search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
fix for CR 2230; don't throw away domain local groups
[Samba.git] / source / lib / username.c
blob4f7560e4fa624f76aa30ecfed914a96977cf8de8
1 /*
2 Unix SMB/Netbios implementation.
3 Version 1.9.
4 Username handling
5 Copyright (C) Andrew Tridgell 1992-1998
6 Copyright (C) Jeremy Allison 1997-2001.
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
21 */
22
23 #include "includes.h"
24
25 /* internal functions */
26 static struct passwd *uname_string_combinations(char *s, struct passwd * (*fn) (char *), int N);
27 static struct passwd *uname_string_combinations2(char *s, int offset, struct passwd * (*fn) (char *), int N);
28
29 /*****************************************************************
30 Check if a user or group name is local (this is a *local* name for
31 *local* people, there's nothing for you here...).
32 *****************************************************************/
33
34 BOOL name_is_local(const char *name)
35 {
36 return !strchr(name, *lp_winbind_separator());
37 }
38
39 /****************************************************************************
40 Get a users home directory.
41 ****************************************************************************/
42
43 char *get_user_home_dir(char *user)
44 {
45 static struct passwd *pass;
46
47 pass = Get_Pwnam(user, False);
48 if (!pass)
49 return(NULL);
50 /* Return home directory from struct passwd. */
51 return(pass->pw_dir);
52 }
53
54 /****************************************************************************
55 Get a users home service directory. Returns in dos codepage.
56 ****************************************************************************/
57
58 char *get_user_service_home_dir(char *user)
59 {
60 static struct passwd *pass;
61 int snum;
62
63 /* Ensure the user exists. */
64
65 pass = Get_Pwnam(user, False);
66 if (!pass)
67 return(NULL);
68
69 /* If a path is specified in [homes] then use it instead of the
70 user's home directory from struct passwd. */
71
72 if ((snum = lp_servicenumber_unix(HOMES_NAME)) != -1) {
73 static pstring home_dir;
74
75 pstrcpy(home_dir, lp_pathname_unix(snum));
76 standard_sub_home(snum, user, home_dir, sizeof(home_dir));
77
78 if (home_dir[0]) {
79 unix_to_dos(home_dir);
80 return home_dir;
81 }
82 }
83
84 /* Return home directory from struct passwd. */
85
86 return(unix_to_dos(pass->pw_dir));
87 }
88
89 /*******************************************************************
90 Map a username from a dos name to a unix name by looking in the username
91 map. Note that this modifies the name in place.
92 This is the main function that should be called *once* on
93 any incoming or new username - in order to canonicalize the name.
94 This is being done to de-couple the case conversions from the user mapping
95 function. Previously, the map_username was being called
96 every time Get_Pwnam was called.
97 Returns True if username was changed, false otherwise.
98 ********************************************************************/
99
100 BOOL map_username(char *user)
101 {
102 static BOOL initialised=False;
103 static fstring last_from,last_to;
104 XFILE *f;
105 char *mapfile = lp_username_map();
106 char *s;
107 pstring buf;
108 BOOL mapped_user = False;
109
110 if (!*user)
111 return False;
112
113 if (!*mapfile)
114 return False;
115
116 if (!initialised) {
117 *last_from = *last_to = 0;
118 initialised = True;
119 }
120
121 if (strequal_unix(user,last_to))
122 return False;
123
124 if (strequal_unix(user,last_from)) {
125 DEBUG(3,("Mapped user %s to %s\n",user,last_to));
126 fstrcpy(user,last_to);
127 return True;
128 }
129
130 f = x_fopen(mapfile,O_RDONLY, 0);
131 if (!f) {
132 DEBUG(0,("can't open username map %s. Error %s\n",mapfile, strerror(errno) ));
133 return False;
134 }
135
136 DEBUG(4,("Scanning username map %s\n",mapfile));
137
138 while((s=fgets_slash(buf,sizeof(buf),f))!=NULL) {
139 char *unixname = s;
140 char *dosname = strchr(unixname,'=');
141 BOOL return_if_mapped = False;
142
143 if (!dosname)
144 continue;
145
146 *dosname++ = 0;
147
148 while (isspace((int)*unixname))
149 unixname++;
150 if ('!' == *unixname) {
151 return_if_mapped = True;
152 unixname++;
153
154 while (*unixname && isspace((int)*unixname))
155 unixname++;
156 }
157
158 if (!*unixname || strchr("#;",*unixname))
159 continue;
160
161 {
162 int l = strlen(unixname);
163 while (l && isspace((int)unixname[l-1])) {
164 unixname[l-1] = 0;
165 l--;
166 }
167 }
168
169 if (strchr(dosname,'*') || user_in_list(user,dosname)) {
170 DEBUG(3,("Mapped user %s to %s\n",user,unixname));
171 mapped_user = True;
172 fstrcpy(last_from,user);
173 sscanf(unixname,"%s",user);
174 fstrcpy(last_to,user);
175 if(return_if_mapped) {
176 x_fclose(f);
177 return True;
178 }
179 }
180 }
181
182 x_fclose(f);
183
184 /*
185 * Setup the last_from and last_to as an optimization so
186 * that we don't scan the file again for the same user.
