search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
r2606: adding missing commits :-(
[Samba/gbeck.git] / source / nsswitch / winbindd_sid.c
blob97e676813dde211e1c14521834e49391d269025c
1 /*
2 Unix SMB/CIFS implementation.
3
4 Winbind daemon - sid related functions
5
6 Copyright (C) Tim Potter 2000
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
21 */
22
23 #include "includes.h"
24 #include "winbindd.h"
25
26 #undef DBGC_CLASS
27 #define DBGC_CLASS DBGC_WINBIND
28
29 /* Convert a string */
30
31 enum winbindd_result winbindd_lookupsid(struct winbindd_cli_state *state)
32 {
33 enum SID_NAME_USE type;
34 DOM_SID sid;
35 fstring name;
36 fstring dom_name;
37
38 /* Ensure null termination */
39 state->request.data.sid[sizeof(state->request.data.sid)-1]='\0';
40
41 DEBUG(3, ("[%5lu]: lookupsid %s\n", (unsigned long)state->pid,
42 state->request.data.sid));
43
44 /* Lookup sid from PDC using lsa_lookup_sids() */
45
46 if (!string_to_sid(&sid, state->request.data.sid)) {
47 DEBUG(5, ("%s not a SID\n", state->request.data.sid));
48 return WINBINDD_ERROR;
49 }
50
51 /* Lookup the sid */
52
53 if (!winbindd_lookup_name_by_sid(&sid, dom_name, name, &type)) {
54 return WINBINDD_ERROR;
55 }
56
57 fstrcpy(state->response.data.name.dom_name, dom_name);
58 fstrcpy(state->response.data.name.name, name);
59
60 state->response.data.name.type = type;
61
62 return WINBINDD_OK;
63 }
64
65
66 /**
67 * Look up the SID for a qualified name.
68 **/
69 enum winbindd_result winbindd_lookupname(struct winbindd_cli_state *state)
70 {
71 enum SID_NAME_USE type;
72 fstring sid_str;
73 char *name_domain, *name_user;
74 DOM_SID sid;
75 struct winbindd_domain *domain;
76 char *p;
77
78 /* Ensure null termination */
79 state->request.data.sid[sizeof(state->request.data.name.dom_name)-1]='\0';
80
81 /* Ensure null termination */
82 state->request.data.sid[sizeof(state->request.data.name.name)-1]='\0';
83
84 /* cope with the name being a fully qualified name */
85 p = strstr(state->request.data.name.name, lp_winbind_separator());
86 if (p) {
87 *p = 0;
88 name_domain = state->request.data.name.name;
89 name_user = p+1;
90 } else {
91 name_domain = state->request.data.name.dom_name;
92 name_user = state->request.data.name.name;
93 }
94
95 DEBUG(3, ("[%5lu]: lookupname %s%s%s\n", (unsigned long)state->pid,
96 name_domain, lp_winbind_separator(), name_user));
97
98 if ((domain = find_lookup_domain_from_name(name_domain)) == NULL) {
99 DEBUG(0, ("could not find domain entry for domain %s\n",
100 name_domain));
101 return WINBINDD_ERROR;
102 }
103
104 /* Lookup name from PDC using lsa_lookup_names() */
105 if (!winbindd_lookup_sid_by_name(domain, name_domain, name_user, &sid, &type)) {
106 return WINBINDD_ERROR;
107 }
108
109 sid_to_string(sid_str, &sid);
110 fstrcpy(state->response.data.sid.sid, sid_str);
111 state->response.data.sid.type = type;
112
113 return WINBINDD_OK;
114 }
115
116 /* Convert a sid to a uid. We assume we only have one rid attached to the
117 sid. */
118
119 enum winbindd_result winbindd_sid_to_uid(struct winbindd_cli_state *state)
120 {
121 DOM_SID sid;
122 NTSTATUS result;
123
124 /* Ensure null termination */
125 state->request.data.sid[sizeof(state->request.data.sid)-1]='\0';
126
127 DEBUG(3, ("[%5lu]: sid to uid %s\n", (unsigned long)state->pid,
128 state->request.data.sid));
129
130 if (!string_to_sid(&sid, state->request.data.sid)) {
131 DEBUG(1, ("Could not get convert sid %s from string\n", state->request.data.sid));
132 return WINBINDD_ERROR;
133 }
134
135 /* This gets a little tricky. If we assume that usernames are syncd between
136 /etc/passwd and the windows domain (such as a member of a Samba domain),
137 the we need to get the uid from the OS and not alocate one ourselves */
138
139 if ( lp_winbind_trusted_domains_only() ) {
140 struct winbindd_domain *domain = NULL;
141 DOM_SID sid2;
142 uint32 rid;
143
144 domain = find_our_domain();
145 if ( !domain ) {
146 DEBUG(0,("winbindd_sid_to_uid: can't find my own domain!\n"));
147 return WINBINDD_ERROR;
148 }
149
150 sid_copy( &sid2, &sid );
151 sid_split_rid( &sid2, &rid );
152
153 if ( sid_equal( &sid2, &domain->sid ) ) {
154
155 fstring domain_name;
156 fstring user;
157 enum SID_NAME_USE type;
158 struct passwd *pw = NULL;
159 unid_t id;
160
161 /* ok...here's we know that we are dealing with our
162 own domain (the one to which we are joined). And
163 we know that there must be a UNIX account for this user.
