static bool wbinfo_get_sidaliases(const char *domain,
const char *user_sid_str)
{
wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
struct wbcDomainInfo *dinfo = NULL;
uint32_t i;
struct wbcDomainSid user_sid;
uint32_t *alias_rids = NULL;
uint32_t num_alias_rids;
char *domain_sid_str = NULL;
/* Send request */
if ((domain == NULL) || (strequal(domain, ".")) ||
(domain[0] == '\0')) {
domain = get_winbind_domain();
}
/* Send request */
wbc_status = wbcDomainInfo(domain, &dinfo);
if (!WBC_ERROR_IS_OK(wbc_status)) {
d_printf("wbcDomainInfo(%s) failed: %s\n", domain,
wbcErrorString(wbc_status));
goto done;
}
wbc_status = wbcStringToSid(user_sid_str, &user_sid);
if (!WBC_ERROR_IS_OK(wbc_status)) {
goto done;
}
wbc_status = wbcGetSidAliases(&dinfo->sid, &user_sid, 1,
&alias_rids, &num_alias_rids);
if (!WBC_ERROR_IS_OK(wbc_status)) {
goto done;
}
wbc_status = wbcSidToString(&dinfo->sid, &domain_sid_str);
if (!WBC_ERROR_IS_OK(wbc_status)) {
goto done;
}
for (i = 0; i < num_alias_rids; i++) {
d_printf("%s-%d\n", domain_sid_str, alias_rids[i]);
}
wbcFreeMemory(alias_rids);
done:
if (domain_sid_str) {
wbcFreeMemory(domain_sid_str);
}
if (dinfo) {
wbcFreeMemory(dinfo);
}
return (WBC_ERR_SUCCESS == wbc_status);
}
static bool wbinfo_lookuprids(const char *domain, const char *arg)
{
wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
struct wbcDomainInfo *dinfo = NULL;
char *domain_name = NULL;
const char **names = NULL;
enum wbcSidType *types = NULL;
size_t i;
int num_rids;
uint32 *rids = NULL;
const char *p;
char *ridstr;
TALLOC_CTX *mem_ctx = NULL;
bool ret = false;
if ((domain == NULL) || (strequal(domain, ".")) || (domain[0] == '\0')) {
domain = get_winbind_domain();
}
/* Send request */
wbc_status = wbcDomainInfo(domain, &dinfo);
if (!WBC_ERROR_IS_OK(wbc_status)) {
d_printf("wbcDomainInfo(%s) failed: %s\n", domain,
wbcErrorString(wbc_status));
goto done;
}
mem_ctx = talloc_new(NULL);
if (mem_ctx == NULL) {
d_printf("talloc_new failed\n");
goto done;
}
num_rids = 0;
rids = NULL;
p = arg;
while (next_token_talloc(mem_ctx, &p, &ridstr, " ,\n")) {
uint32 rid = strtoul(ridstr, NULL, 10);
ADD_TO_ARRAY(mem_ctx, uint32, rid, &rids, &num_rids);
}
if (rids == NULL) {
d_printf("no rids\n");
goto done;
}
wbc_status = wbcLookupRids(&dinfo->sid, num_rids, rids,
(const char **)&domain_name, &names, &types);
if (!WBC_ERROR_IS_OK(wbc_status)) {
d_printf("winbind_lookup_rids failed: %s\n",
wbcErrorString(wbc_status));
goto done;
}
d_printf("Domain: %s\n", domain_name);
for (i=0; i<num_rids; i++) {
d_printf("%8d: %s (%s)\n", rids[i], names[i],
sid_type_lookup(types[i]));
}
ret = true;
done:
if (dinfo) {
wbcFreeMemory(dinfo);
}
if (domain_name) {
wbcFreeMemory(domain_name);
}
if (names) {
wbcFreeMemory(names);
}
if (types) {
wbcFreeMemory(types);
}
TALLOC_FREE(mem_ctx);
return ret;
}
static NTSTATUS check_wbc_security(const struct auth_context *auth_context,
void *my_private_data,
TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
struct auth_serversupplied_info **server_info)
{
NTSTATUS nt_status;
wbcErr wbc_status;
struct wbcAuthUserParams params;
struct wbcAuthUserInfo *info = NULL;
struct wbcAuthErrorInfo *err = NULL;
