search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
if we are adding a new sambaAccount, make sure that we add a
[Samba.git] / source / lib / domain_namemap.c
blob81b519a88d6342aca76d2f2cc1b086c0d3d640e4
1 /*
2 Unix SMB/Netbios implementation.
3 Version 1.9.
4 Groupname handling
5 Copyright (C) Jeremy Allison 1998.
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 2 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program; if not, write to the Free Software
19 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
20 */
21
22 /*
23 * UNIX gid and Local or Domain SID resolution. This module resolves
24 * only those entries in the map files, it is *NOT* responsible for
25 * resolving UNIX groups not listed: that is an entirely different
26 * matter, altogether...
27 */
28
29 /*
30 *
31 *
32
33 format of the file is:
34
35 unixname NT Group name
36 unixname Domain Admins (well-known Domain Group)
37 unixname DOMAIN_NAME\NT Group name
38 unixname OTHER_DOMAIN_NAME\NT Group name
39 unixname DOMAIN_NAME\Domain Admins (well-known Domain Group)
40 ....
41
42 if the DOMAIN_NAME\ component is left off, then your own domain is assumed.
43
44 *
45 *
46 */
47
48
49 #include "includes.h"
50
51 extern fstring global_myworkgroup;
52 extern DOM_SID global_member_sid;
53 extern fstring global_sam_name;
54 extern DOM_SID global_sam_sid;
55 extern DOM_SID global_sid_S_1_5_20;
56
57 /*******************************************************************
58 converts UNIX uid to an NT User RID. NOTE: IS SOMETHING SPECIFIC TO SAMBA
59 ********************************************************************/
60 static uid_t pwdb_user_rid_to_uid(uint32 user_rid)
61 {
62 return ((user_rid & (~RID_TYPE_USER))- 1000)/RID_MULTIPLIER;
63 }
64
65 /*******************************************************************
66 converts NT Group RID to a UNIX uid. NOTE: IS SOMETHING SPECIFIC TO SAMBA
67 ********************************************************************/
68 static uint32 pwdb_group_rid_to_gid(uint32 group_rid)
69 {
70 return ((group_rid & (~RID_TYPE_GROUP))- 1000)/RID_MULTIPLIER;
71 }
72
73 /*******************************************************************
74 converts NT Alias RID to a UNIX uid. NOTE: IS SOMETHING SPECIFIC TO SAMBA
75 ********************************************************************/
76 static uint32 pwdb_alias_rid_to_gid(uint32 alias_rid)
77 {
78 return ((alias_rid & (~RID_TYPE_ALIAS))- 1000)/RID_MULTIPLIER;
79 }
80
81 /*******************************************************************
82 converts NT Group RID to a UNIX uid. NOTE: IS SOMETHING SPECIFIC TO SAMBA
83 ********************************************************************/
84 static uint32 pwdb_gid_to_group_rid(uint32 gid)
85 {
86 uint32 grp_rid = ((((gid)*RID_MULTIPLIER) + 1000) | RID_TYPE_GROUP);
87 return grp_rid;
88 }
89
90 /******************************************************************
91 converts UNIX gid to an NT Alias RID. NOTE: IS SOMETHING SPECIFIC TO SAMBA
92 ********************************************************************/
93 static uint32 pwdb_gid_to_alias_rid(uint32 gid)
94 {
95 uint32 alias_rid = ((((gid)*RID_MULTIPLIER) + 1000) | RID_TYPE_ALIAS);
96 return alias_rid;
97 }
98
99 /*******************************************************************
100 converts UNIX uid to an NT User RID. NOTE: IS SOMETHING SPECIFIC TO SAMBA
101 ********************************************************************/
102 static uint32 pwdb_uid_to_user_rid(uint32 uid)
103 {
104 uint32 user_rid = ((((uid)*RID_MULTIPLIER) + 1000) | RID_TYPE_USER);
105 return user_rid;
106 }
107
108 /******************************************************************
109 converts SID + SID_NAME_USE type to a UNIX id. the Domain SID is,
110 and can only be, our own SID.
111 ********************************************************************/
112 static BOOL pwdb_sam_sid_to_unixid(DOM_SID *sid, uint8 type, uint32 *id)
113 {
114 DOM_SID tmp_sid;
115 uint32 rid;
116
117 sid_copy(&tmp_sid, sid);
118 sid_split_rid(&tmp_sid, &rid);
119 if (!sid_equal(&global_sam_sid, &tmp_sid))
120 {
121 return False;
122 }
123
124 switch (type)
125 {
126 case SID_NAME_USER:
127 {
128 *id = pwdb_user_rid_to_uid(rid);
129 return True;
130 }
131 case SID_NAME_ALIAS:
132 {
133 *id = pwdb_alias_rid_to_gid(rid);
134 return True;
135 }
136 case SID_NAME_DOM_GRP:
137 case SID_NAME_WKN_GRP:
138 {
139 *id = pwdb_group_rid_to_gid(rid);
140 return True;
141 }
142 }
143 return False;
144 }
145
146 /******************************************************************
147 converts UNIX gid + SID_NAME_USE type to a SID. the Domain SID is,
148 and can only be, our own SID.
