search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3:auth: only call secrets_fetch_domain_sid() once in finalize_local_nt_token()
[Samba.git] / source3 / auth / token_util.c
blobf3d24cdac2f1be50f22b5a6fa8467ab80efa7b5c
1 /*
2 * Unix SMB/CIFS implementation.
3 * Authentication utility functions
4 * Copyright (C) Andrew Tridgell 1992-1998
5 * Copyright (C) Andrew Bartlett 2001
6 * Copyright (C) Jeremy Allison 2000-2001
7 * Copyright (C) Rafal Szczesniak 2002
8 * Copyright (C) Volker Lendecke 2006
9 * Copyright (C) Michael Adam 2007
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 3 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, see <http://www.gnu.org/licenses/>.
23 */
24
25 /* functions moved from auth/auth_util.c to minimize linker deps */
26
27 #include "includes.h"
28 #include "lib/util_unixsids.h"
29 #include "system/passwd.h"
30 #include "auth.h"
31 #include "secrets.h"
32 #include "../lib/util/memcache.h"
33 #include "../librpc/gen_ndr/netlogon.h"
34 #include "../libcli/security/security.h"
35 #include "../lib/util/util_pw.h"
36 #include "passdb.h"
37 #include "lib/privileges.h"
38
39 /****************************************************************************
40 Check for a SID in an struct security_token
41 ****************************************************************************/
42
43 bool nt_token_check_sid ( const struct dom_sid *sid, const struct security_token *token )
44 {
45 if ( !sid || !token )
46 return False;
47
48 return security_token_has_sid(token, sid);
49 }
50
51 bool nt_token_check_domain_rid( struct security_token *token, uint32_t rid )
52 {
53 struct dom_sid domain_sid;
54
55 /* if we are a domain member, the get the domain SID, else for
56 a DC or standalone server, use our own SID */
57
58 if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) {
59 if ( !secrets_fetch_domain_sid( lp_workgroup(),
60 &domain_sid ) ) {
61 DEBUG(1,("nt_token_check_domain_rid: Cannot lookup "
62 "SID for domain [%s]\n", lp_workgroup()));
63 return False;
64 }
65 }
66 else
67 sid_copy( &domain_sid, get_global_sam_sid() );
68
69 sid_append_rid( &domain_sid, rid );
70
71 return nt_token_check_sid( &domain_sid, token );\
72 }
73
74 /******************************************************************************
75 Create a token for the root user to be used internally by smbd.
76 This is similar to running under the context of the LOCAL_SYSTEM account
77 in Windows. This is a read-only token. Do not modify it or free() it.
78 Create a copy if you need to change it.
79 ******************************************************************************/
80
81 struct security_token *get_root_nt_token( void )
82 {
83 struct security_token *token, *for_cache;
84 struct dom_sid u_sid, g_sid;
85 struct passwd *pw;
86 void *cache_data;
87
88 cache_data = memcache_lookup_talloc(
89 NULL, SINGLETON_CACHE_TALLOC,
90 data_blob_string_const_null("root_nt_token"));
91
92 if (cache_data != NULL) {
93 return talloc_get_type_abort(
94 cache_data, struct security_token);
95 }
96
97 if ( !(pw = getpwuid(0)) ) {
98 if ( !(pw = getpwnam("root")) ) {
99 DEBUG(0,("get_root_nt_token: both getpwuid(0) "
100 "and getpwnam(\"root\") failed!\n"));
101 return NULL;
102 }
103 }
104
105 /* get the user and primary group SIDs; although the
106 BUILTIN\Administrators SId is really the one that matters here */
107
108 uid_to_sid(&u_sid, pw->pw_uid);
109 gid_to_sid(&g_sid, pw->pw_gid);
110
111 token = create_local_nt_token(talloc_tos(), &u_sid, False,
112 1, &global_sid_Builtin_Administrators);
113
114 security_token_set_privilege(token, SEC_PRIV_DISK_OPERATOR);
115
116 for_cache = token;
117
118 memcache_add_talloc(
119 NULL, SINGLETON_CACHE_TALLOC,
120 data_blob_string_const_null("root_nt_token"), &for_cache);