if (!user_info || !auth_context || !server_info) {
return NT_STATUS_INVALID_PARAMETER;
}
/* Send off request */
params.account_name = user_info->smb_name;
params.domain_name = user_info->domain;
params.workstation_name = user_info->wksta_name;
params.flags = 0;
params.parameter_control= user_info->logon_parameters;
/* Handle plaintext */
if (!user_info->encrypted) {
DEBUG(3,("Checking plaintext password for %s.\n",
user_info->internal_username));
params.level = WBC_AUTH_USER_LEVEL_PLAIN;
params.password.plaintext = (char *)user_info->plaintext_password.data;
} else {
DEBUG(3,("Checking encrypted password for %s.\n",
user_info->internal_username));
params.level = WBC_AUTH_USER_LEVEL_RESPONSE;
memcpy(params.password.response.challenge,
auth_context->challenge.data,
sizeof(params.password.response.challenge));
params.password.response.nt_length = user_info->nt_resp.length;
params.password.response.nt_data = user_info->nt_resp.data;
params.password.response.lm_length = user_info->lm_resp.length;
params.password.response.lm_data = user_info->lm_resp.data;
}
/* we are contacting the privileged pipe */
become_root();
wbc_status = wbcAuthenticateUserEx(¶ms, &info, &err);
unbecome_root();
if (!WBC_ERROR_IS_OK(wbc_status)) {
DEBUG(10,("wbcAuthenticateUserEx failed (%d): %s\n",
wbc_status, wbcErrorString(wbc_status)));
}
if (wbc_status == WBC_ERR_NO_MEMORY) {
return NT_STATUS_NO_MEMORY;
}
if (wbc_status == WBC_ERR_AUTH_ERROR) {
nt_status = NT_STATUS(err->nt_status);
wbcFreeMemory(err);
return nt_status;
}
if (!WBC_ERROR_IS_OK(wbc_status)) {
return NT_STATUS_LOGON_FAILURE;
}
DEBUG(10,("wbcAuthenticateUserEx succeeded\n"));
nt_status = make_server_info_wbcAuthUserInfo(mem_ctx,
user_info->smb_name,
user_info->domain,
info, server_info);
wbcFreeMemory(info);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
(*server_info)->nss_token |= user_info->was_mapped;
return nt_status;
}
static NTSTATUS check_winbind_security(const struct auth_context *auth_context,
void *my_private_data,
TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
struct auth_serversupplied_info **server_info)
{
NTSTATUS nt_status;
wbcErr wbc_status;
struct wbcAuthUserParams params;
struct wbcAuthUserInfo *info = NULL;
struct wbcAuthErrorInfo *err = NULL;
ZERO_STRUCT(params);
if (!user_info) {
return NT_STATUS_INVALID_PARAMETER;
}
DEBUG(10, ("Check auth for: [%s]\n", user_info->mapped.account_name));
if (!auth_context) {
DEBUG(3,("Password for user %s cannot be checked because we have no auth_info to get the challenge from.\n",
user_info->mapped.account_name));
return NT_STATUS_INVALID_PARAMETER;
}
if (strequal(user_info->mapped.domain_name, get_global_sam_name())) {
DEBUG(3,("check_winbind_security: Not using winbind, requested domain [%s] was for this SAM.\n",
user_info->mapped.domain_name));
return NT_STATUS_NOT_IMPLEMENTED;
}
/* Send off request */
params.account_name = user_info->client.account_name;
/*
* We need to send the domain name from the client to the DC. With
* NTLMv2 the domain name is part of the hashed second challenge,
* if we change the domain name, the DC will fail to verify the
* challenge cause we changed the domain name, this is like a
* man in the middle attack.