149 ********************************************************************/
150 static BOOL pwdb_unixid_to_sam_sid(uint32 id, uint8 type, DOM_SID *sid)
151 {
152 sid_copy(sid, &global_sam_sid);
153 switch (type)
154 {
155 case SID_NAME_USER:
156 {
157 sid_append_rid(sid, pwdb_uid_to_user_rid(id));
158 return True;
159 }
160 case SID_NAME_ALIAS:
161 {
162 sid_append_rid(sid, pwdb_gid_to_alias_rid(id));
163 return True;
164 }
165 case SID_NAME_DOM_GRP:
166 case SID_NAME_WKN_GRP:
167 {
168 sid_append_rid(sid, pwdb_gid_to_group_rid(id));
169 return True;
170 }
171 }
172 return False;
173 }
174
175 /*******************************************************************
176 Decides if a RID is a well known RID.
177 ********************************************************************/
178 static BOOL pwdb_rid_is_well_known(uint32 rid)
179 {
180 return (rid < 1000);
181 }
182
183 /*******************************************************************
184 determines a rid's type. NOTE: THIS IS SOMETHING SPECIFIC TO SAMBA
185 ********************************************************************/
186 static uint32 pwdb_rid_type(uint32 rid)
187 {
188 /* lkcl i understand that NT attaches an enumeration to a RID
189 * such that it can be identified as either a user, group etc
190 * type: SID_ENUM_TYPE.
191 */
192 if (pwdb_rid_is_well_known(rid))
193 {
194 /*
195 * The only well known user RIDs are DOMAIN_USER_RID_ADMIN
196 * and DOMAIN_USER_RID_GUEST.
197 */
198 if (rid == DOMAIN_USER_RID_ADMIN || rid == DOMAIN_USER_RID_GUEST)
199 {
200 return RID_TYPE_USER;
201 }
202 if (DOMAIN_GROUP_RID_ADMINS <= rid && rid <= DOMAIN_GROUP_RID_GUESTS)
203 {
204 return RID_TYPE_GROUP;
205 }
206 if (BUILTIN_ALIAS_RID_ADMINS <= rid && rid <= BUILTIN_ALIAS_RID_REPLICATOR)
207 {
208 return RID_TYPE_ALIAS;
209 }
210 }
211 return (rid & RID_TYPE_MASK);
212 }
213
214 /*******************************************************************
215 checks whether rid is a user rid. NOTE: THIS IS SOMETHING SPECIFIC TO SAMBA
216 ********************************************************************/
217 BOOL pwdb_rid_is_user(uint32 rid)
218 {
219 return pwdb_rid_type(rid) == RID_TYPE_USER;
220 }
221
222 /**************************************************************************
223 Groupname map functionality. The code loads a groupname map file and
224 (currently) loads it into a linked list. This is slow and memory
225 hungry, but can be changed into a more efficient storage format
226 if the demands on it become excessive.
227 ***************************************************************************/
228
229 typedef struct name_map
230 {
231 ubi_slNode next;
232 DOM_NAME_MAP grp;
233
234 } name_map_entry;
235
236 static ubi_slList groupname_map_list;
237 static ubi_slList aliasname_map_list;
238 static ubi_slList ntusrname_map_list;
239
240 static void delete_name_entry(name_map_entry *gmep)
241 {
242 SAFE_FREE(gmep->grp.nt_name);
243 SAFE_FREE(gmep->grp.nt_domain);
244 SAFE_FREE(gmep->grp.unix_name);
245 SAFE_FREE(gmep);
246 }
247
248 /**************************************************************************
249 Delete all the entries in the name map list.
250 ***************************************************************************/
251
252 static void delete_map_list(ubi_slList *map_list)
253 {
254 name_map_entry *gmep;
255
256 while ((gmep = (name_map_entry *)ubi_slRemHead(map_list )) != NULL)
257 {
258 delete_name_entry(gmep);
259 }
260 }
261
262
263 /**************************************************************************
264 makes a group sid out of a domain sid and a _unix_ gid.
265 ***************************************************************************/
266 static BOOL make_mydomain_sid(DOM_NAME_MAP *grp, DOM_MAP_TYPE type)
267 {
268 int ret = False;
269 fstring sid_str;
270
271 if (!map_domain_name_to_sid(&grp->sid, &(grp->nt_domain)))
272 {
273 DEBUG(0,("make_mydomain_sid: unknown domain %s\n",
274 grp->nt_domain));
275 return False;
276 }
277
278 if (sid_equal(&grp->sid, &global_sid_S_1_5_20))
279 {
280 /*
281 * only builtin aliases are recognised in S-1-5-20
282 */
283 DEBUG(10,("make_mydomain_sid: group %s in builtin domain\n",
284 grp->nt_name));
285
286 if (lookup_builtin_alias_name(grp->nt_name, "BUILTIN", &grp->sid, &grp->type) != 0x0)
287 {
288 DEBUG(0,("unix group %s mapped to an unrecognised BUILTIN domain name %s\n",
289 grp->unix_name, grp->nt_name));
290 return False;
291 }
292 ret = True;
293 }
294 else if (lookup_wk_user_name(grp->nt_name, grp->nt_domain, &grp->sid, &grp->type) == 0x0)
295 {
296 if (type != DOM_MAP_USER)
297 {
298 DEBUG(0,("well-known NT user %s\\%s listed in wrong map file\n",
299 grp->nt_domain, grp->nt_name));
300 return False;
301 }
302 ret = True;
303 }
304 else if (lookup_wk_group_name(grp->nt_name, grp->nt_domain, &grp->sid, &grp->type) == 0x0)
305 {
306 if (type != DOM_MAP_DOMAIN)
307 {
308 DEBUG(0,("well-known NT group %s\\%s listed in wrong map file\n",
309 grp->nt_domain, grp->nt_name));
310 return False;
311 }
312 ret = True;
313 }
314 else
315 {
316 switch (type)
317 {
318 case DOM_MAP_USER:
319 {
320 grp->type = SID_NAME_USER;
321 break;
322 }
323 case DOM_MAP_DOMAIN:
324 {
325 grp->type = SID_NAME_DOM_GRP;
326 break;
327 }
328 case DOM_MAP_LOCAL:
329 {
330 grp->type = SID_NAME_ALIAS;
331 break;
332 }
333 }
334
335 ret = pwdb_unixid_to_sam_sid(grp->unix_id, grp->type, &grp->sid);
336 }
337
338 sid_to_string(sid_str, &grp->sid);
339 DEBUG(10,("nt name %s\\%s gid %d mapped to %s\n",
340 grp->nt_domain, grp->nt_name, grp->unix_id, sid_str));
341 return ret;
342 }
343
344 /**************************************************************************
345 makes a group sid out of an nt domain, nt group name or a unix group name.
