2 Unix SMB/CIFS implementation.
4 Winbind daemon - sid related functions
6 Copyright (C) Tim Potter 2000
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
27 #define DBGC_CLASS DBGC_WINBIND
29 /* Convert a string */
31 enum winbindd_result
winbindd_lookupsid(struct winbindd_cli_state
*state
)
33 enum SID_NAME_USE type
;
38 /* Ensure null termination */
39 state
->request
.data
.sid
[sizeof(state
->request
.data
.sid
)-1]='\0';
41 DEBUG(3, ("[%5lu]: lookupsid %s\n", (unsigned long)state
->pid
,
42 state
->request
.data
.sid
));
44 /* Lookup sid from PDC using lsa_lookup_sids() */
46 if (!string_to_sid(&sid
, state
->request
.data
.sid
)) {
47 DEBUG(5, ("%s not a SID\n", state
->request
.data
.sid
));
48 return WINBINDD_ERROR
;
53 if (!winbindd_lookup_name_by_sid(&sid
, dom_name
, name
, &type
)) {
54 return WINBINDD_ERROR
;
57 fstrcpy(state
->response
.data
.name
.dom_name
, dom_name
);
58 fstrcpy(state
->response
.data
.name
.name
, name
);
60 state
->response
.data
.name
.type
= type
;
67 * Look up the SID for a qualified name.
69 enum winbindd_result
winbindd_lookupname(struct winbindd_cli_state
*state
)
71 enum SID_NAME_USE type
;
73 char *name_domain
, *name_user
;
75 struct winbindd_domain
*domain
;
78 /* Ensure null termination */
79 state
->request
.data
.sid
[sizeof(state
->request
.data
.name
.dom_name
)-1]='\0';
81 /* Ensure null termination */
82 state
->request
.data
.sid
[sizeof(state
->request
.data
.name
.name
)-1]='\0';
84 /* cope with the name being a fully qualified name */
85 p
= strstr(state
->request
.data
.name
.name
, lp_winbind_separator());
88 name_domain
= state
->request
.data
.name
.name
;
91 name_domain
= state
->request
.data
.name
.dom_name
;
92 name_user
= state
->request
.data
.name
.name
;
95 DEBUG(3, ("[%5lu]: lookupname %s%s%s\n", (unsigned long)state
->pid
,
96 name_domain
, lp_winbind_separator(), name_user
));
98 if ((domain
= find_lookup_domain_from_name(name_domain
)) == NULL
) {
99 DEBUG(0, ("could not find domain entry for domain %s\n",
101 return WINBINDD_ERROR
;
104 /* Lookup name from PDC using lsa_lookup_names() */
105 if (!winbindd_lookup_sid_by_name(domain
, name_domain
, name_user
, &sid
, &type
)) {
106 return WINBINDD_ERROR
;
109 sid_to_string(sid_str
, &sid
);
110 fstrcpy(state
->response
.data
.sid
.sid
, sid_str
);
111 state
->response
.data
.sid
.type
= type
;
116 /* Convert a sid to a uid. We assume we only have one rid attached to the
119 enum winbindd_result
winbindd_sid_to_uid(struct winbindd_cli_state
*state
)
124 /* Ensure null termination */
125 state
->request
.data
.sid
[sizeof(state
->request
.data
.sid
)-1]='\0';
127 DEBUG(3, ("[%5lu]: sid to uid %s\n", (unsigned long)state
->pid
,
128 state
->request
.data
.sid
));
130 if (!string_to_sid(&sid
, state
->request
.data
.sid
)) {
131 DEBUG(1, ("Could not get convert sid %s from string\n", state
->request
.data
.sid
));
132 return WINBINDD_ERROR
;
135 /* This gets a little tricky. If we assume that usernames are syncd between
136 /etc/passwd and the windows domain (such as a member of a Samba domain),
137 the we need to get the uid from the OS and not alocate one ourselves */
139 if ( lp_winbind_trusted_domains_only() ) {
140 struct winbindd_domain
*domain
= NULL
;
144 domain
= find_our_domain();
146 DEBUG(0,("winbindd_sid_to_uid: can't find my own domain!\n"));
147 return WINBINDD_ERROR
;
150 sid_copy( &sid2
, &sid
);
151 sid_split_rid( &sid2
, &rid
);
153 if ( sid_equal( &sid2
, &domain
->sid
) ) {
157 enum SID_NAME_USE type
;
158 struct passwd
*pw
= NULL
;
161 /* ok...here's we know that we are dealing with our
162 own domain (the one to which we are joined). And
163 we know that there must be a UNIX account for this user.
