_name, lp_ldap_suffix(talloc_tos())) < 0) {
SAFE_FREE(escape_domain_name);
return NT_STATUS_NO_MEMORY;
}
SAFE_FREE(escape_domain_name);
/* Free original search */
ldap_msgfree(result);
/* make the changes - the entry *must* not already have samba
* attributes */
smbldap_set_mod(&mods, LDAP_MOD_ADD,
get_attr_key2string(dominfo_attr_list,
LDAP_ATTR_DOMAIN),
domain_name);
/* If we don't have an entry, then ask secrets.tdb for what it thinks.
It may choose to make it up */
sid_to_fstring(sid_string, get_global_sam_sid());
smbldap_set_mod(&mods, LDAP_MOD_ADD,
get_attr_key2string(dominfo_attr_list,
LDAP_ATTR_DOM_SID),
sid_string);
slprintf(algorithmic_rid_base_string,
sizeof(algorithmic_rid_base_string) - 1, "%i",
algorithmic_rid_base());
smbldap_set_mod(&mods, LDAP_MOD_ADD,
get_attr_key2string(dominfo_attr_list,
LDAP_ATTR_ALGORITHMIC_RID_BASE),
algorithmic_rid_base_string);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_DOMINFO);
/* add the sambaNextUserRid attributes. */
{
uint32_t rid = BASE_RID;
fstring rid_str;
fstr_sprintf( rid_str, "%i", rid );
DEBUG(10,("add_new_domain_info: setting next available user rid [%s]\n", rid_str));
smbldap_set_mod(&mods, LDAP_MOD_ADD,
get_attr_key2string(dominfo_attr_list,
LDAP_ATTR_NEXT_USERRID),
rid_str);
}
rc = smbldap_add(ldap_state, dn, mods);
if (rc!=LDAP_SUCCESS) {
char *ld_error = NULL;
ldap_get_option(ldap_state->ldap_struct,
LDAP_OPT_ERROR_STRING, &ld_error);
DEBUG(1,("add_new_domain_info: failed to add domain dn= %s with: %s\n\t%s\n",
dn, ldap_err2string(rc),
ld_error?ld_error:"unknown"));
SAFE_FREE(ld_error);
SAFE_FREE(dn);
ldap_mods_free(mods, True);
return NT_STATUS_UNSUCCESSFUL;
}
DEBUG(2,("add_new_domain_info: added: domain = %s in the LDAP database\n", domain_name));
ldap_mods_free(mods, True);
SAFE_FREE(dn);
return NT_STATUS_OK;
}
/*****************************************************************************
For idmap conversion: convert one record to new format
Ancient versions (eg 2.2.3a) of winbindd_idmap.tdb mapped DOMAINNAME/rid
instead of the SID.
*****************************************************************************/
static int convert_fn(struct db_record *rec, void *private_data)
{
struct winbindd_domain *domain;
char *p;
NTSTATUS status;
struct dom_sid sid;
uint32 rid;
fstring keystr;
fstring dom_name;
TDB_DATA key;
TDB_DATA key2;
TDB_DATA value;
struct convert_fn_state *s = (struct convert_fn_state *)private_data;
key = dbwrap_record_get_key(rec);
DEBUG(10,("Converting %s\n", (const char *)key.dptr));
p = strchr((const char *)key.dptr, '/');
if (!p)
return 0;
*p = 0;
fstrcpy(dom_name, (const char *)key.dptr);
*p++ = '/';
domain = find_domain_from_name(dom_name);
if (domain == NULL) {
/* We must delete the old record. */
DEBUG(0,("Unable to find domain %s\n", dom_name ));
DEBUG(0,("deleting record %s\n", (const char *)key.dptr ));
status = dbwrap_record_delete(rec);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Unable to delete record %s:%s\n",
(const char *)key.dptr,
nt_errstr(status)));
s->failed = true;
return -1;
}
return 0;
}
rid = atoi(p);
sid_compose(&sid, &domain->sid, rid);
sid_to_fstring(keystr, &sid);
key2 = string_term_tdb_data(keystr);
value = dbwrap_record_get_value(rec);
status = dbwrap_store(s->db, key2, value, TDB_INSERT);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0,("Unable to add record %s:%s\n",
(const char *)key2.dptr,
nt_errstr(status)));
s->failed = true;
return -1;
}