346 ***************************************************************************/
347 static BOOL unix_name_to_nt_name_info(DOM_NAME_MAP *map, DOM_MAP_TYPE type)
348 {
349 /*
350 * Attempt to get the unix gid_t for this name.
351 */
352
353 DEBUG(5,("unix_name_to_nt_name_info: unix_name:%s\n", map->unix_name));
354
355 if (type == DOM_MAP_USER)
356 {
357 const struct passwd *pwptr = Get_Pwnam(map->unix_name, False);
358 if (pwptr == NULL)
359 {
360 DEBUG(0,("unix_name_to_nt_name_info: Get_Pwnam for user %s\
361 failed. Error was %s.\n", map->unix_name, strerror(errno) ));
362 return False;
363 }
364
365 map->unix_id = (uint32)pwptr->pw_uid;
366 }
367 else
368 {
369 struct group *gptr = getgrnam(map->unix_name);
370 if (gptr == NULL)
371 {
372 DEBUG(0,("unix_name_to_nt_name_info: getgrnam for group %s\
373 failed. Error was %s.\n", map->unix_name, strerror(errno) ));
374 return False;
375 }
376
377 map->unix_id = (uint32)gptr->gr_gid;
378 }
379
380 DEBUG(5,("unix_name_to_nt_name_info: unix gid:%d\n", map->unix_id));
381
382 /*
383 * Now map the name to an NT SID+RID.
384 */
385
386 if (map->nt_domain != NULL && !strequal(map->nt_domain, global_sam_name))
387 {
388 /* Must add client-call lookup code here, to
389 * resolve remote domain's sid and the group's rid,
390 * in that domain.
391 *
392 * NOTE: it is _incorrect_ to put code here that assumes
393 * we are responsible for lookups for foriegn domains' RIDs.
394 *
395 * for foriegn domains for which we are *NOT* the PDC, all
396 * we can be responsible for is the unix gid_t to which
397 * the foriegn SID+rid maps to, on this _local_ machine.
398 * we *CANNOT* make any short-cuts or assumptions about
399 * RIDs in a foriegn domain.
400 */
401
402 if (!map_domain_name_to_sid(&map->sid, &(map->nt_domain)))
403 {
404 DEBUG(0,("unix_name_to_nt_name_info: no known sid for %s\n",
405 map->nt_domain));
406 return False;
407 }
408 }
409
410 return make_mydomain_sid(map, type);
411 }
412
413 static BOOL make_name_entry(name_map_entry **new_ep,
414 char *nt_domain, char *nt_group, char *unix_group,
415 DOM_MAP_TYPE type)
416 {
417 /*
418 * Create the list entry and add it onto the list.
419 */
420
421 DEBUG(5,("make_name_entry:%s,%s,%s\n", nt_domain, nt_group, unix_group));
422
423 (*new_ep) = (name_map_entry *)malloc(sizeof(name_map_entry));
424 if ((*new_ep) == NULL)
425 {
426 DEBUG(0,("make_name_entry: malloc fail for name_map_entry.\n"));
427 return False;
428 }
429
430 ZERO_STRUCTP(*new_ep);
431
432 (*new_ep)->grp.nt_name = strdup(nt_group );
433 (*new_ep)->grp.nt_domain = strdup(nt_domain );
434 (*new_ep)->grp.unix_name = strdup(unix_group);
435
436 if ((*new_ep)->grp.nt_name == NULL ||
437 (*new_ep)->grp.unix_name == NULL)
438 {
439 DEBUG(0,("make_name_entry: malloc fail for names in name_map_entry.\n"));
440 delete_name_entry((*new_ep));
441 return False;
442 }
443
444 /*
445 * look up the group names, make the Group-SID and unix gid
446 */
447
448 if (!unix_name_to_nt_name_info(&(*new_ep)->grp, type))
449 {
450 delete_name_entry((*new_ep));
451 return False;
452 }
453
454 return True;