164 So we lookup the sid and the call getpwnam().*/
167 /* But first check and see if we don't already have a mapping */
169 if ( NT_STATUS_IS_OK(idmap_sid_to_uid(&sid
, &(state
->response
.data
.uid
), ID_QUERY_ONLY
)) )
172 /* now fall back to the hard way */
174 if ( !winbindd_lookup_name_by_sid(&sid
, domain_name
, user
, &type
) )
175 return WINBINDD_ERROR
;
177 if ( !(pw
= getpwnam(user
)) ) {
178 DEBUG(0,("winbindd_sid_to_uid: 'winbind trusted domains only' is "
179 "set but this user [%s] doesn't exist!\n", user
));
180 return WINBINDD_ERROR
;
183 state
->response
.data
.uid
= pw
->pw_uid
;
186 idmap_set_mapping( &sid
, id
, ID_USERID
);
193 /* Find uid for this sid and return it */
195 result
= idmap_sid_to_uid(&sid
, &(state
->response
.data
.uid
),
198 if (NT_STATUS_IS_OK(result
))
201 if (state
->request
.flags
& WBFLAG_QUERY_ONLY
)
202 return WINBINDD_ERROR
;
204 /* The query-only did not work, allocate a new uid *if* it's a user */
207 fstring dom_name
, name
;
208 enum SID_NAME_USE type
;
210 if (!winbindd_lookup_name_by_sid(&sid
, dom_name
, name
, &type
))
211 return WINBINDD_ERROR
;
213 if ((type
!= SID_NAME_USER
) && (type
!= SID_NAME_COMPUTER
))
214 return WINBINDD_ERROR
;
217 result
= idmap_sid_to_uid(&sid
, &(state
->response
.data
.uid
), 0);
219 if (NT_STATUS_IS_OK(result
))
222 DEBUG(1, ("Could not get uid for sid %s\n", state
->request
.data
.sid
));
223 return WINBINDD_ERROR
;
226 /* Convert a sid to a gid. We assume we only have one rid attached to the
229 enum winbindd_result
winbindd_sid_to_gid(struct winbindd_cli_state
*state
)
234 /* Ensure null termination */
235 state
->request
.data
.sid
[sizeof(state
->request
.data
.sid
)-1]='\0';
237 DEBUG(3, ("[%5lu]: sid to gid %s\n", (unsigned long)state
->pid
,
238 state
->request
.data
.sid
));
240 if (!string_to_sid(&sid
, state
->request
.data
.sid
)) {
241 DEBUG(1, ("Could not cvt string to sid %s\n", state
->request
.data
.sid
));
242 return WINBINDD_ERROR
;
245 /* This gets a little tricky. If we assume that usernames are syncd between
246 /etc/passwd and the windows domain (such as a member of a Samba domain),
247 the we need to get the uid from the OS and not alocate one ourselves */
249 if ( lp_winbind_trusted_domains_only() ) {
250 struct winbindd_domain
*domain
= NULL
;
255 domain
= find_our_domain();
257 DEBUG(0,("winbindd_sid_to_uid: can't find my own domain!\n"));
258 return WINBINDD_ERROR
;
261 sid_copy( &sid2
, &sid
);
262 sid_split_rid( &sid2
, &rid
);
264 if ( sid_equal( &sid2
, &domain
->sid
) ) {
268 enum SID_NAME_USE type
;
269 struct group
*grp
= NULL
;
271 /* ok...here's we know that we are dealing with our
272 own domain (the one to which we are joined). And
273 we know that there must be a UNIX account for this group.