121
122 return token;
123 }
124
125
126 /*
127 * Add alias SIDs from memberships within the partially created token SID list
128 */
129
130 NTSTATUS add_aliases(const struct dom_sid *domain_sid,
131 struct security_token *token)
132 {
133 uint32_t *aliases;
134 size_t i, num_aliases;
135 NTSTATUS status;
136 TALLOC_CTX *tmp_ctx;
137
138 if (!(tmp_ctx = talloc_init("add_aliases"))) {
139 return NT_STATUS_NO_MEMORY;
140 }
141
142 aliases = NULL;
143 num_aliases = 0;
144
145 status = pdb_enum_alias_memberships(tmp_ctx, domain_sid,
146 token->sids,
147 token->num_sids,
148 &aliases, &num_aliases);
149
150 if (!NT_STATUS_IS_OK(status)) {
151 DEBUG(10, ("pdb_enum_alias_memberships failed: %s\n",
152 nt_errstr(status)));
153 goto done;
154 }
155
156 for (i=0; i<num_aliases; i++) {
157 struct dom_sid alias_sid;
158 sid_compose(&alias_sid, domain_sid, aliases[i]);
159 status = add_sid_to_array_unique(token, &alias_sid,
160 &token->sids,
161 &token->num_sids);
162 if (!NT_STATUS_IS_OK(status)) {
163 DEBUG(0, ("add_sid_to_array failed\n"));
164 goto done;
165 }
166 }
167
168 done:
169 TALLOC_FREE(tmp_ctx);
170 return NT_STATUS_OK;
171 }
172
173 /*******************************************************************
174 *******************************************************************/
175
176 static NTSTATUS add_builtin_administrators(struct security_token *token,
177 const struct dom_sid *dom_sid)
178 {
179 struct dom_sid domadm;
180 NTSTATUS status;
181
182 /* nothing to do if we aren't in a domain */
183
184 if ( !(IS_DC || lp_server_role()==ROLE_DOMAIN_MEMBER) ) {
185 return NT_STATUS_OK;
186 }
187
188 /* Find the Domain Admins SID */
189
190 if ( IS_DC ) {
191 sid_copy( &domadm, get_global_sam_sid() );
192 } else {
193 if (dom_sid == NULL) {
194 return NT_STATUS_INVALID_PARAMETER_MIX;
195 }
196 sid_copy(&domadm, dom_sid);
197 }
198 sid_append_rid( &domadm, DOMAIN_RID_ADMINS );
199
200 /* Add Administrators if the user beloongs to Domain Admins */
201
202 if ( nt_token_check_sid( &domadm, token ) ) {
203 status = add_sid_to_array(token,
204 &global_sid_Builtin_Administrators,
205 &token->sids, &token->num_sids);
206 if (!NT_STATUS_IS_OK(status)) {
207 return status;
208 }
209 }
210
211 return NT_STATUS_OK;
212 }
213
214 static NTSTATUS add_local_groups(struct security_token *result,
215 bool is_guest);
216 static NTSTATUS finalize_local_nt_token(struct security_token *result,
217 bool is_guest);
218
219 NTSTATUS get_user_sid_info3_and_extra(const struct netr_SamInfo3 *info3,
220 const struct extra_auth_info *extra,
221 struct dom_sid *sid)
222 {
223 /* USER SID */
224 if (info3->base.rid == (uint32_t)(-1)) {
225 /* this is a signal the user was fake and generated,
226 * the actual SID we want to use is stored in the extra
227 * sids */
228 if (is_null_sid(&extra->user_sid)) {
229 /* we couldn't find the user sid, bail out */
230 DEBUG(3, ("Invalid user SID\n"));
231 return NT_STATUS_UNSUCCESSFUL;
232 }
233 sid_copy(sid, &extra->user_sid);
234 } else {
235 sid_copy(sid, info3->base.domain_sid);
236 sid_append_rid(sid, info3->base.rid);
237 }
238 return NT_STATUS_OK;
239 }
240
241 NTSTATUS create_local_nt_token_from_info3(TALLOC_CTX *mem_ctx,
242 bool is_guest,
243 const struct netr_SamInfo3 *info3,
244 const struct extra_auth_info *extra,
245 struct security_token **ntok)
246 {
247 struct security_token *usrtok = NULL;
248 NTSTATUS status;
249 int i;
250
251 DEBUG(10, ("Create local NT token for %s\n",
252 info3->base.account_name.string));
253
254 usrtok = talloc_zero(mem_ctx, struct security_token);
255 if (!usrtok) {
256 DEBUG(0, ("talloc failed\n"));
257 return NT_STATUS_NO_MEMORY;
258 }
259
260 /* Add the user and primary group sid FIRST */
261 /* check if the user rid is the special "Domain Guests" rid.