455 }
456
457 /**************************************************************************
458 Load a name map file. Sets last accessed timestamp.
459 ***************************************************************************/
460 static ubi_slList *load_name_map(DOM_MAP_TYPE type)
461 {
462 static time_t groupmap_file_last_modified = (time_t)0;
463 static time_t aliasmap_file_last_modified = (time_t)0;
464 static time_t ntusrmap_file_last_modified = (time_t)0;
465 static BOOL initialised_group = False;
466 static BOOL initialised_alias = False;
467 static BOOL initialised_ntusr = False;
468 char *groupname_map_file = lp_groupname_map();
469 char *aliasname_map_file = lp_aliasname_map();
470 char *ntusrname_map_file = lp_ntusrname_map();
471
472 FILE *fp;
473 char *s;
474 pstring buf;
475 name_map_entry *new_ep;
476
477 time_t *file_last_modified = NULL;
478 int *initialised = NULL;
479 char *map_file = NULL;
480 ubi_slList *map_list = NULL;
481
482 switch (type)
483 {
484 case DOM_MAP_DOMAIN:
485 {
486 file_last_modified = &groupmap_file_last_modified;
487 initialised = &initialised_group;
488 map_file = groupname_map_file;
489 map_list = &groupname_map_list;
490
491 break;
492 }
493 case DOM_MAP_LOCAL:
494 {
495 file_last_modified = &aliasmap_file_last_modified;
496 initialised = &initialised_alias;
497 map_file = aliasname_map_file;
498 map_list = &aliasname_map_list;
499
500 break;
501 }
502 case DOM_MAP_USER:
503 {
504 file_last_modified = &ntusrmap_file_last_modified;
505 initialised = &initialised_ntusr;
506 map_file = ntusrname_map_file;
507 map_list = &ntusrname_map_list;
508
509 break;
510 }
511 }
512
513 if (!(*initialised))
514 {
515 DEBUG(10,("initialising map %s\n", map_file));
516 ubi_slInitList(map_list);
517 (*initialised) = True;
518 }
519
520 if (!*map_file)
521 {
522 return map_list;
523 }
524
525 /*
526 * Load the file.
527 */
528
529 fp = open_file_if_modified(map_file, "r", file_last_modified);
530 if (!fp)
531 {
532 return map_list;
533 }
534
535 /*
536 * Throw away any previous list.
537 */
538 delete_map_list(map_list);
539
540 DEBUG(4,("load_name_map: Scanning name map %s\n",map_file));
541
542 while ((s = fgets_slash(buf, sizeof(buf), fp)) != NULL)
543 {
544 pstring unixname;
545 pstring nt_name;
546 fstring nt_domain;
547 fstring ntname;
548 char *p;
549
550 DEBUG(10,("Read line |%s|\n", s));
551
552 memset(nt_name, 0, sizeof(nt_name));
553
554 if (!*s || strchr("#;",*s))
555 continue;
556
557 if (!next_token(&s,unixname, "\t\n\r=", sizeof(unixname)))
558 continue;
559
560 if (!next_token(&s,nt_name, "\t\n\r=", sizeof(nt_name)))
561 continue;
562
563 trim_string(unixname, " ", " ");
564 trim_string(nt_name, " ", " ");
565
566 if (!*nt_name)
567 continue;
568
569 if (!*unixname)
570 continue;
571
572 p = strchr(nt_name, '\\');
573
574 if (p == NULL)
575 {
576 memset(nt_domain, 0, sizeof(nt_domain));
577 fstrcpy(ntname, nt_name);
578 }
579 else
580 {
581 *p = 0;
582 p++;
583 fstrcpy(nt_domain, nt_name);
584 fstrcpy(ntname , p);
585 }
586
587 if (make_name_entry(&new_ep, nt_domain, ntname, unixname, type))
588 {
589 ubi_slAddTail(map_list, (ubi_slNode *)new_ep);
590 DEBUG(5,("unixname = %s, ntname = %s\\%s type = %d\n",
591 new_ep->grp.unix_name,
592 new_ep->grp.nt_domain,
593 new_ep->grp.nt_name,
594 new_ep->grp.type));
595 }
596 }
597
598 DEBUG(10,("load_name_map: Added %ld entries to name map.\n",
599 ubi_slCount(map_list)));
600
601 fclose(fp);
602
603 return map_list;
604 }
605
606 static void copy_grp_map_entry(DOM_NAME_MAP *grp, const DOM_NAME_MAP *from)
607 {
608 sid_copy(&grp->sid, &from->sid);
609 grp->unix_id = from->unix_id;
610 grp->nt_name = from->nt_name;
611 grp->nt_domain = from->nt_domain;
612 grp->unix_name = from->unix_name;
613 grp->type = from->type;
614 }
615
616 #if 0
617 /***********************************************************
618 Lookup unix name.
619 ************************************************************/
620 static BOOL map_unixname(DOM_MAP_TYPE type,
621 char *unixname, DOM_NAME_MAP *grp_info)
622 {
623 name_map_entry *gmep;
624 ubi_slList *map_list;
625
626 /*
627 * Initialise and load if not already loaded.
628 */
629 map_list = load_name_map(type);
630
631 for (gmep = (name_map_entry *)ubi_slFirst(map_list);
632 gmep != NULL;
633 gmep = (name_map_entry *)ubi_slNext(gmep ))
634 {
635 if (strequal(gmep->grp.unix_name, unixname))
636 {
637 copy_grp_map_entry(grp_info, &gmep->grp);
638 DEBUG(7,("map_unixname: Mapping unix name %s to nt group %s.\n",
639 gmep->grp.unix_name, gmep->grp.nt_name ));
640 return True;
641 }
642 }
643
644 return False;
645 }
646
647 #endif
648
649 /***********************************************************
650 Lookup nt name.
651 ************************************************************/
652 static BOOL map_ntname(DOM_MAP_TYPE type, char *ntname, char *ntdomain,
653 DOM_NAME_MAP *grp_info)
654 {
655 name_map_entry *gmep;
656 ubi_slList *map_list;
657
658 /*
659 * Initialise and load if not already loaded.