274 So we lookup the sid and the call getpwnam().*/
276 /* But first check and see if we don't already have a mapping */
278 if ( NT_STATUS_IS_OK(idmap_sid_to_gid(&sid
, &(state
->response
.data
.gid
), ID_QUERY_ONLY
)) )
281 /* now fall back to the hard way */
283 if ( !winbindd_lookup_name_by_sid(&sid
, domain_name
, group
, &type
) )
284 return WINBINDD_ERROR
;
286 if ( !(grp
= getgrnam(group
)) ) {
287 DEBUG(0,("winbindd_sid_to_uid: 'winbind trusted domains only' is "
288 "set but this group [%s] doesn't exist!\n", group
));
289 return WINBINDD_ERROR
;
292 state
->response
.data
.gid
= grp
->gr_gid
;
294 id
.gid
= grp
->gr_gid
;
295 idmap_set_mapping( &sid
, id
, ID_GROUPID
);
302 /* Find gid for this sid and return it */
304 result
= idmap_sid_to_gid(&sid
, &(state
->response
.data
.gid
),
307 if (NT_STATUS_IS_OK(result
))
310 if (state
->request
.flags
& WBFLAG_QUERY_ONLY
)
311 return WINBINDD_ERROR
;
313 /* The query-only did not work, allocate a new gid *if* it's a group */
316 fstring dom_name
, name
;
317 enum SID_NAME_USE type
;
319 if (sid_check_is_in_our_domain(&sid
)) {
320 /* This is for half-created aliases... */
321 type
= SID_NAME_ALIAS
;
323 /* Foreign domains need to be looked up by the DC if
324 * it's the right type */
325 if (!winbindd_lookup_name_by_sid(&sid
, dom_name
, name
,
327 return WINBINDD_ERROR
;
330 if ((type
!= SID_NAME_DOM_GRP
) && (type
!= SID_NAME_ALIAS
) &&
331 (type
!= SID_NAME_WKN_GRP
))
332 return WINBINDD_ERROR
;
335 result
= idmap_sid_to_gid(&sid
, &(state
->response
.data
.gid
), 0);
337 if (NT_STATUS_IS_OK(result
))
340 DEBUG(1, ("Could not get gid for sid %s\n", state
->request
.data
.sid
));
341 return WINBINDD_ERROR
;
344 /* Convert a uid to a sid */
346 enum winbindd_result
winbindd_uid_to_sid(struct winbindd_cli_state
*state
)
350 DEBUG(3, ("[%5lu]: uid to sid %lu\n", (unsigned long)state
->pid
,
351 (unsigned long)state
->request
.data
.uid
));
353 if ( (state
->request
.data
.uid
< server_state
.uid_low
)
354 || (state
->request
.data
.uid
> server_state
.uid_high
) )
356 struct passwd
*pw
= NULL
;
357 enum SID_NAME_USE type
;
359 struct winbindd_domain
*domain
;
361 /* SPECIAL CASE FOR MEMBERS OF SAMBA DOMAINS */
363 /* if we don't trust /etc/password then when can't know
364 anything about this uid */
366 if ( !lp_winbind_trusted_domains_only() )
367 return WINBINDD_ERROR
;
370 /* look for an idmap entry first */
372 if ( NT_STATUS_IS_OK(idmap_uid_to_sid(&sid
, state
->request
.data
.uid
)) )
375 /* if users exist in /etc/passwd, we should try to
376 use that uid. Get the username and the lookup the SID */
378 if ( !(pw
= getpwuid(state
->request
.data
.uid
)) )
379 return WINBINDD_ERROR
;
381 if ( !(domain
= find_our_domain()) ) {
382 DEBUG(0,("winbindd_uid_to_sid: can't find my own domain!\n"));
383 return WINBINDD_ERROR
;
386 if ( !winbindd_lookup_sid_by_name(domain
, domain
->name
, pw
->pw_name
, &sid
, &type
) )