164 So we lookup the sid and the call getpwnam().*/
165
166
167 /* But first check and see if we don't already have a mapping */
168
169 if ( NT_STATUS_IS_OK(idmap_sid_to_uid(&sid, &(state->response.data.uid), ID_QUERY_ONLY)) )
170 return WINBINDD_OK;
171
172 /* now fall back to the hard way */
173
174 if ( !winbindd_lookup_name_by_sid(&sid, domain_name, user, &type) )
175 return WINBINDD_ERROR;
176
177 if ( !(pw = getpwnam(user)) ) {
178 DEBUG(0,("winbindd_sid_to_uid: 'winbind trusted domains only' is "
179 "set but this user [%s] doesn't exist!\n", user));
180 return WINBINDD_ERROR;
181 }
182
183 state->response.data.uid = pw->pw_uid;
184
185 id.uid = pw->pw_uid;
186 idmap_set_mapping( &sid, id, ID_USERID );
187
188 return WINBINDD_OK;
189 }
190
191 }
192
193 /* Find uid for this sid and return it */
194
195 result = idmap_sid_to_uid(&sid, &(state->response.data.uid),
196 ID_QUERY_ONLY);
197
198 if (NT_STATUS_IS_OK(result))
199 return WINBINDD_OK;
200
201 if (state->request.flags & WBFLAG_QUERY_ONLY)
202 return WINBINDD_ERROR;
203
204 /* The query-only did not work, allocate a new uid *if* it's a user */
205
206 {
207 fstring dom_name, name;
208 enum SID_NAME_USE type;
209
210 if (!winbindd_lookup_name_by_sid(&sid, dom_name, name, &type))
211 return WINBINDD_ERROR;
212
213 if ((type != SID_NAME_USER) && (type != SID_NAME_COMPUTER))
214 return WINBINDD_ERROR;
215 }
216
217 result = idmap_sid_to_uid(&sid, &(state->response.data.uid), 0);
218
219 if (NT_STATUS_IS_OK(result))
220 return WINBINDD_OK;
221
222 DEBUG(1, ("Could not get uid for sid %s\n", state->request.data.sid));
223 return WINBINDD_ERROR;
224 }
225
226 /* Convert a sid to a gid. We assume we only have one rid attached to the
227 sid.*/
228
229 enum winbindd_result winbindd_sid_to_gid(struct winbindd_cli_state *state)
230 {
231 DOM_SID sid;
232 NTSTATUS result;
233
234 /* Ensure null termination */
235 state->request.data.sid[sizeof(state->request.data.sid)-1]='\0';
236
237 DEBUG(3, ("[%5lu]: sid to gid %s\n", (unsigned long)state->pid,
238 state->request.data.sid));
239
240 if (!string_to_sid(&sid, state->request.data.sid)) {
241 DEBUG(1, ("Could not cvt string to sid %s\n", state->request.data.sid));
242 return WINBINDD_ERROR;
243 }
244
245 /* This gets a little tricky. If we assume that usernames are syncd between
246 /etc/passwd and the windows domain (such as a member of a Samba domain),
247 the we need to get the uid from the OS and not alocate one ourselves */
248
249 if ( lp_winbind_trusted_domains_only() ) {
250 struct winbindd_domain *domain = NULL;
251 DOM_SID sid2;
252 uint32 rid;
253 unid_t id;
254
255 domain = find_our_domain();
256 if ( !domain ) {
257 DEBUG(0,("winbindd_sid_to_uid: can't find my own domain!\n"));
258 return WINBINDD_ERROR;
259 }
260
261 sid_copy( &sid2, &sid );
262 sid_split_rid( &sid2, &rid );
263
264 if ( sid_equal( &sid2, &domain->sid ) ) {
265
266 fstring domain_name;
267 fstring group;
268 enum SID_NAME_USE type;
269 struct group *grp = NULL;
270
271 /* ok...here's we know that we are dealing with our
272 own domain (the one to which we are joined). And
273 we know that there must be a UNIX account for this group.