660 */
661 map_list = load_name_map(type);
662
663 for (gmep = (name_map_entry *)ubi_slFirst(map_list);
664 gmep != NULL;
665 gmep = (name_map_entry *)ubi_slNext(gmep ))
666 {
667 if (strequal(gmep->grp.nt_name , ntname) &&
668 strequal(gmep->grp.nt_domain, ntdomain))
669 {
670 copy_grp_map_entry(grp_info, &gmep->grp);
671 DEBUG(7,("map_ntname: Mapping unix name %s to nt name %s.\n",
672 gmep->grp.unix_name, gmep->grp.nt_name ));
673 return True;
674 }
675 }
676
677 return False;
678 }
679
680
681 /***********************************************************
682 Lookup by SID
683 ************************************************************/
684 static BOOL map_sid(DOM_MAP_TYPE type,
685 DOM_SID *psid, DOM_NAME_MAP *grp_info)
686 {
687 name_map_entry *gmep;
688 ubi_slList *map_list;
689
690 /*
691 * Initialise and load if not already loaded.
692 */
693 map_list = load_name_map(type);
694
695 for (gmep = (name_map_entry *)ubi_slFirst(map_list);
696 gmep != NULL;
697 gmep = (name_map_entry *)ubi_slNext(gmep ))
698 {
699 if (sid_equal(&gmep->grp.sid, psid))
700 {
701 copy_grp_map_entry(grp_info, &gmep->grp);
702 DEBUG(7,("map_sid: Mapping unix name %s to nt name %s.\n",
703 gmep->grp.unix_name, gmep->grp.nt_name ));
704 return True;
705 }
706 }
707
708 return False;
709 }
710
711 /***********************************************************
712 Lookup by gid_t.
713 ************************************************************/
714 static BOOL map_unixid(DOM_MAP_TYPE type, uint32 unix_id, DOM_NAME_MAP *grp_info)
715 {
716 name_map_entry *gmep;
717 ubi_slList *map_list;
718
719 /*
720 * Initialise and load if not already loaded.
721 */
722 map_list = load_name_map(type);
723
724 for (gmep = (name_map_entry *)ubi_slFirst(map_list);
725 gmep != NULL;
726 gmep = (name_map_entry *)ubi_slNext(gmep ))
727 {
728 fstring sid_str;
729 sid_to_string(sid_str, &gmep->grp.sid);
730 DEBUG(10,("map_unixid: enum entry unix group %s %d nt %s %s\n",
731 gmep->grp.unix_name, gmep->grp.unix_id, gmep->grp.nt_name, sid_str));
732 if (gmep->grp.unix_id == unix_id)
733 {
734 copy_grp_map_entry(grp_info, &gmep->grp);
735 DEBUG(7,("map_unixid: Mapping unix name %s to nt name %s type %d\n",
736 gmep->grp.unix_name, gmep->grp.nt_name, gmep->grp.type));
737 return True;
738 }
739 }
740
741 return False;
742 }
743
744 /***********************************************************
745 *
746 * Call four functions to resolve unix group ids and either
747 * local group SIDs or domain group SIDs listed in the local group
748 * or domain group map files.
749 *
750 * Note that it is *NOT* the responsibility of these functions to
751 * resolve entries that are not in the map files.
752 *
753 * Any SID can be in the map files (i.e from any Domain).
754 *
755 ***********************************************************/
756
757 #if 0
758
759 /***********************************************************
760 Lookup a UNIX Group entry by name.
761 ************************************************************/
762 BOOL map_unix_group_name(char *group_name, DOM_NAME_MAP *grp_info)
763 {
764 return map_unixname(DOM_MAP_DOMAIN, group_name, grp_info);
765 }
766
767 /***********************************************************
768 Lookup a UNIX Alias entry by name.
769 ************************************************************/
770 BOOL map_unix_alias_name(char *alias_name, DOM_NAME_MAP *grp_info)
771 {
772 return map_unixname(DOM_MAP_LOCAL, alias_name, grp_info);
773 }
774
775 /***********************************************************
776 Lookup an Alias name entry
777 ************************************************************/
778 BOOL map_nt_alias_name(char *ntalias_name, char *nt_domain, DOM_NAME_MAP *grp_info)
779 {
780 return map_ntname(DOM_MAP_LOCAL, ntalias_name, nt_domain, grp_info);
781 }
782
783 /***********************************************************
784 Lookup a Group entry
785 ************************************************************/
786 BOOL map_nt_group_name(char *ntgroup_name, char *nt_domain, DOM_NAME_MAP *grp_info)
787 {
788 return map_ntname(DOM_MAP_DOMAIN, ntgroup_name, nt_domain, grp_info);
789 }
790
791 #endif
792
793 /***********************************************************
794 Lookup a Username entry by name.
795 ************************************************************/
796 static BOOL map_nt_username(char *nt_name, char *nt_domain, DOM_NAME_MAP *grp_info)
797 {
798 return map_ntname(DOM_MAP_USER, nt_name, nt_domain, grp_info);
799 }
800
801 /***********************************************************
802 Lookup a Username entry by SID.
803 ************************************************************/
804 static BOOL map_username_sid(DOM_SID *sid, DOM_NAME_MAP *grp_info)
805 {
806 return map_sid(DOM_MAP_USER, sid, grp_info);