*/
params.domain_name = user_info->client.domain_name;
params.workstation_name = user_info->workstation_name;
params.flags = 0;
params.parameter_control= user_info->logon_parameters;
params.level = WBC_AUTH_USER_LEVEL_RESPONSE;
memcpy(params.password.response.challenge,
auth_context->challenge.data,
sizeof(params.password.response.challenge));
if (user_info->password.response.nt.length != 0) {
params.password.response.nt_length =
user_info->password.response.nt.length;
params.password.response.nt_data =
user_info->password.response.nt.data;
}
if (user_info->password.response.lanman.length != 0) {
params.password.response.lm_length =
user_info->password.response.lanman.length;
params.password.response.lm_data =
user_info->password.response.lanman.data;
}
/* we are contacting the privileged pipe */
become_root();
wbc_status = wbcAuthenticateUserEx(¶ms, &info, &err);
unbecome_root();
if (!WBC_ERROR_IS_OK(wbc_status)) {
DEBUG(10,("check_winbind_security: wbcAuthenticateUserEx failed: %s\n",
wbcErrorString(wbc_status)));
}
if (wbc_status == WBC_ERR_NO_MEMORY) {
return NT_STATUS_NO_MEMORY;
}
if (wbc_status == WBC_ERR_WINBIND_NOT_AVAILABLE) {
struct auth_methods *auth_method =
(struct auth_methods *)my_private_data;
if ( auth_method )
return auth_method->auth(auth_context, auth_method->private_data,
mem_ctx, user_info, server_info);
return NT_STATUS_LOGON_FAILURE;
}
if (wbc_status == WBC_ERR_AUTH_ERROR) {
nt_status = NT_STATUS(err->nt_status);
wbcFreeMemory(err);
return nt_status;
}
if (!WBC_ERROR_IS_OK(wbc_status)) {
return NT_STATUS_LOGON_FAILURE;
}
nt_status = make_server_info_wbcAuthUserInfo(mem_ctx,
user_info->client.account_name,
user_info->mapped.domain_name,
info, server_info);
wbcFreeMemory(info);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
(*server_info)->nss_token |= user_info->was_mapped;
return nt_status;
}
NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
const char *cli_name,
const char *princ_name,
struct PAC_LOGON_INFO *logon_info,
bool *is_mapped,
bool *mapped_to_guest,
char **ntuser,
char **ntdomain,
char **username,
struct passwd **_pw)
{
NTSTATUS status;
char *domain = NULL;
char *realm = NULL;
char *user = NULL;
char *p;
char *fuser = NULL;
char *unixuser = NULL;
struct passwd *pw = NULL;
DEBUG(3, ("Kerberos ticket principal name is [%s]\n", princ_name));
p = strchr_m(princ_name, '@');
if (!p) {
DEBUG(3, ("[%s] Doesn't look like a valid principal\n",
princ_name));
return NT_STATUS_LOGON_FAILURE;
}
user = talloc_strndup(mem_ctx, princ_name, p - princ_name);
if (!user) {
return NT_STATUS_NO_MEMORY;
}
realm = talloc_strdup(talloc_tos(), p + 1);
if (!realm) {
return NT_STATUS_NO_MEMORY;
}
if (!strequal(realm, lp_realm())) {
DEBUG(3, ("Ticket for foreign realm %s@%s\n", user, realm));
if (!lp_allow_trusted_domains()) {
return NT_STATUS_LOGON_FAILURE;
}
}
if (logon_info && logon_info->info3.base.domain.string) {
domain = talloc_strdup(mem_ctx,
logon_info->info3.base.domain.string);
if (!domain) {
return NT_STATUS_NO_MEMORY;
}
DEBUG(10, ("Domain is [%s] (using PAC)\n", domain));
} else {
/* If we have winbind running, we can (and must) shorten the
username by using the short netbios name. Otherwise we will
have inconsistent user names. With Kerberos, we get the
fully qualified realm, with ntlmssp we get the short
name. And even w2k3 does use ntlmssp if you for example
connect to an ip address. */
wbcErr wbc_status;
struct wbcDomainInfo *info = NULL;
DEBUG(10, ("Mapping [%s] to short name using winbindd\n",
realm));
wbc_status = wbcDomainInfo(realm, &info);
if (WBC_ERROR_IS_OK(wbc_status)) {
domain = talloc_strdup(mem_ctx,
info->short_name);
wbcFreeMemory(info);
} else {
DEBUG(3, ("Could not find short name: %s\n",