262 * If so pick the first sid for the extra sids instead as it
263 * is a local fake account */
264 usrtok->sids = talloc_array(usrtok, struct dom_sid, 2);
265 if (!usrtok->sids) {
266 TALLOC_FREE(usrtok);
267 return NT_STATUS_NO_MEMORY;
268 }
269 usrtok->num_sids = 2;
270
271 status = get_user_sid_info3_and_extra(info3, extra, &usrtok->sids[0]);
272 if (!NT_STATUS_IS_OK(status)) {
273 TALLOC_FREE(usrtok);
274 return status;
275 }
276
277 /* GROUP SID */
278 if (info3->base.primary_gid == (uint32_t)(-1)) {
279 /* this is a signal the user was fake and generated,
280 * the actual SID we want to use is stored in the extra
281 * sids */
282 if (is_null_sid(&extra->pgid_sid)) {
283 /* we couldn't find the user sid, bail out */
284 DEBUG(3, ("Invalid group SID\n"));
285 TALLOC_FREE(usrtok);
286 return NT_STATUS_UNSUCCESSFUL;
287 }
288 sid_copy(&usrtok->sids[1], &extra->pgid_sid);
289 } else {
290 sid_copy(&usrtok->sids[1], info3->base.domain_sid);
291 sid_append_rid(&usrtok->sids[1],
292 info3->base.primary_gid);
293 }
294
295 /* Now the SIDs we got from authentication. These are the ones from
296 * the info3 struct or from the pdb_enum_group_memberships, depending
297 * on who authenticated the user.
298 * Note that we start the for loop at "1" here, we already added the
299 * first group sid as primary above. */
300
301 for (i = 0; i < info3->base.groups.count; i++) {
302 struct dom_sid tmp_sid;
303
304 sid_copy(&tmp_sid, info3->base.domain_sid);
305 sid_append_rid(&tmp_sid, info3->base.groups.rids[i].rid);
306
307 status = add_sid_to_array_unique(usrtok, &tmp_sid,
308 &usrtok->sids,
309 &usrtok->num_sids);
310 if (!NT_STATUS_IS_OK(status)) {
311 DEBUG(3, ("Failed to add SID to nt token\n"));
312 TALLOC_FREE(usrtok);
313 return status;
314 }
315 }
316
317 /* now also add extra sids if they are not the special user/group
318 * sids */
319 for (i = 0; i < info3->sidcount; i++) {
320 status = add_sid_to_array_unique(usrtok,
321 info3->sids[i].sid,
322 &usrtok->sids,
323 &usrtok->num_sids);
324 if (!NT_STATUS_IS_OK(status)) {
325 DEBUG(3, ("Failed to add SID to nt token\n"));
326 TALLOC_FREE(usrtok);
327 return status;
328 }
329 }
330
331 status = add_local_groups(usrtok, is_guest);
332 if (!NT_STATUS_IS_OK(status)) {
333 DEBUG(3, ("Failed to add local groups\n"));
334 TALLOC_FREE(usrtok);
335 return status;
336 }
337
338 status = finalize_local_nt_token(usrtok, is_guest);
339 if (!NT_STATUS_IS_OK(status)) {
340 DEBUG(3, ("Failed to finalize nt token\n"));
341 TALLOC_FREE(usrtok);
342 return status;
343 }
344
345 *ntok = usrtok;
346 return NT_STATUS_OK;
347 }
348
349 /*******************************************************************
350 Create a NT token for the user, expanding local aliases
351 *******************************************************************/
352
353 struct security_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
354 const struct dom_sid *user_sid,
355 bool is_guest,
356 int num_groupsids,
357 const struct dom_sid *groupsids)