187 */
188 fstrcpy(last_from,user);
189 fstrcpy(last_to,user);
190
191 return mapped_user;
192 }
193
194 /****************************************************************************
195 Get_Pwnam wrapper.
196 ****************************************************************************/
197
198 static struct passwd *_Get_Pwnam(char *s)
199 {
200 struct passwd *ret;
201
202 ret = sys_getpwnam(s);
203 if (ret) {
204 #ifdef HAVE_GETPWANAM
205 struct passwd_adjunct *pwret;
206 pwret = getpwanam(s);
207 if (pwret && pwret->pwa_passwd)
208 pstrcpy(ret->pw_passwd,pwret->pwa_passwd);
209 #endif
210 }
211
212 return(ret);
213 }
214
215 /****************************************************************************
216 A wrapper for getpwnam(). The following variations are tried...
217 - in all lower case
218 - as transmitted IF a different case
219 - in all upper case IF that is different from the transmitted username
220 - using the lp_usernamelevel() for permutations
221 Note that this can change user! The user name is in Unix code page.
222 ****************************************************************************/
223
224 struct passwd *Get_Pwnam(char *user,BOOL allow_change)
225 {
226 fstring user2, orig_username;
227 int usernamelevel = lp_usernamelevel();
228 struct passwd *ret;
229
230 if (!user || !(*user))
231 return(NULL);
232
233 /* make a few copies to work with */
234 fstrcpy(orig_username, user);
235 if (!allow_change) {
236 /* allow_change was False, so make a copy and temporarily
237 assign the char* user to the temp copy */
238 fstrcpy(user2,user);
239 user = &user2[0];
240 }
241
242 /* try in all lower case first as this is the most
243 common case on UNIX systems */
244 unix_to_dos(user);
245 strlower(user);
246 dos_to_unix(user);
247
248 ret = _Get_Pwnam(user);
249 if (ret)
250 return(ret);
251
252 /* try as transmitted, but only if the original username
253 gives us a different case */
254 if (strcmp(user, orig_username) != 0) {
255 ret = _Get_Pwnam(orig_username);
256 if (ret) {
257 if (allow_change)
258 fstrcpy(user, orig_username);
259
260 return(ret);
261 }
262 }
263
264 /* finally, try in all caps if that is a new case */
265 unix_to_dos(user);
266 strupper(user);
267 dos_to_unix(user);
268
269 if (strcmp(user, orig_username) != 0) {
270 ret = _Get_Pwnam(user);
271 if (ret)
272 return(ret);
273 }
274
275 /* Try all combinations up to usernamelevel. */
276 unix_to_dos(user);
277 strlower(user);
278 dos_to_unix(user);
279
280 ret = uname_string_combinations(user, _Get_Pwnam, usernamelevel);
281
282 if (ret)
283 return(ret);
284
285 return(NULL);
286 }
287
288 /****************************************************************************
289 Check if a user is in a netgroup user list.
290 ****************************************************************************/
291
292 static BOOL user_in_netgroup_list(char *user,char *ngname)
293 {
294 #ifdef HAVE_NETGROUP
295 static char *mydomain = NULL;
296 if (mydomain == NULL)
297 yp_get_default_domain(&mydomain);
298
299 if(mydomain == NULL) {
300 DEBUG(5,("Unable to get default yp domain\n"));
301 return False;
302 }
303
304 DEBUG(5,("looking for user %s of domain %s in netgroup %s\n",
305 user, mydomain, ngname));
306 DEBUG(5,("innetgr is %s\n", innetgr(ngname, NULL, user, mydomain)
307 ? "True" : "False"));
308
309 if (innetgr(ngname, NULL, user, mydomain))
310 return (True);
311 #endif /* HAVE_NETGROUP */
312 return False;
313 }
314
315 /****************************************************************************