status = dbwrap_store(s->db, value, key2, TDB_REPLACE);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0,("Unable to update record %s:%s\n",
(const char *)value.dptr,
nt_errstr(status)));
s->failed = true;
return -1;
}
status = dbwrap_record_delete(rec);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0,("Unable to delete record %s:%s\n",
(const char *)key.dptr,
nt_errstr(status)));
s->failed = true;
return -1;
}
return 0;
}
static void display_sam_sync(struct netr_DELTA_ENUM_ARRAY *r)
{
uint32_t i, j;
for (i=0; i < r->num_deltas; i++) {
union netr_DELTA_UNION u = r->delta_enum[i].delta_union;
union netr_DELTA_ID_UNION id = r->delta_enum[i].delta_id_union;
switch (r->delta_enum[i].delta_type) {
case NETR_DELTA_DOMAIN:
printf("Domain: %s\n",
u.domain->domain_name.string);
break;
case NETR_DELTA_GROUP:
printf("Group: %s\n",
u.group->group_name.string);
break;
case NETR_DELTA_DELETE_GROUP:
printf("Delete Group: %d\n",
id.rid);
break;
case NETR_DELTA_RENAME_GROUP:
printf("Rename Group: %s -> %s\n",
u.rename_group->OldName.string,
u.rename_group->NewName.string);
break;
case NETR_DELTA_USER:
printf("Account: %s\n",
u.user->account_name.string);
break;
case NETR_DELTA_DELETE_USER:
printf("Delete User: %d\n",
id.rid);
break;
case NETR_DELTA_RENAME_USER:
printf("Rename user: %s -> %s\n",
u.rename_user->OldName.string,
u.rename_user->NewName.string);
break;
case NETR_DELTA_GROUP_MEMBER:
for (j=0; j < u.group_member->num_rids; j++) {
printf("rid 0x%x, attrib 0x%08x\n",
u.group_member->rids[j],
u.group_member->attribs[j]);
}
break;
case NETR_DELTA_ALIAS:
printf("Alias: %s\n",
u.alias->alias_name.string);
break;
case NETR_DELTA_DELETE_ALIAS:
printf("Delete Alias: %d\n",
id.rid);
break;
case NETR_DELTA_RENAME_ALIAS:
printf("Rename alias: %s -> %s\n",
u.rename_alias->OldName.string,
u.rename_alias->NewName.string);
break;
case NETR_DELTA_ALIAS_MEMBER:
for (j=0; j < u.alias_member->sids.num_sids; j++) {
fstring sid_str;
sid_to_fstring(sid_str,
u.alias_member->sids.sids[j].sid);
printf("%s\n", sid_str);
}
break;
case NETR_DELTA_POLICY:
printf("Policy: %s\n",
sid_string_dbg(id.sid));
break;
case NETR_DELTA_TRUSTED_DOMAIN:
printf("Trusted Domain: %s\n",
u.trusted_domain->domain_name.string);
break;
case NETR_DELTA_DELETE_TRUST:
printf("Delete Trust: %s\n",
sid_string_dbg(id.sid));
break;
case NETR_DELTA_ACCOUNT:
printf("Account: %s\n",
sid_string_dbg(id.sid));
break;
case NETR_DELTA_DELETE_ACCOUNT:
printf("Delete Account: %s\n",
sid_string_dbg(id.sid));
break;
case NETR_DELTA_SECRET:
printf("Secret: %s\n",
id.name);
break;
case NETR_DELTA_DELETE_SECRET:
printf("Delete Secret: %s\n",
id.name);
break;
case NETR_DELTA_DELETE_GROUP2:
printf("Delete Group2: %s\n",
u.delete_group->account_name);
break;
case NETR_DELTA_DELETE_USER2:
printf("Delete User2: %s\n",
u.delete_user->account_name);
break;
case NETR_DELTA_MODIFY_COUNT:
printf("sam sequence update: 0x%016llx\n",
(unsigned long long) *u.modified_count);
break;
default:
printf("unknown delta type 0x%02x\n",
r->delta_enum[i].delta_type);
break;
}
}
}
/* Query display info for a realm. This is the basic user list fn */
static NTSTATUS query_user_list(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
uint32_t **prids)
{
ADS_STRUCT *ads = NULL;
const char *attrs[] = { "sAMAccountType", "objectSid", NULL };
int count;
uint32_t *rids = NULL;
ADS_STATUS rc;
LDAPMessage *res = NULL;
LDAPMessage *msg = NULL;
NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
DEBUG(3,("ads: query_user_list\n"));
if ( !winbindd_can_contact_domain( domain ) ) {