274 So we lookup the sid and the call getpwnam().*/
275
276 /* But first check and see if we don't already have a mapping */
277
278 if ( NT_STATUS_IS_OK(idmap_sid_to_gid(&sid, &(state->response.data.gid), ID_QUERY_ONLY)) )
279 return WINBINDD_OK;
280
281 /* now fall back to the hard way */
282
283 if ( !winbindd_lookup_name_by_sid(&sid, domain_name, group, &type) )
284 return WINBINDD_ERROR;
285
286 if ( !(grp = getgrnam(group)) ) {
287 DEBUG(0,("winbindd_sid_to_uid: 'winbind trusted domains only' is "
288 "set but this group [%s] doesn't exist!\n", group));
289 return WINBINDD_ERROR;
290 }
291
292 state->response.data.gid = grp->gr_gid;
293
294 id.gid = grp->gr_gid;
295 idmap_set_mapping( &sid, id, ID_GROUPID );
296
297 return WINBINDD_OK;
298 }
299
300 }
301
302 /* Find gid for this sid and return it */
303
304 result = idmap_sid_to_gid(&sid, &(state->response.data.gid),
305 ID_QUERY_ONLY);
306
307 if (NT_STATUS_IS_OK(result))
308 return WINBINDD_OK;
309
310 if (state->request.flags & WBFLAG_QUERY_ONLY)
311 return WINBINDD_ERROR;
312
313 /* The query-only did not work, allocate a new gid *if* it's a group */
314
315 {
316 fstring dom_name, name;
317 enum SID_NAME_USE type;
318
319 if (sid_check_is_in_our_domain(&sid)) {
320 /* This is for half-created aliases... */
321 type = SID_NAME_ALIAS;
322 } else {
323 /* Foreign domains need to be looked up by the DC if
324 * it's the right type */
325 if (!winbindd_lookup_name_by_sid(&sid, dom_name, name,
326 &type))
327 return WINBINDD_ERROR;
328 }
329
330 if ((type != SID_NAME_DOM_GRP) && (type != SID_NAME_ALIAS) &&
331 (type != SID_NAME_WKN_GRP))
332 return WINBINDD_ERROR;
333 }
334
335 result = idmap_sid_to_gid(&sid, &(state->response.data.gid), 0);
336
337 if (NT_STATUS_IS_OK(result))
338 return WINBINDD_OK;
339
340 DEBUG(1, ("Could not get gid for sid %s\n", state->request.data.sid));
341 return WINBINDD_ERROR;
342 }
343
344 /* Convert a uid to a sid */
345
346 enum winbindd_result winbindd_uid_to_sid(struct winbindd_cli_state *state)
347 {
348 DOM_SID sid;
349
350 DEBUG(3, ("[%5lu]: uid to sid %lu\n", (unsigned long)state->pid,
351 (unsigned long)state->request.data.uid));
352
353 if ( (state->request.data.uid < server_state.uid_low )
354 || (state->request.data.uid > server_state.uid_high) )
355 {
356 struct passwd *pw = NULL;
357 enum SID_NAME_USE type;
358 unid_t id;
359 struct winbindd_domain *domain;
360
361 /* SPECIAL CASE FOR MEMBERS OF SAMBA DOMAINS */
362
363 /* if we don't trust /etc/password then when can't know
364 anything about this uid */
365
366 if ( !lp_winbind_trusted_domains_only() )
367 return WINBINDD_ERROR;
368
369
370 /* look for an idmap entry first */
371
372 if ( NT_STATUS_IS_OK(idmap_uid_to_sid(&sid, state->request.data.uid)) )
373 goto done;
374
375 /* if users exist in /etc/passwd, we should try to
376 use that uid. Get the username and the lookup the SID */
377
378 if ( !(pw = getpwuid(state->request.data.uid)) )
379 return WINBINDD_ERROR;
380
381 if ( !(domain = find_our_domain()) ) {
382 DEBUG(0,("winbindd_uid_to_sid: can't find my own domain!\n"));
383 return WINBINDD_ERROR;
384 }
385
386 if ( !winbindd_lookup_sid_by_name(domain, domain->name, pw->pw_name, &sid, &type) )
387 return WINBINDD_ERROR;
388