387 return WINBINDD_ERROR
;
389 if ( type
!= SID_NAME_USER
)
390 return WINBINDD_ERROR
;
392 /* don't fail if we can't store it */
395 idmap_set_mapping( &sid
, id
, ID_USERID
);
400 /* Lookup rid for this uid */
402 if (!NT_STATUS_IS_OK(idmap_uid_to_sid(&sid
, state
->request
.data
.uid
))) {
403 DEBUG(1, ("Could not convert uid %lu to rid\n",
404 (unsigned long)state
->request
.data
.uid
));
405 return WINBINDD_ERROR
;
409 sid_to_string(state
->response
.data
.sid
.sid
, &sid
);
410 state
->response
.data
.sid
.type
= SID_NAME_USER
;
415 /* Convert a gid to a sid */
417 enum winbindd_result
winbindd_gid_to_sid(struct winbindd_cli_state
*state
)
421 DEBUG(3, ("[%5lu]: gid to sid %lu\n", (unsigned long)state
->pid
,
422 (unsigned long)state
->request
.data
.gid
));
424 if ( (state
->request
.data
.gid
< server_state
.gid_low
)
425 || (state
->request
.data
.gid
> server_state
.gid_high
) )
427 struct group
*grp
= NULL
;
428 enum SID_NAME_USE type
;
430 struct winbindd_domain
*domain
;
432 /* SPECIAL CASE FOR MEMBERS OF SAMBA DOMAINS */
434 /* if we don't trust /etc/group then when can't know
435 anything about this gid */
437 if ( !lp_winbind_trusted_domains_only() )
438 return WINBINDD_ERROR
;
440 /* look for an idmap entry first */
442 if ( NT_STATUS_IS_OK(idmap_gid_to_sid(&sid
, state
->request
.data
.gid
)) )
445 /* if users exist in /etc/group, we should try to
446 use that gid. Get the username and the lookup the SID */
448 if ( !(grp
= getgrgid(state
->request
.data
.gid
)) )
449 return WINBINDD_ERROR
;
451 if ( !(domain
= find_our_domain()) ) {
452 DEBUG(0,("winbindd_uid_to_sid: can't find my own domain!\n"));
453 return WINBINDD_ERROR
;
456 if ( !winbindd_lookup_sid_by_name(domain
, domain
->name
, grp
->gr_name
, &sid
, &type
) )
457 return WINBINDD_ERROR
;
459 if ( type
!=SID_NAME_DOM_GRP
&& type
!=SID_NAME_ALIAS
)
460 return WINBINDD_ERROR
;
462 /* don't fail if we can't store it */
464 id
.gid
= grp
->gr_gid
;
465 idmap_set_mapping( &sid
, id
, ID_GROUPID
);
470 /* Lookup sid for this uid */
472 if (!NT_STATUS_IS_OK(idmap_gid_to_sid(&sid
, state
->request
.data
.gid
))) {
473 DEBUG(1, ("Could not convert gid %lu to sid\n",
474 (unsigned long)state
->request
.data
.gid
));
475 return WINBINDD_ERROR
;
479 /* Construct sid and return it */
480 sid_to_string(state
->response
.data
.sid
.sid
, &sid
);
481 state
->response
.data
.sid
.type
= SID_NAME_DOM_GRP
;
486 enum winbindd_result
winbindd_allocate_rid(struct winbindd_cli_state
*state
)
488 if ( !state
->privileged
) {
489 DEBUG(2, ("winbindd_allocate_rid: non-privileged access "
491 return WINBINDD_ERROR
;
494 /* We tell idmap to always allocate a user RID. There might be a good
495 * reason to keep RID allocation for users to even and groups to
496 * odd. This needs discussion I think. For now only allocate user
499 if (!NT_STATUS_IS_OK(idmap_allocate_rid(&state
->response
.data
.rid
,
501 return WINBINDD_ERROR
;