DEBUG(10,("query_user_list: No incoming trust for domain %s\n",
domain->name));
return NT_STATUS_OK;
}
ads = ads_cached_connection(domain);
if (!ads) {
domain->last_status = NT_STATUS_SERVER_DISABLED;
goto done;
}
rc = ads_search_retry(ads, &res, "(objectCategory=user)", attrs);
if (!ADS_ERR_OK(rc)) {
DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc)));
status = ads_ntstatus(rc);
goto done;
} else if (!res) {
DEBUG(1,("query_user_list ads_search returned NULL res\n"));
goto done;
}
count = ads_count_replies(ads, res);
if (count == 0) {
DEBUG(1,("query_user_list: No users found\n"));
goto done;
}
rids = talloc_zero_array(mem_ctx, uint32_t, count);
if (rids == NULL) {
status = NT_STATUS_NO_MEMORY;
goto done;
}
count = 0;
for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
struct dom_sid user_sid;
uint32_t atype;
bool ok;
ok = ads_pull_uint32(ads, msg, "sAMAccountType", &atype);
if (!ok) {
DBG_INFO("Object lacks sAMAccountType attribute\n");
continue;
}
if (ds_atype_map(atype) != SID_NAME_USER) {
DBG_INFO("Not a user account? atype=0x%x\n", atype);
continue;
}
if (!ads_pull_sid(ads, msg, "objectSid", &user_sid)) {
char *dn = ads_get_dn(ads, talloc_tos(), msg);
DBG_INFO("No sid for %s !?\n", dn);
TALLOC_FREE(dn);
continue;
}
if (!dom_sid_in_domain(&domain->sid, &user_sid)) {
fstring sidstr, domstr;
DBG_WARNING("Got sid %s in domain %s\n",
sid_to_fstring(sidstr, &user_sid),
sid_to_fstring(domstr, &domain->sid));
continue;
}
sid_split_rid(&user_sid, &rids[count]);
count += 1;
}
rids = talloc_realloc(mem_ctx, rids, uint32_t, count);
if (prids != NULL) {
*prids = rids;
}
status = NT_STATUS_OK;
DBG_NOTICE("ads query_user_list gave %d entries\n", count);
done:
return status;
}
static NTSTATUS del_aliasmem(const DOM_SID *alias, const DOM_SID *member)
{
NTSTATUS status;
DOM_SID *sids;
size_t i, num;
bool found = False;
char *member_string;
char *key;
fstring sid_string;
if (db->transaction_start(db) != 0) {
DEBUG(0, ("transaction_start failed\n"));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
status = alias_memberships(member, 1, &sids, &num);
if (!NT_STATUS_IS_OK(status)) {
goto cancel;
}
for (i=0; i<num; i++) {
if (sid_compare(&sids[i], alias) == 0) {
found = True;
break;
}
}
if (!found) {
TALLOC_FREE(sids);
status = NT_STATUS_MEMBER_NOT_IN_ALIAS;
goto cancel;
}
if (i < num)
sids[i] = sids[num-1];
num -= 1;
sid_to_fstring(sid_string, member);
key = talloc_asprintf(sids, "%s%s", MEMBEROF_PREFIX, sid_string);
if (key == NULL) {
TALLOC_FREE(sids);
status = NT_STATUS_NO_MEMORY;
goto cancel;
}
if (num == 0) {
status = dbwrap_delete_bystring(db, key);
TALLOC_FREE(sids);
goto cancel;
}
member_string = talloc_strdup(sids, "");
if (member_string == NULL) {
TALLOC_FREE(sids);
status = NT_STATUS_NO_MEMORY;
goto cancel;
}
for (i=0; i<num; i++) {
sid_to_fstring(sid_string, &sids[i]);
member_string = talloc_asprintf_append_buffer(
member_string, " %s", sid_string);
if (member_string == NULL) {
TALLOC_FREE(sids);
status = NT_STATUS_NO_MEMORY;
goto cancel;
}
}
status = dbwrap_store_bystring(
db, key, string_term_tdb_data(member_string), 0);
TALLOC_FREE(sids);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10, ("dbwrap_store_bystring failed: %s\n",
nt_errstr(status)));
goto cancel;
}
if (db->transaction_commit(db) != 0) {
DEBUG(0, ("transaction_commit failed\n"));
status = NT_STATUS_INTERNAL_DB_CORRUPTION;
goto cancel;
}
return NT_STATUS_OK;
cancel:
if (db->transaction_cancel(db) != 0) {