316 Check if a user is in a winbind group.
317 ****************************************************************************/
318
319 static BOOL user_in_winbind_group_list(char *user,char *gname, BOOL *winbind_answered)
320 {
321 int i;
322 static gid_t *groups = NULL;
323 static int num_groups = 0;
324 static fstring last_user = "";
325 gid_t gid;
326 BOOL ret = False;
327
328 *winbind_answered = False;
329
330 /* try to user the last user we looked up */
331 /* otherwise fall back to lookups */
332
333 if ( !strequal_unix( last_user, user ) || !groups )
334 {
335 /* clear any cached information */
336
337 SAFE_FREE(groups);
338 fstrcpy( last_user, "" );
339
340 /*
341 * Get the gid's that this user belongs to.
342 */
343
344 if ((num_groups = winbind_getgroups2(user, &groups)) == -1)
345 return False;
346
347 if ( num_groups == -1 )
348 return False;
349
350 if ( num_groups == 0 ) {
351 *winbind_answered = True;
352 return False;
353 }
354
355 /* save the last username */
356
357 fstrcpy( last_user, user );
358
359 }
360 else
361 DEBUG(10,("user_in_winbind_group_list: using cached user groups for [%s]\n", user));
362
363 if ( DEBUGLEVEL >= 10 ) {
364 DEBUG(10,("user_in_winbind_group_list: using groups -- "));
365 for ( i=0; i<num_groups; i++ )
366 DEBUGADD(10,("%d ", groups[i]));
367 DEBUGADD(10,("\n"));
368 }
369
370 /*
371 * Now we have the gid list for this user - convert the gname
372 * to a gid_t via either winbind or the local UNIX lookup and do the comparison.
373 */
374
375 if ((gid = nametogid(gname)) == (gid_t)-1) {
376 DEBUG(0,("user_in_winbind_group_list: winbind_lookup_name for group %s failed.\n",
377 gname ));
378 goto err;
379 }
380
381 DEBUG(10, ("user_in_winbind_group_list: group %s [%d]\n", gname, gid ));
382
383 for (i = 0; i < num_groups; i++) {
384 if (gid == groups[i]) {
385 ret = True;
386 DEBUG(10,("user_in_winbind_group_list: user |%s| is in group |%s|\n",
387 user, gname ));
388 break;
389 }
390 }
391
392 *winbind_answered = True;
393 return ret;
394
395 err:
396 fstrcpy( last_user, "" );
397 SAFE_FREE(groups);
398 *winbind_answered = False;
399
400 return False;
401 }
402
403 /****************************************************************************
404 Check if a user is in a UNIX group.
405 Names are in UNIX character set format.
406 ****************************************************************************/
407
408 static BOOL user_in_unix_group_list(char *user,const char *gname)
409 {
410 struct passwd *pass = Get_Pwnam(user,False);
411 struct sys_userlist *user_list;
412 struct sys_userlist *member;
413
414 DEBUG(10,("user_in_unix_group_list: checking user %s in group %s\n", user, gname));
415
416 /*
417 * We need to check the users primary group as this
418 * group is implicit and often not listed in the group database.
419 */
420
421 if (pass) {
422 if (strequal_unix(gname, gidtoname(pass->pw_gid))) {
423 DEBUG(10,("user_in_unix_group_list: group %s is primary group.\n", gname ));
424 return True;
425 }
426 }
427
428 user_list = get_users_in_group(gname);
429 if (user_list == NULL) {
430 DEBUG(10,("user_in_unix_group_list: no such group %s\n", gname ));
431 return False;
432 }
433
434 for (member = user_list; member; member = member->next) {
435 DEBUG(10,("user_in_unix_group_list: checking user %s against member %s\n",
436 user, member->unix_name ));
437 if (strequal_unix(member->unix_name,user)) {
438 free_userlist(user_list);
439 DEBUG(10,("user_in_unix_group_list: user |%s| is in group |%s|\n", user, gname));
440 return(True);
441 }
442 }
443
444 free_userlist(user_list);
445 return False;
446 }
447
448 /****************************************************************************
449 Check if a user is in a group list. Ask winbind first, then use UNIX.
450 Names are in UNIX character set format.
451 ****************************************************************************/
452
453 BOOL user_in_group_list(char *user,char *gname)
454 {
455 BOOL winbind_answered = False;
456 BOOL ret;
457
458 ret = user_in_winbind_group_list(user, gname, &winbind_answered);
459 if (!winbind_answered)
460 ret = user_in_unix_group_list(user, gname);
461
462 if (ret)
463 DEBUG(10,("user_in_group_list: user |%s| is in group |%s|\n", user, gname));
464 return ret;
465 }
466
467 /****************************************************************************
468 Check if a user is in a user list - can check combinations of UNIX
469 and netgroup lists.