358 {
359 struct security_token *result = NULL;
360 int i;
361 NTSTATUS status;
362
363 DEBUG(10, ("Create local NT token for %s\n",
364 sid_string_dbg(user_sid)));
365
366 if (!(result = talloc_zero(mem_ctx, struct security_token))) {
367 DEBUG(0, ("talloc failed\n"));
368 return NULL;
369 }
370
371 /* Add the user and primary group sid */
372
373 status = add_sid_to_array(result, user_sid,
374 &result->sids, &result->num_sids);
375 if (!NT_STATUS_IS_OK(status)) {
376 TALLOC_FREE(result);
377 return NULL;
378 }
379
380 /* For guest, num_groupsids may be zero. */
381 if (num_groupsids) {
382 status = add_sid_to_array(result, &groupsids[0],
383 &result->sids,
384 &result->num_sids);
385 if (!NT_STATUS_IS_OK(status)) {
386 TALLOC_FREE(result);
387 return NULL;
388 }
389 }
390
391 /* Now the SIDs we got from authentication. These are the ones from
392 * the info3 struct or from the pdb_enum_group_memberships, depending
393 * on who authenticated the user.
394 * Note that we start the for loop at "1" here, we already added the
395 * first group sid as primary above. */
396
397 for (i=1; i<num_groupsids; i++) {
398 status = add_sid_to_array_unique(result, &groupsids[i],
399 &result->sids,
400 &result->num_sids);
401 if (!NT_STATUS_IS_OK(status)) {
402 TALLOC_FREE(result);
403 return NULL;
404 }
405 }
406
407 status = add_local_groups(result, is_guest);
408 if (!NT_STATUS_IS_OK(status)) {
409 TALLOC_FREE(result);
410 return NULL;
411 }
412
413 status = finalize_local_nt_token(result, is_guest);
414 if (!NT_STATUS_IS_OK(status)) {
415 TALLOC_FREE(result);
416 return NULL;
417 }
418
419 return result;
420 }
421
422 /***************************************************
423 Merge in any groups from /etc/group.
424 ***************************************************/
425
426 static NTSTATUS add_local_groups(struct security_token *result,
427 bool is_guest)
428 {
429 gid_t *gids = NULL;
430 uint32_t getgroups_num_group_sids = 0;
431 struct passwd *pass = NULL;
432 TALLOC_CTX *tmp_ctx = talloc_stackframe();
433 int i;
434
435 if (is_guest) {
436 /*
437 * Guest is a special case. It's always
438 * a user that can be looked up, but
439 * result->sids[0] is set to DOMAIN\Guest.
440 * Lookup by account name instead.
441 */
442 pass = Get_Pwnam_alloc(tmp_ctx, lp_guest_account());
443 } else {
444 uid_t uid;
445
446 /* For non-guest result->sids[0] is always the user sid. */
447 if (!sid_to_uid(&result->sids[0], &uid)) {
448 /*
449 * Non-mappable SID like SYSTEM.
450 * Can't be in any /etc/group groups.
451 */
452 TALLOC_FREE(tmp_ctx);
453 return NT_STATUS_OK;
454 }
455
456 pass = getpwuid_alloc(tmp_ctx, uid);
457 if (pass == NULL) {
458 DEBUG(1, ("SID %s -> getpwuid(%u) failed\n",
459 sid_string_dbg(&result->sids[0]),
460 (unsigned int)uid));
461 }
462 }
463
464 if (!pass) {
465 TALLOC_FREE(tmp_ctx);
466 return NT_STATUS_UNSUCCESSFUL;
467 }
468
469 /*
470 * Now we must get any groups this user has been
471 * added to in /etc/group and merge them in.