wbcErrorString(wbc_status)));
domain = talloc_strdup(mem_ctx, realm);
}
if (!domain) {
return NT_STATUS_NO_MEMORY;
}
DEBUG(10, ("Domain is [%s] (using Winbind)\n", domain));
}
fuser = talloc_asprintf(mem_ctx,
"%s%c%s",
domain,
*lp_winbind_separator(),
user);
if (!fuser) {
return NT_STATUS_NO_MEMORY;
}
*is_mapped = map_username(mem_ctx, fuser, &fuser);
if (!fuser) {
return NT_STATUS_NO_MEMORY;
}
pw = smb_getpwnam(mem_ctx, fuser, &unixuser, true);
if (pw) {
if (!unixuser) {
return NT_STATUS_NO_MEMORY;
}
/* if a real user check pam account restrictions */
/* only really perfomed if "obey pam restriction" is true */
/* do this before an eventual mapping to guest occurs */
status = smb_pam_accountcheck(pw->pw_name, cli_name);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("PAM account restrictions prevent user "
"[%s] login\n", unixuser));
return status;
}
}
if (!pw) {
/* this was originally the behavior of Samba 2.2, if a user
did not have a local uid but has been authenticated, then
map them to a guest account */
if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID) {
*mapped_to_guest = true;
fuser = talloc_strdup(mem_ctx, lp_guestaccount());
if (!fuser) {
return NT_STATUS_NO_MEMORY;
}
pw = smb_getpwnam(mem_ctx, fuser, &unixuser, true);
}
/* extra sanity check that the guest account is valid */
if (!pw) {
DEBUG(1, ("Username %s is invalid on this system\n",
fuser));
return NT_STATUS_LOGON_FAILURE;
}
}
if (!unixuser) {
return NT_STATUS_NO_MEMORY;
}
*username = talloc_strdup(mem_ctx, unixuser);
if (!*username) {
return NT_STATUS_NO_MEMORY;
}
*ntuser = user;
*ntdomain = domain;
*_pw = pw;
return NT_STATUS_OK;
}
bool is_trusted_domain(const char* dom_name)
{
struct dom_sid trustdom_sid;
bool ret;
/* no trusted domains for a standalone server */
if ( lp_server_role() == ROLE_STANDALONE )
return false;
if (dom_name == NULL || dom_name[0] == '\0') {
return false;
}
if (strequal(dom_name, get_global_sam_name())) {
return false;
}
/* if we are a DC, then check for a direct trust relationships */
if ( IS_DC ) {
become_root();
DEBUG (5,("is_trusted_domain: Checking for domain trust with "
"[%s]\n", dom_name ));
ret = pdb_get_trusteddom_pw(dom_name, NULL, NULL, NULL);
unbecome_root();
if (ret)
return true;
}
else {
wbcErr result;
/* If winbind is around, ask it */
result = wb_is_trusted_domain(dom_name);
if (result == WBC_ERR_SUCCESS) {
return true;
}
if (result == WBC_ERR_DOMAIN_NOT_FOUND) {
/* winbind could not find the domain */
return false;
}
DEBUG(10, ("wb_is_trusted_domain returned error: %s\n",
wbcErrorString(result)));
/* The only other possible result is that winbind is not up
and running. We need to update the trustdom_cache
ourselves */
update_trustdom_cache();
}
/* now the trustdom cache should be available a DC could still
* have a transitive trust so fall back to the cache of trusted
* domains (like a domain member would use */
if ( trustdom_cache_fetch(dom_name, &trustdom_sid) ) {
return true;
}
return false;
}
/**
* @brief Convert a principal (as returned by @c gss_display_name) to a UID
*
* @param[in] name The principal of the user
* @param[out] uid The resulting UID
*
* @return true if successful, false otherwise
*/
bool principal2uid(char *principal, uid_t *uid, gid_t *gid)
#endif
{
#ifdef USE_NFSIDMAP
uid_t gss_uid = ANON_UID;
gid_t gss_gid = ANON_GID;
const gid_t *gss_gidres = NULL;
int rc;
bool success;
struct gsh_buffdesc princbuff = {
.addr = principal,
.len = strlen(principal)
};
#endif
if (nfs_param.nfsv4_param.use_getpwnam)
return false;
#ifdef USE_NFSIDMAP
PTHREAD_RWLOCK_rdlock(&idmapper_user_lock);
success =
idmapper_lookup_by_uname(&princbuff, &gss_uid, &gss_gidres, true);
if (success && gss_gidres)