470 Names are in UNIX character set format.
471 ****************************************************************************/
472
473 BOOL user_in_list(char *user,char *list)
474 {
475 pstring tok;
476 char *p=list;
477
478 DEBUG(10,("user_in_list: checking user %s in list %s\n", user, list));
479
480 while (next_token(&p,tok,LIST_SEP, sizeof(tok))) {
481
482 DEBUG(10,("user_in_list: checking user |%s| against |%s|\n", user, tok));
483
484 /*
485 * Check raw username.
486 */
487 if (strequal_unix(user,tok)) {
488 DEBUG(10,("user_in_list: user |%s| matches |%s|\n", user, tok));
489 return(True);
490 }
491
492 /*
493 * Now check to see if any combination
494 * of UNIX and netgroups has been specified.
495 */
496
497 if(*tok == '@') {
498 /*
499 * Old behaviour. Check netgroup list
500 * followed by UNIX list.
501 */
502 if(user_in_netgroup_list(user,&tok[1]))
503 return True;
504 if(user_in_group_list(user,&tok[1]))
505 return True;
506 } else if (*tok == '+') {
507
508 if(tok[1] == '&') {
509 /*
510 * Search UNIX list followed by netgroup.
511 */
512 if(user_in_group_list(user,&tok[2]))
513 return True;
514 if(user_in_netgroup_list(user,&tok[2]))
515 return True;
516
517 } else {
518
519 /*
520 * Just search UNIX list.
521 */
522
523 if(user_in_group_list(user,&tok[1]))
524 return True;
525 }
526
527 } else if (*tok == '&') {
528
529 if(tok[1] == '+') {
530 /*
531 * Search netgroup list followed by UNIX list.
532 */
533 if(user_in_netgroup_list(user,&tok[2]))
534 return True;
535 if(user_in_group_list(user,&tok[2]))
536 return True;
537 } else {
538 /*
539 * Just search netgroup list.
540 */
541 if(user_in_netgroup_list(user,&tok[1]))
542 return True;
543 }
544 } else if (!name_is_local(tok)) {
545 /*
546 * If user name did not match and token is not
547 * a unix group and the token has a winbind separator in the
548 * name then see if it is a Windows group.
549 */
550
551 DOM_SID g_sid;
552 enum SID_NAME_USE name_type;
553 BOOL winbind_answered = False;
554 BOOL ret;
555
556 /* Check to see if name is a Windows group */
557 if (winbind_lookup_name(NULL, tok, &g_sid, &name_type)
558 && ( name_type==SID_NAME_DOM_GRP || name_type==SID_NAME_ALIAS ) )
559 {
560
561 /* Check if user name is in the Windows group */
562 ret = user_in_winbind_group_list(user, tok, &winbind_answered);
563
564 if (winbind_answered && ret == True) {
565 DEBUG(10,("user_in_list: user |%s| is in group |%s|\n", user, tok));
566 return ret;
567 }
568 }
569 }
570 }
571 return(False);
572 }
573
574 /* Slightly modified version of user_in_list() function to use a
575 P_LIST type instead of a P_STRING. */
576
577 BOOL user_in_plist(char *user, char **the_list)
578 {
579 char **list;
580
581 if (!the_list || !*the_list)
582 return False;
583
584 DEBUG(10,("user_in_plist: checking user %s in list\n", user));
585
586 /* First check usernames only */
587
588 list = the_list;
589
590 while(*list) {
591
592 /* Check raw username */
593
594 if (strequal_unix(user, *list)) {
595 DEBUG(10,("user_in_plist: user |%s| matches |%s|\n", user, *list));
596 return(True);
597 }
598
599 list++;
600 }
601
602 /* Now check groups */
603
604 list = the_list;
605
606 while(*list) {
607
608 /*
609 * Now check to see if any combination
610 * of UNIX and netgroups has been specified.
611 */
612
613 if(**list == '@') {
614 /*
615 * Old behaviour. Check netgroup list
616 * followed by UNIX list.
617 */
618 if(user_in_netgroup_list(user, *list + 1))
619 return True;
620 if(user_in_group_list(user, *list + 1))
621 return True;
622 } else if (**list == '+') {
623
624 if((*(*list + 1)) == '&') {
625 /*
626 * Search UNIX list followed by netgroup.