807 }
808
809 /***********************************************************
810 Lookup a Username SID entry by uid.
811 ************************************************************/
812 static BOOL map_username_uid(uid_t gid, DOM_NAME_MAP *grp_info)
813 {
814 return map_unixid(DOM_MAP_USER, (uint32)gid, grp_info);
815 }
816
817 /***********************************************************
818 Lookup an Alias SID entry by name.
819 ************************************************************/
820 BOOL map_alias_sid(DOM_SID *psid, DOM_NAME_MAP *grp_info)
821 {
822 return map_sid(DOM_MAP_LOCAL, psid, grp_info);
823 }
824
825 /***********************************************************
826 Lookup a Group entry by sid.
827 ************************************************************/
828 BOOL map_group_sid(DOM_SID *psid, DOM_NAME_MAP *grp_info)
829 {
830 return map_sid(DOM_MAP_DOMAIN, psid, grp_info);
831 }
832
833 /***********************************************************
834 Lookup an Alias SID entry by gid_t.
835 ************************************************************/
836 static BOOL map_alias_gid(gid_t gid, DOM_NAME_MAP *grp_info)
837 {
838 return map_unixid(DOM_MAP_LOCAL, (uint32)gid, grp_info);
839 }
840
841 /***********************************************************
842 Lookup a Group SID entry by gid_t.
843 ************************************************************/
844 static BOOL map_group_gid( gid_t gid, DOM_NAME_MAP *grp_info)
845 {
846 return map_unixid(DOM_MAP_DOMAIN, (uint32)gid, grp_info);
847 }
848
849
850 /************************************************************************
851 Routine to look up User details by UNIX name
852 *************************************************************************/
853 BOOL lookupsmbpwnam(const char *unix_usr_name, DOM_NAME_MAP *grp)
854 {
855 uid_t uid;
856 DEBUG(10,("lookupsmbpwnam: unix user name %s\n", unix_usr_name));
857 if (nametouid(unix_usr_name, &uid))
858 {
859 return lookupsmbpwuid(uid, grp);
860 }
861 else
862 {
863 return False;
864 }
865 }
866
867 /************************************************************************
868 Routine to look up a remote nt name
869 *************************************************************************/
870 static BOOL lookup_remote_ntname(const char *ntname, DOM_SID *sid, uint8 *type)
871 {
872 struct cli_state cli;
873 POLICY_HND lsa_pol;
874 fstring srv_name;
875 extern struct ntuser_creds *usr_creds;
876 struct ntuser_creds usr;
877
878 BOOL res3 = True;
879 BOOL res4 = True;
880 uint32 num_sids;
881 DOM_SID *sids;
882 uint8 *types;
883 char *names[1];
884
885 usr_creds = &usr;
886
887 ZERO_STRUCT(usr);
888 pwd_set_nullpwd(&usr.pwd);
889
890 DEBUG(5,("lookup_remote_ntname: %s\n", ntname));
891
892 if (!cli_connect_serverlist(&cli, lp_passwordserver()))
893 {
894 return False;
895 }
896
897 names[0] = ntname;
898
899 fstrcpy(srv_name, "\\\\");
900 fstrcat(srv_name, cli.desthost);
901 strupper(srv_name);
902
903 /* lookup domain controller; receive a policy handle */
904 res3 = res3 ? lsa_open_policy( srv_name,
905 &lsa_pol, True) : False;
906
907 /* send lsa lookup sids call */
908 res4 = res3 ? lsa_lookup_names( &lsa_pol,
909 1, names,
910 &sids, &types, &num_sids) : False;
911
912 res3 = res3 ? lsa_close(&lsa_pol) : False;
913
914 if (res4 && res3 && sids != NULL && types != NULL)
915 {
916 sid_copy(sid, &sids[0]);
917 *type = types[0];
918 }
919 else
920 {
921 res3 = False;
922 }
923 SAFE_FREE(types);
924 SAFE_FREE(sids);
925
926 return res3 && res4;
927 }
928
929 /************************************************************************
930 Routine to look up a remote nt name
931 *************************************************************************/
932 static BOOL get_sid_and_type(const char *fullntname, uint8 expected_type,
933 DOM_NAME_MAP *gmep)
934 {
935 /*
936 * check with the PDC to see if it owns the name. if so,
937 * the SID is resolved with the PDC database.
938 */
939
940 if (lp_server_role() == ROLE_DOMAIN_MEMBER)
941 {
942 if (lookup_remote_ntname(fullntname, &gmep->sid, &gmep->type))
943 {
944 if (sid_front_equal(&gmep->sid, &global_member_sid) &&
945 strequal(gmep->nt_domain, global_myworkgroup) &&
946 gmep->type == expected_type)
947 {
948 return True;
949 }
950 return False;
951 }
952 }
953
954 /*
955 * ... otherwise, it's one of ours. map the sid ourselves,
956 * which can only happen in our own SAM database.
957 */
958
959 if (!strequal(gmep->nt_domain, global_sam_name))
960 {
961 return False;
962 }
963 if (!pwdb_unixid_to_sam_sid(gmep->unix_id, gmep->type, &gmep->sid))
964 {
965 return False;
966 }
967
968 return True;
969 }
970
971 /*
972 * used by lookup functions below
973 */
974
975 static fstring nt_name;
976 static fstring unix_name;
977 static fstring nt_domain;
978
979 /*************************************************************************
980 looks up a uid, returns User Information.