gss_gid = *gss_gidres;
PTHREAD_RWLOCK_unlock(&idmapper_user_lock);
if (unlikely(!success)) {
if ((princbuff.len >= 4)
&& (!memcmp(princbuff.addr, "nfs/", 4)
|| !memcmp(princbuff.addr, "root/", 5)
|| !memcmp(princbuff.addr, "host/", 5))) {
/* NFSv4 specific features: RPCSEC_GSS will
* provide user like
*
* nfs/<host>
* root/<host>
* host/<host>
* choice is made to map them to root */
/* This is a "root" request made from the
hostbased nfs principal, use root */
*uid = 0;
return true;
}
/* nfs4_gss_princ_to_ids required to extract uid/gid
from gss creds */
rc = nfs4_gss_princ_to_ids("krb5", principal, &gss_uid,
&gss_gid);
if (rc) {
#ifdef _MSPAC_SUPPORT
bool found_uid = false;
bool found_gid = false;
if (gd->flags & SVC_RPC_GSS_FLAG_MSPAC) {
struct wbcAuthUserParams params;
wbcErr wbc_err;
struct wbcAuthUserInfo *info;
struct wbcAuthErrorInfo *error = NULL;
memset(¶ms, 0, sizeof(params));
params.level = WBC_AUTH_USER_LEVEL_PAC;
params.password.pac.data =
(uint8_t *) gd->pac.ms_pac.value;
params.password.pac.length =
gd->pac.ms_pac.length;
wbc_err =
wbcAuthenticateUserEx(¶ms, &info,
&error);
if (!WBC_ERROR_IS_OK(wbc_err)) {
LogCrit(COMPONENT_IDMAPPER,
"wbcAuthenticateUserEx returned %s",
wbcErrorString(wbc_err));
return false;
}
if (error) {
LogCrit(COMPONENT_IDMAPPER,
"nt_status: %s, display_string %s",
error->nt_string,
error->display_string);
wbcFreeMemory(error);
return false;
}
/* 1st SID is account sid, see wbclient.h */
wbc_err =
wbcSidToUid(&info->sids[0].sid, &gss_uid);
if (!WBC_ERROR_IS_OK(wbc_err)) {
LogCrit(COMPONENT_IDMAPPER,
"wbcSidToUid for uid returned %s",
wbcErrorString(wbc_err));
wbcFreeMemory(info);
return false;
}
/* 2nd SID is primary_group sid, see
wbclient.h */
wbc_err =
wbcSidToGid(&info->sids[1].sid, &gss_gid);
if (!WBC_ERROR_IS_OK(wbc_err)) {
LogCrit(COMPONENT_IDMAPPER,
"wbcSidToUid for gid returned %s\n",
wbcErrorString(wbc_err));
wbcFreeMemory(info);
return false;
}
wbcFreeMemory(info);
found_uid = true;
found_gid = true;
}
#endif /* _MSPAC_SUPPORT */
#ifdef _MSPAC_SUPPORT
if ((found_uid == true) && (found_gid == true))
goto principal_found;
#endif
return false;
}
#ifdef _MSPAC_SUPPORT
principal_found:
#endif
PTHREAD_RWLOCK_wrlock(&idmapper_user_lock);
success =
idmapper_add_user(&princbuff, gss_uid, &gss_gid, true);
PTHREAD_RWLOCK_unlock(&idmapper_user_lock);
if (!success) {
LogMajor(COMPONENT_IDMAPPER,
"idmapper_add_user(%s, %d, %d) failed",
principal, gss_uid, gss_gid);
}
}
*uid = gss_uid;
*gid = gss_gid;
return true;
#else /* !USE_NFSIDMAP */
assert(!"prohibited by configuration");
return false;
#endif
}
static NTSTATUS check_winbind_security(const struct auth_context *auth_context,
void *my_private_data,
TALLOC_CTX *mem_ctx,
const auth_usersupplied_info *user_info,
auth_serversupplied_info **server_info)
{
NTSTATUS nt_status;
wbcErr wbc_status;
struct wbcAuthUserParams params;
struct wbcAuthUserInfo *info = NULL;
struct wbcAuthErrorInfo *err = NULL;
if (!user_info) {
return NT_STATUS_INVALID_PARAMETER;
}
if (!auth_context) {
DEBUG(3,("Password for user %s cannot be checked because we have no auth_info to get the challenge from.\n",
user_info->internal_username));
return NT_STATUS_INVALID_PARAMETER;
}
if (strequal(user_info->domain, get_global_sam_name())) {
DEBUG(3,("check_winbind_security: Not using winbind, requested domain [%s] was for this SAM.\n",
user_info->domain));
return NT_STATUS_NOT_IMPLEMENTED;
}
/* Send off request */
params.account_name = user_info->smb_name;
params.domain_name = user_info->domain;
params.workstation_name = user_info->wksta_name;
params.flags = 0;
params.parameter_control= user_info->logon_parameters;
params.level = WBC_AUTH_USER_LEVEL_RESPONSE;