smb_panic("transaction_cancel failed");
}
return status;
}
static NTSTATUS add_aliasmem(const DOM_SID *alias, const DOM_SID *member)
{
GROUP_MAP map;
char *key;
fstring string_sid;
char *new_memberstring;
struct db_record *rec;
NTSTATUS status;
if (!get_group_map_from_sid(*alias, &map))
return NT_STATUS_NO_SUCH_ALIAS;
if ( (map.sid_name_use != SID_NAME_ALIAS) &&
(map.sid_name_use != SID_NAME_WKN_GRP) )
return NT_STATUS_NO_SUCH_ALIAS;
if (is_aliasmem(alias, member))
return NT_STATUS_MEMBER_IN_ALIAS;
sid_to_fstring(string_sid, member);
key = talloc_asprintf(talloc_tos(), "%s%s", MEMBEROF_PREFIX,
string_sid);
if (key == NULL) {
return NT_STATUS_NO_MEMORY;
}
if (db->transaction_start(db) != 0) {
DEBUG(0, ("transaction_start failed\n"));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
rec = db->fetch_locked(db, key, string_term_tdb_data(key));
if (rec == NULL) {
DEBUG(10, ("fetch_lock failed\n"));
TALLOC_FREE(key);
status = NT_STATUS_INTERNAL_DB_CORRUPTION;
goto cancel;
}
sid_to_fstring(string_sid, alias);
if (rec->value.dptr != NULL) {
new_memberstring = talloc_asprintf(
key, "%s %s", (char *)(rec->value.dptr), string_sid);
} else {
new_memberstring = talloc_strdup(key, string_sid);
}
if (new_memberstring == NULL) {
TALLOC_FREE(key);
status = NT_STATUS_NO_MEMORY;
goto cancel;
}
status = rec->store(rec, string_term_tdb_data(new_memberstring), 0);
TALLOC_FREE(key);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10, ("Could not store record: %s\n", nt_errstr(status)));
goto cancel;
}
if (db->transaction_commit(db) != 0) {
DEBUG(0, ("transaction_commit failed\n"));
status = NT_STATUS_INTERNAL_DB_CORRUPTION;
goto cancel;
}
return NT_STATUS_OK;
cancel:
if (db->transaction_cancel(db) != 0) {
smb_panic("transaction_cancel failed");
}
return status;
}
static void dump_ntquota(SMB_NTQUOTA_STRUCT *qt, bool _verbose,
bool _numeric,
void (*_sidtostring)(fstring str,
struct dom_sid *sid,
bool _numeric))
{
TALLOC_CTX *frame = talloc_stackframe();
if (!qt) {
smb_panic("dump_ntquota() called with NULL pointer");
}
switch (qt->qtype) {
case SMB_USER_FS_QUOTA_TYPE:
{
d_printf("File System QUOTAS:\n");
d_printf("Limits:\n");
d_printf(" Default Soft Limit: %15s\n",
quota_str_static(qt->softlim,True,_numeric));
d_printf(" Default Hard Limit: %15s\n",
quota_str_static(qt->hardlim,True,_numeric));
d_printf("Quota Flags:\n");
d_printf(" Quotas Enabled: %s\n",
((qt->qflags"AS_ENABLED)
||(qt->qflags"AS_DENY_DISK))?"On":"Off");
d_printf(" Deny Disk: %s\n",
(qt->qflags"AS_DENY_DISK)?"On":"Off");
d_printf(" Log Soft Limit: %s\n",
(qt->qflags"AS_LOG_THRESHOLD)?"On":"Off");
d_printf(" Log Hard Limit: %s\n",
(qt->qflags"AS_LOG_LIMIT)?"On":"Off");
}
break;
case SMB_USER_QUOTA_TYPE:
{
fstring username_str = {0};
if (_sidtostring) {
_sidtostring(username_str,&qt->sid,_numeric);
} else {
sid_to_fstring(username_str, &qt->sid);
}
if (_verbose) {
d_printf("Quotas for User: %s\n",username_str);
d_printf("Used Space: %15s\n",
quota_str_static(qt->usedspace,False,
_numeric));
d_printf("Soft Limit: %15s\n",
quota_str_static(qt->softlim,True,
_numeric));
d_printf("Hard Limit: %15s\n",
quota_str_static(qt->hardlim,True,_numeric));
} else {
d_printf("%-30s: ",username_str);
d_printf("%15s/",quota_str_static(
qt->usedspace,False,_numeric));
d_printf("%15s/",quota_str_static(
qt->softlim,True,_numeric));
d_printf("%15s\n",quota_str_static(
qt->hardlim,True,_numeric));
}
}
break;
default:
d_printf("dump_ntquota() invalid qtype(%d)\n",qt->qtype);
}
TALLOC_FREE(frame);
return;
}