981 *************************************************************************/
982 BOOL lookupsmbpwuid(uid_t uid, DOM_NAME_MAP *gmep)
983 {
984 DEBUG(10,("lookupsmbpwuid: unix uid %d\n", uid));
985 if (map_username_uid(uid, gmep))
986 {
987 return True;
988 }
989 #if 0
990 if (lp_server_role() != ROLE_DOMAIN_NONE)
991 #endif
992 {
993 gmep->nt_name = nt_name;
994 gmep->unix_name = unix_name;
995 gmep->nt_domain = nt_domain;
996
997 gmep->unix_id = (uint32)uid;
998
999 /*
1000 * ok, assume it's one of ours. then double-check it
1001 * if we are a member of a domain
1002 */
1003
1004 gmep->type = SID_NAME_USER;
1005 fstrcpy(gmep->nt_name, uidtoname(uid));
1006 fstrcpy(gmep->unix_name, gmep->nt_name);
1007
1008 /*
1009 * here we should do a LsaLookupNames() call
1010 * to check the status of the name with the PDC.
1011 * if the PDC know nothing of the name, it's ours.
1012 */
1013
1014 if (lp_server_role() == ROLE_DOMAIN_MEMBER)
1015 {
1016 #if 0
1017 lsa_lookup_names(global_myworkgroup, gmep->nt_name, &gmep->sid...);
1018 #endif
1019 }
1020
1021 /*
1022 * ok, it's one of ours.
1023 */
1024
1025 gmep->nt_domain = global_sam_name;
1026 pwdb_unixid_to_sam_sid(gmep->unix_id, gmep->type, &gmep->sid);
1027
1028 return True;
1029 }
1030
1031 /* oops. */
1032
1033 return False;
1034 }
1035
1036 /*************************************************************************
1037 looks up by NT name, returns User Information.
1038 *************************************************************************/
1039 BOOL lookupsmbpwntnam(const char *fullntname, DOM_NAME_MAP *gmep)
1040 {
1041 DEBUG(10,("lookupsmbpwntnam: nt user name %s\n", fullntname));
1042
1043 if (!split_domain_name(fullntname, nt_domain, nt_name))
1044 {
1045 return False;
1046 }
1047
1048 if (map_nt_username(nt_name, nt_domain, gmep))
1049 {
1050 return True;
1051 }
1052 if (lp_server_role() != ROLE_DOMAIN_NONE)
1053 {
1054 uid_t uid;
1055 gmep->nt_name = nt_name;
1056 gmep->unix_name = unix_name;
1057 gmep->nt_domain = nt_domain;
1058
1059 /*
1060 * ok, it's one of ours. we therefore "create" an nt user named
1061 * after the unix user. this is the point where "appliance mode"
1062 * should get its teeth in, as unix users won't really exist,
1063 * they will only be numbers...
1064 */
1065
1066 gmep->type = SID_NAME_USER;
1067 fstrcpy(gmep->unix_name, gmep->nt_name);
1068 if (!nametouid(gmep->unix_name, &uid))
1069 {
1070 return False;
1071 }
1072 gmep->unix_id = (uint32)uid;
1073
1074 return get_sid_and_type(fullntname, gmep->type, gmep);
1075 }
1076
1077 /* oops. */
1078
1079 return False;
1080 }
1081
1082 /*************************************************************************
1083 looks up by RID, returns User Information.
1084 *************************************************************************/
1085 BOOL lookupsmbpwsid(DOM_SID *sid, DOM_NAME_MAP *gmep)
1086 {
1087 fstring sid_str;
1088 sid_to_string(sid_str, sid);
1089 DEBUG(10,("lookupsmbpwsid: nt sid %s\n", sid_str));
1090
1091 if (map_username_sid(sid, gmep))
1092 {
1093 return True;
1094 }
1095 if (lp_server_role() != ROLE_DOMAIN_NONE)
1096 {
1097 gmep->nt_name = nt_name;
1098 gmep->unix_name = unix_name;
1099 gmep->nt_domain = nt_domain;
1100
1101 /*
1102 * here we should do a LsaLookupNames() call
1103 * to check the status of the name with the PDC.
1104 * if the PDC know nothing of the name, it's ours.
1105 */
1106
1107 if (lp_server_role() == ROLE_DOMAIN_MEMBER)
1108 {
1109 #if 0
1110 if (lookup_remote_sid(global_myworkgroup, gmep->sid, gmep->nt_name, gmep->nt_domain...);
1111 #endif
1112 }
1113
1114 /*
1115 * ok, it's one of ours. we therefore "create" an nt user named
1116 * after the unix user. this is the point where "appliance mode"
1117 * should get its teeth in, as unix users won't really exist,
1118 * they will only be numbers...