memcpy(params.password.response.challenge,
auth_context->challenge.data,
sizeof(params.password.response.challenge));
params.password.response.nt_length = user_info->nt_resp.length;
params.password.response.nt_data = user_info->nt_resp.data;
params.password.response.lm_length = user_info->lm_resp.length;
params.password.response.lm_data = user_info->lm_resp.data;
/* we are contacting the privileged pipe */
become_root();
wbc_status = wbcAuthenticateUserEx(¶ms, &info, &err);
unbecome_root();
if (!WBC_ERROR_IS_OK(wbc_status)) {
DEBUG(10,("check_winbind_security: wbcAuthenticateUserEx failed: %s\n",
wbcErrorString(wbc_status)));
}
if (wbc_status == WBC_ERR_NO_MEMORY) {
return NT_STATUS_NO_MEMORY;
}
if (wbc_status == WBC_ERR_WINBIND_NOT_AVAILABLE) {
struct auth_methods *auth_method =
(struct auth_methods *)my_private_data;
if ( auth_method )
return auth_method->auth(auth_context, auth_method->private_data,
mem_ctx, user_info, server_info);
else
/* log an error since this should not happen */
DEBUG(0,("check_winbind_security: ERROR! my_private_data == NULL!\n"));
}
if (wbc_status == WBC_ERR_AUTH_ERROR) {
nt_status = NT_STATUS(err->nt_status);
wbcFreeMemory(err);
return nt_status;
}
if (!WBC_ERROR_IS_OK(wbc_status)) {
return NT_STATUS_LOGON_FAILURE;
}
nt_status = make_server_info_wbcAuthUserInfo(mem_ctx,
user_info->smb_name,
user_info->domain,
info, server_info);
wbcFreeMemory(info);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
(*server_info)->nss_token |= user_info->was_mapped;
return nt_status;
}
static int net_idmap_restore(struct net_context *c, int argc, const char **argv)
{
TALLOC_CTX *ctx;
FILE *input;
if (c->display_usage) {
d_printf(_("Usage:\n"
"net idmap restore [inputfile]\n"
" Restore ID mappings from file\n"
" inputfile\tFile to load ID mappings from. If "
"not given, load data from stdin.\n"));
return 0;
}
if (! winbind_ping()) {
d_fprintf(stderr,
_("To use net idmap Winbindd must be running.\n"));
return -1;
}
ctx = talloc_new(NULL);
ALLOC_CHECK(ctx);
if (argc == 1) {
input = fopen(argv[0], "r");
} else {
input = stdin;
}
while (!feof(input)) {
char line[128], sid_string[128];
int len;
struct wbcDomainSid sid;
enum id_type type = ID_TYPE_NOT_SPECIFIED;
unsigned long idval;
wbcErr wbc_status;
if (fgets(line, 127, input) == NULL)
break;
len = strlen(line);
if ( (len > 0) && (line[len-1] == '\n') )
line[len-1] = '\0';
if (sscanf(line, "GID %lu %128s", &idval, sid_string) == 2) {
type = ID_TYPE_GID;
} else if (sscanf(line, "UID %lu %128s", &idval, sid_string) == 2) {
type = ID_TYPE_UID;
} else if (sscanf(line, "USER HWM %lu", &idval) == 1) {
/* set uid hwm */
wbc_status = wbcSetUidHwm(idval);
if (!WBC_ERROR_IS_OK(wbc_status)) {
d_fprintf(stderr,
_("Could not set USER HWM: %s\n"),
wbcErrorString(wbc_status));
}
continue;
} else if (sscanf(line, "GROUP HWM %lu", &idval) == 1) {
/* set gid hwm */
wbc_status = wbcSetGidHwm(idval);
if (!WBC_ERROR_IS_OK(wbc_status)) {
d_fprintf(stderr,
_("Could not set GROUP HWM: %s\n"),
wbcErrorString(wbc_status));
}
continue;
} else {
d_fprintf(stderr, _("ignoring invalid line [%s]\n"),
line);
continue;
}
wbc_status = wbcStringToSid(sid_string, &sid);
if (!WBC_ERROR_IS_OK(wbc_status)) {
d_fprintf(stderr, _("ignoring invalid sid [%s]: %s\n"),
sid_string, wbcErrorString(wbc_status));
continue;
}
if (type == ID_TYPE_UID) {
wbc_status = wbcSetUidMapping(idval, &sid);
} else {
wbc_status = wbcSetGidMapping(idval, &sid);
}
if (!WBC_ERROR_IS_OK(wbc_status)) {
d_fprintf(stderr,
_("Could not set mapping of %s %lu to sid %s: %s\n"),
(type == ID_TYPE_GID) ? "GID" : "UID",
idval, sid_string,
wbcErrorString(wbc_status));
continue;
}
}
if (input != stdin) {
fclose(input);
}
talloc_free(ctx);
return 0;
}
