source3/winbindd/wb_getgrsid.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    async getgrsid
   4    Copyright (C) Volker Lendecke 2009
   5
   6    This program is free software; you can redistribute it and/or modify
   7    it under the terms of the GNU General Public License as published by
   8    the Free Software Foundation; either version 3 of the License, or
   9    (at your option) any later version.
  10
  11    This program is distributed in the hope that it will be useful,
  12    but WITHOUT ANY WARRANTY; without even the implied warranty of
  13    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14    GNU General Public License for more details.
  15
  16    You should have received a copy of the GNU General Public License
  17    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  18 */
  19
  20 #include "includes.h"
  21 #include "winbindd.h"
  22 #include "librpc/gen_ndr/ndr_wbint_c.h"
  23 #include "../libcli/security/security.h"
  24
  25 struct wb_getgrsid_state {
  26         struct tevent_context *ev;
  27         struct dom_sid sid;
  28         int max_nesting;
  29         const char *domname;
  30         const char *name;
  31         enum lsa_SidType type;
  32         gid_t gid;
  33         struct talloc_dict *members;
  34 };
  35
  36 static void wb_getgrsid_lookupsid_done(struct tevent_req *subreq);
  37 static void wb_getgrsid_sid2gid_done(struct tevent_req *subreq);
  38 static void wb_getgrsid_got_members(struct tevent_req *subreq);
  39
  40 struct tevent_req *wb_getgrsid_send(TALLOC_CTX *mem_ctx,
  41                                     struct tevent_context *ev,
  42                                     const struct dom_sid *group_sid,
  43                                     int max_nesting)
  44 {
  45         struct tevent_req *req, *subreq;
  46         struct wb_getgrsid_state *state;
  47
  48         req = tevent_req_create(mem_ctx, &state, struct wb_getgrsid_state);
  49         if (req == NULL) {
  50                 return NULL;
  51         }
  52         sid_copy(&state->sid, group_sid);
  53         state->ev = ev;
  54         state->max_nesting = max_nesting;
  55
  56         if (lp_winbind_trusted_domains_only()) {
  57                 struct winbindd_domain *our_domain = find_our_domain();
  58
  59                 if (dom_sid_compare_domain(group_sid, &our_domain->sid) == 0) {
  60                         DEBUG(7, ("winbindd_getgrsid: My domain -- rejecting "
  61                                   "getgrsid() for %s\n", sid_string_tos(group_sid)));
  62                         tevent_req_nterror(req, NT_STATUS_NO_SUCH_GROUP);
  63                         return tevent_req_post(req, ev);
  64                 }
  65         }
  66
  67         subreq = wb_lookupsid_send(state, ev, &state->sid);
  68         if (tevent_req_nomem(subreq, req)) {
  69                 return tevent_req_post(req, ev);
  70         }
  71         tevent_req_set_callback(subreq, wb_getgrsid_lookupsid_done, req);
  72         return req;
  73 }
  74
  75 static void wb_getgrsid_lookupsid_done(struct tevent_req *subreq)
  76 {
  77         struct tevent_req *req = tevent_req_callback_data(
  78                 subreq, struct tevent_req);
  79         struct wb_getgrsid_state *state = tevent_req_data(
  80                 req, struct wb_getgrsid_state);
  81         NTSTATUS status;
  82
  83         status = wb_lookupsid_recv(subreq, state, &state->type,
  84                                    &state->domname, &state->name);
  85         TALLOC_FREE(subreq);
  86         if (tevent_req_nterror(req, status)) {
  87                 return;
  88         }
  89
  90         switch (state->type) {
  91         case SID_NAME_DOM_GRP:
  92         case SID_NAME_ALIAS:
  93         case SID_NAME_WKN_GRP:
  94         /*
  95          * also treat user-type SIDS (they might map to ID_TYPE_BOTH)
  96          */
  97         case SID_NAME_USER:
  98         case SID_NAME_COMPUTER:
  99                 break;
 100         default:
 101                 tevent_req_nterror(req, NT_STATUS_NO_SUCH_GROUP);
 102                 return;
 103         }
 104
 105         subreq = wb_sids2xids_send(state, state->ev, &state->sid, 1);
 106         if (tevent_req_nomem(subreq, req)) {
 107                 return;
 108         }
 109         tevent_req_set_callback(subreq, wb_getgrsid_sid2gid_done, req);
 110 }
 111
 112 static void wb_getgrsid_sid2gid_done(struct tevent_req *subreq)
 113 {
 114         struct tevent_req *req = tevent_req_callback_data(
 115                 subreq, struct tevent_req);
 116         struct wb_getgrsid_state *state = tevent_req_data(
 117                 req, struct wb_getgrsid_state);
 118         NTSTATUS status;
 119         struct unixid xid;
 120
 121         status = wb_sids2xids_recv(subreq, &xid);
 122         TALLOC_FREE(subreq);
 123         if (tevent_req_nterror(req, status)) {
 124                 return;
 125         }
 126
 127         /*
 128          * We are filtering further down in sids2xids, but that filtering
 129          * depends on the actual type of the sid handed in (as determined
 130          * by lookupsids). Here we need to filter for the type of object
 131          * actually requested, in this case uid.