627 */
628 if(user_in_group_list(user, *list + 2))
629 return True;
630 if(user_in_netgroup_list(user, *list + 2))
631 return True;
632
633 } else {
634
635 /*
636 * Just search UNIX list.
637 */
638
639 if(user_in_group_list(user, *list + 1))
640 return True;
641 }
642
643 } else if (**list == '&') {
644
645 if(*(*list + 1) == '+') {
646 /*
647 * Search netgroup list followed by UNIX list.
648 */
649 if(user_in_netgroup_list(user, *list + 2))
650 return True;
651 if(user_in_group_list(user, *list + 2))
652 return True;
653 } else {
654 /*
655 * Just search netgroup list.
656 */
657 if(user_in_netgroup_list(user, *list + 1))
658 return True;
659 }
660 } else if (!name_is_local(*list)) {
661 /*
662 * If user name did not match and token is not
663 * a unix group and the token has a winbind separator in the
664 * name then see if it is a Windows group.
665 */
666
667 DOM_SID g_sid;
668 enum SID_NAME_USE name_type;
669 BOOL winbind_answered = False;
670 BOOL ret;
671
672 /* Check to see if name is a Windows group; Win2k native mode DCs
673 will return domain local groups; while NT4 or mixed mode 2k DCs
674 will not */
675
676 if ( winbind_lookup_name(NULL, *list, &g_sid, &name_type)
677 && ( name_type==SID_NAME_DOM_GRP || name_type==SID_NAME_ALIAS ) )
678 {
679 /* Check if user name is in the Windows group */
680 ret = user_in_winbind_group_list(user, *list, &winbind_answered);
681
682 if (winbind_answered && ret == True) {
683 DEBUG(10,("user_in_plist: user |%s| is in group |%s|\n", user, *list));
684 return ret;
685 }
686 }
687 }
688
689 list++;
690 }
691 return(False);
692 }
693
694 /* The functions below have been taken from password.c and slightly modified */
695 /****************************************************************************
696 Apply a function to upper/lower case combinations
697 of a string and return true if one of them returns true.
698 Try all combinations with N uppercase letters.
699 offset is the first char to try and change (start with 0)
700 it assumes the string starts lowercased
701 ****************************************************************************/
702
703 static struct passwd *uname_string_combinations2(char *s,int offset,struct passwd *(*fn)(char *),int N)
704 {
705 ssize_t len = (ssize_t)strlen(s);
706 int i;
707 struct passwd *ret;
708
709 if (N <= 0 || offset >= len)
710 return(fn(s));
711
712 for (i=offset;i<(len-(N-1));i++) {
713 char c = s[i];
714 if (!islower((int)c))
715 continue;
716 s[i] = toupper(c);
717 ret = uname_string_combinations2(s,i+1,fn,N-1);
718 if(ret)
719 return(ret);
720 s[i] = c;
721 }
722 return(NULL);
723 }
724
725 /****************************************************************************
726 Apply a function to upper/lower case combinations
727 of a string and return true if one of them returns true.
728 Try all combinations with up to N uppercase letters.
729 offset is the first char to try and change (start with 0)
730 it assumes the string starts lowercased
731 ****************************************************************************/
732
733 static struct passwd * uname_string_combinations(char *s,struct passwd * (*fn)(char *),int N)
734 {
735 int n;
736 struct passwd *ret;
737
738 for (n=1;n<=N;n++) {
739 ret = uname_string_combinations2(s,0,fn,n);
740 if(ret)
741 return(ret);
742 }
743 return(NULL);
744 }
745
746
747 /****************************************************************************
748 these wrappers allow appliance mode to work. In appliance mode the username
749 takes the form DOMAIN/user
750 ****************************************************************************/
751
752 struct passwd *smb_getpwnam(char *user, BOOL allow_change)
753 {
754 struct passwd *pw;
755 char *p;
756 const char *sep;
757
758 pw = Get_Pwnam(user, allow_change);
759 if (pw)
760 return pw;
761
762 /*
763 * If it is a domain qualified name and it isn't in our password
764 * database but the domain portion matches our local machine name then
765 * lookup just the username portion locally.
766 */
767
768 sep = lp_winbind_separator();
769 p = strchr(user,*sep);
770 if (p && strncasecmp(global_myname_unix(), user, strlen(global_myname_unix()))==0)
771 return Get_Pwnam(p+1, allow_change);
772
773 return NULL;
774 }
Samba GIT mirror