1119 */
1120
1121 gmep->type = SID_NAME_USER;
1122 sid_copy(&gmep->sid, sid);
1123 if (!pwdb_sam_sid_to_unixid(&gmep->sid, gmep->type, &gmep->unix_id))
1124 {
1125 return False;
1126 }
1127 fstrcpy(gmep->nt_name, uidtoname((uid_t)gmep->unix_id));
1128 fstrcpy(gmep->unix_name, gmep->nt_name);
1129 gmep->nt_domain = global_sam_name;
1130
1131 return True;
1132 }
1133
1134 /* oops. */
1135
1136 return False;
1137 }
1138
1139 /************************************************************************
1140 Routine to look up group / alias / well-known group RID by UNIX name
1141 *************************************************************************/
1142 BOOL lookupsmbgrpnam(const char *unix_grp_name, DOM_NAME_MAP *grp)
1143 {
1144 gid_t gid;
1145 DEBUG(10,("lookupsmbgrpnam: unix user group %s\n", unix_grp_name));
1146 if (nametogid(unix_grp_name, &gid))
1147 {
1148 return lookupsmbgrpgid(gid, grp);
1149 }
1150 else
1151 {
1152 return False;
1153 }
1154 }
1155
1156 /*************************************************************************
1157 looks up a SID, returns name map entry
1158 *************************************************************************/
1159 BOOL lookupsmbgrpsid(DOM_SID *sid, DOM_NAME_MAP *gmep)
1160 {
1161 fstring sid_str;
1162 sid_to_string(sid_str, sid);
1163 DEBUG(10,("lookupsmbgrpsid: nt sid %s\n", sid_str));
1164
1165 if (map_alias_sid(sid, gmep))
1166 {
1167 return True;
1168 }
1169 if (map_group_sid(sid, gmep))
1170 {
1171 return True;
1172 }
1173 if (lp_server_role() != ROLE_DOMAIN_NONE)
1174 {
1175 gmep->nt_name = nt_name;
1176 gmep->unix_name = unix_name;
1177 gmep->nt_domain = nt_domain;
1178
1179 /*
1180 * here we should do a LsaLookupNames() call
1181 * to check the status of the name with the PDC.
1182 * if the PDC know nothing of the name, it's ours.
1183 */
1184
1185 if (lp_server_role() == ROLE_DOMAIN_MEMBER)
1186 {
1187 #if 0
1188 lsa_lookup_sids(global_myworkgroup, gmep->sid, gmep->nt_name, gmep->nt_domain...);
1189 #endif
1190 }
1191
1192 /*
1193 * ok, it's one of ours. we therefore "create" an nt group or
1194 * alias name named after the unix group. this is the point
1195 * where "appliance mode" should get its teeth in, as unix
1196 * groups won't really exist, they will only be numbers...
1197 */
1198
1199 /* name is not explicitly mapped
1200 * with map files or the PDC
1201 * so we are responsible for it...
1202 */
1203
1204 if (lp_server_role() == ROLE_DOMAIN_MEMBER)
1205 {
1206 /* ... as a LOCAL group. */
1207 gmep->type = SID_NAME_ALIAS;
1208 }
1209 else
1210 {
1211 /* ... as a DOMAIN group. */
1212 gmep->type = SID_NAME_DOM_GRP;
1213 }
1214
1215 sid_copy(&gmep->sid, sid);
1216 if (!pwdb_sam_sid_to_unixid(&gmep->sid, gmep->type, &gmep->unix_id))
1217 {
1218 return False;
1219 }
1220 fstrcpy(gmep->nt_name, gidtoname((gid_t)gmep->unix_id));
1221 fstrcpy(gmep->unix_name, gmep->nt_name);
1222 gmep->nt_domain = global_sam_name;
1223
1224 return True;
1225 }
1226
1227 /* oops */
1228 return False;
1229 }
1230
1231 /*************************************************************************
1232 looks up a gid, returns RID and type local, domain or well-known domain group
1233 *************************************************************************/
1234 BOOL lookupsmbgrpgid(gid_t gid, DOM_NAME_MAP *gmep)
1235 {
1236 DEBUG(10,("lookupsmbgrpgid: unix gid %d\n", (int)gid));
1237 if (map_alias_gid(gid, gmep))
1238 {
1239 return True;
1240 }
1241 if (map_group_gid(gid, gmep))
1242 {
1243 return True;
1244 }
1245 if (lp_server_role() != ROLE_DOMAIN_NONE)
1246 {
1247 gmep->nt_name = nt_name;
1248 gmep->unix_name = unix_name;
1249 gmep->nt_domain = nt_domain;
1250
1251 gmep->unix_id = (uint32)gid;
1252
1253 /*
1254 * here we should do a LsaLookupNames() call
1255 * to check the status of the name with the PDC.
1256 * if the PDC know nothing of the name, it's ours.
1257 */
1258
1259 if (lp_server_role() == ROLE_DOMAIN_MEMBER)
1260 {
1261 #if 0
1262 if (lsa_lookup_names(global_myworkgroup, gmep->nt_name, &gmep->sid...);
1263 {
1264 return True;
1265 }
1266 #endif
1267 }
1268
1269 /*
1270 * ok, it's one of ours. we therefore "create" an nt group or
1271 * alias name named after the unix group. this is the point
1272 * where "appliance mode" should get its teeth in, as unix
1273 * groups won't really exist, they will only be numbers...
1274 */
1275
1276 /* name is not explicitly mapped
1277 * with map files or the PDC
1278 * so we are responsible for it...
1279 */
1280
1281 if (lp_server_role() == ROLE_DOMAIN_MEMBER)
1282 {
1283 /* ... as a LOCAL group. */
1284 gmep->type = SID_NAME_ALIAS;
1285 }
1286 else
1287 {
1288 /* ... as a DOMAIN group. */
1289 gmep->type = SID_NAME_DOM_GRP;
1290 }
1291 fstrcpy(gmep->nt_name, gidtoname(gid));
1292 fstrcpy(gmep->unix_name, gmep->nt_name);
1293
1294 return get_sid_and_type(gmep->nt_name, gmep->type, gmep);
1295 }
1296
1297 /* oops */
1298 return False;
1299 }
1300
Samba GIT mirror