 132          */
 133         if (!(xid.type == ID_TYPE_GID || xid.type == ID_TYPE_BOTH)) {
 134                 tevent_req_nterror(req, NT_STATUS_NONE_MAPPED);
 135                 return;
 136         }
 137
 138         state->gid = (gid_t)xid.id;
 139
 140         if (state->type == SID_NAME_USER || state->type == SID_NAME_COMPUTER) {
 141                 /*
 142                  * special treatment for a user sid that is
 143                  * mapped to ID_TYPE_BOTH:
 144                  * create a group with the sid/xid as only member
 145                  */
 146                 const char *name;
 147
 148                 if (xid.type != ID_TYPE_BOTH) {
 149                         tevent_req_nterror(req, NT_STATUS_NO_SUCH_GROUP);
 150                         return;
 151                 }
 152
 153                 state->members = talloc_dict_init(state);
 154                 if (tevent_req_nomem(state->members, req)) {
 155                         return;
 156                 }
 157
 158                 name = fill_domain_username_talloc(talloc_tos(),
 159                                                    state->domname,
 160                                                    state->name,
 161                                                    true /* can_assume */);
 162                 if (tevent_req_nomem(name, req)) {
 163                         return;
 164                 }
 165
 166                 status = add_wbint_Principal_to_dict(talloc_tos(),
 167                                                      &state->sid,
 168                                                      &name,
 169                                                      state->type,
 170                                                      state->members);
 171                 if (!NT_STATUS_IS_OK(status)) {
 172                         tevent_req_nterror(req, status);
 173                         return;
 174                 }
 175
 176                 tevent_req_done(req);
 177                 return;
 178         }
 179
 180         /*
 181          * the "regular" case of a group type sid.
 182          */
 183
 184         subreq = wb_group_members_send(state, state->ev, &state->sid,
 185                                        state->type, state->max_nesting);
 186         if (tevent_req_nomem(subreq, req)) {
 187                 return;
 188         }
 189         tevent_req_set_callback(subreq, wb_getgrsid_got_members, req);
 190 }
 191
 192 static void wb_getgrsid_got_members(struct tevent_req *subreq)
 193 {
 194         struct tevent_req *req = tevent_req_callback_data(
 195                 subreq, struct tevent_req);
 196         struct wb_getgrsid_state *state = tevent_req_data(
 197                 req, struct wb_getgrsid_state);
 198         NTSTATUS status;
 199
 200         status = wb_group_members_recv(subreq, state, &state->members);
 201         TALLOC_FREE(subreq);
 202         if (tevent_req_nterror(req, status)) {
 203                 return;
 204         }
 205         tevent_req_done(req);
 206 }
 207
 208 NTSTATUS wb_getgrsid_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
 209                           const char **domname, const char **name, gid_t *gid,
 210                           struct talloc_dict **members)
 211 {
 212         struct wb_getgrsid_state *state = tevent_req_data(
 213                 req, struct wb_getgrsid_state);
 214         NTSTATUS status;
 215
 216         if (tevent_req_is_nterror(req, &status)) {
 217                 return status;
 218         }
 219         *domname = talloc_move(mem_ctx, &state->domname);
 220         *name = talloc_move(mem_ctx, &state->name);
 221         *gid = state->gid;
 222         *members = talloc_move(mem_ctx, &state->members);
 223         return NT_STATUS_OK;
 224 }