389 if ( type != SID_NAME_USER )
390 return WINBINDD_ERROR;
391
392 /* don't fail if we can't store it */
393
394 id.uid = pw->pw_uid;
395 idmap_set_mapping( &sid, id, ID_USERID );
396
397 goto done;
398 }
399
400 /* Lookup rid for this uid */
401
402 if (!NT_STATUS_IS_OK(idmap_uid_to_sid(&sid, state->request.data.uid))) {
403 DEBUG(1, ("Could not convert uid %lu to rid\n",
404 (unsigned long)state->request.data.uid));
405 return WINBINDD_ERROR;
406 }
407
408 done:
409 sid_to_string(state->response.data.sid.sid, &sid);
410 state->response.data.sid.type = SID_NAME_USER;
411
412 return WINBINDD_OK;
413 }
414
415 /* Convert a gid to a sid */
416
417 enum winbindd_result winbindd_gid_to_sid(struct winbindd_cli_state *state)
418 {
419 DOM_SID sid;
420
421 DEBUG(3, ("[%5lu]: gid to sid %lu\n", (unsigned long)state->pid,
422 (unsigned long)state->request.data.gid));
423
424 if ( (state->request.data.gid < server_state.gid_low)
425 || (state->request.data.gid > server_state.gid_high) )
426 {
427 struct group *grp = NULL;
428 enum SID_NAME_USE type;
429 unid_t id;
430 struct winbindd_domain *domain;
431
432 /* SPECIAL CASE FOR MEMBERS OF SAMBA DOMAINS */
433
434 /* if we don't trust /etc/group then when can't know
435 anything about this gid */
436
437 if ( !lp_winbind_trusted_domains_only() )
438 return WINBINDD_ERROR;
439
440 /* look for an idmap entry first */
441
442 if ( NT_STATUS_IS_OK(idmap_gid_to_sid(&sid, state->request.data.gid)) )
443 goto done;
444
445 /* if users exist in /etc/group, we should try to
446 use that gid. Get the username and the lookup the SID */
447
448 if ( !(grp = getgrgid(state->request.data.gid)) )
449 return WINBINDD_ERROR;
450
451 if ( !(domain = find_our_domain()) ) {
452 DEBUG(0,("winbindd_uid_to_sid: can't find my own domain!\n"));
453 return WINBINDD_ERROR;
454 }
455
456 if ( !winbindd_lookup_sid_by_name(domain, domain->name, grp->gr_name, &sid, &type) )
457 return WINBINDD_ERROR;
458
459 if ( type!=SID_NAME_DOM_GRP && type!=SID_NAME_ALIAS )
460 return WINBINDD_ERROR;
461
462 /* don't fail if we can't store it */
463
464 id.gid = grp->gr_gid;
465 idmap_set_mapping( &sid, id, ID_GROUPID );
466
467 goto done;
468 }
469
470 /* Lookup sid for this uid */
471
472 if (!NT_STATUS_IS_OK(idmap_gid_to_sid(&sid, state->request.data.gid))) {
473 DEBUG(1, ("Could not convert gid %lu to sid\n",
474 (unsigned long)state->request.data.gid));
475 return WINBINDD_ERROR;
476 }
477
478 done:
479 /* Construct sid and return it */
480 sid_to_string(state->response.data.sid.sid, &sid);
481 state->response.data.sid.type = SID_NAME_DOM_GRP;
482
483 return WINBINDD_OK;
484 }
485
486 enum winbindd_result winbindd_allocate_rid(struct winbindd_cli_state *state)
487 {
488 if ( !state->privileged ) {
489 DEBUG(2, ("winbindd_allocate_rid: non-privileged access "
490 "denied!\n"));
491 return WINBINDD_ERROR;
492 }
493
494 /* We tell idmap to always allocate a user RID. There might be a good
495 * reason to keep RID allocation for users to even and groups to
496 * odd. This needs discussion I think. For now only allocate user
497 * rids. */
498
499 if (!NT_STATUS_IS_OK(idmap_allocate_rid(&state->response.data.rid,
500 USER_RID_TYPE)))
501 return WINBINDD_ERROR;
502
503 return WINBINDD_OK;
504 }
WIP