472 * This has to be done in every code path
473 * that creates an NT token, as remote users
474 * may have been added to the local /etc/group
475 * database. Tokens created merely from the
476 * info3 structs (via the DC or via the krb5 PAC)
477 * won't have these local groups. Note the
478 * groups added here will only be UNIX groups
479 * (S-1-22-2-XXXX groups) as getgroups_unix_user()
480 * turns off winbindd before calling getgroups().
481 *
482 * NB. This is duplicating work already
483 * done in the 'unix_user:' case of
484 * create_token_from_sid() but won't
485 * do anything other than be inefficient
486 * in that case.
487 */
488
489 if (!getgroups_unix_user(tmp_ctx, pass->pw_name, pass->pw_gid,
490 &gids, &getgroups_num_group_sids)) {
491 DEBUG(1, ("getgroups_unix_user for user %s failed\n",
492 pass->pw_name));
493 TALLOC_FREE(tmp_ctx);
494 return NT_STATUS_UNSUCCESSFUL;
495 }
496
497 for (i=0; i<getgroups_num_group_sids; i++) {
498 NTSTATUS status;
499 struct dom_sid grp_sid;
500 gid_to_sid(&grp_sid, gids[i]);
501
502 status = add_sid_to_array_unique(result,
503 &grp_sid,
504 &result->sids,
505 &result->num_sids);
506 if (!NT_STATUS_IS_OK(status)) {
507 DEBUG(3, ("Failed to add UNIX SID to nt token\n"));
508 TALLOC_FREE(tmp_ctx);
509 return status;
510 }
511 }
512 TALLOC_FREE(tmp_ctx);
513 return NT_STATUS_OK;
514 }
515
516 static NTSTATUS finalize_local_nt_token(struct security_token *result,
517 bool is_guest)
518 {
519 struct dom_sid _dom_sid = { 0, };
520 struct dom_sid *domain_sid = NULL;
521 NTSTATUS status;
522 struct acct_info *info;
523 bool ok;
524
525 /* Add in BUILTIN sids */
526
527 status = add_sid_to_array(result, &global_sid_World,
528 &result->sids, &result->num_sids);
529 if (!NT_STATUS_IS_OK(status)) {
530 return status;
531 }
532 status = add_sid_to_array(result, &global_sid_Network,
533 &result->sids, &result->num_sids);
534 if (!NT_STATUS_IS_OK(status)) {
535 return status;
536 }
537
538 if (is_guest) {
539 status = add_sid_to_array(result, &global_sid_Builtin_Guests,
540 &result->sids,
541 &result->num_sids);
542 if (!NT_STATUS_IS_OK(status)) {
543 return status;
544 }
545 } else {
546 status = add_sid_to_array(result,
547 &global_sid_Authenticated_Users,
548 &result->sids,
549 &result->num_sids);
550 if (!NT_STATUS_IS_OK(status)) {
551 return status;
552 }
553 }
554
555 become_root();
556 ok = secrets_fetch_domain_sid(lp_workgroup(), &_dom_sid);
557 if (ok) {
558 domain_sid = &_dom_sid;
559 } else {
560 DEBUG(3, ("Failed to fetch domain sid for %s\n",
561 lp_workgroup()));
562 }
563 unbecome_root();
564
565 info = talloc_zero(talloc_tos(), struct acct_info);
566 if (info == NULL) {
567 DEBUG(0, ("talloc failed!\n"));
568 return NT_STATUS_NO_MEMORY;
569 }
570
571 /* Deal with the BUILTIN\Administrators group. If the SID can
572 be resolved then assume that the add_aliasmem( S-1-5-32 )
573 handled it. */
574
575 status = pdb_get_aliasinfo(&global_sid_Builtin_Administrators, info);
576 if (!NT_STATUS_IS_OK(status)) {
577
578 become_root();
579 status = create_builtin_administrators(domain_sid);
580 unbecome_root();
581
582 if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE)) {
583 /* Add BUILTIN\Administrators directly to token. */
584 status = add_builtin_administrators(result, domain_sid);
585 if ( !NT_STATUS_IS_OK(status) ) {
586 DEBUG(3, ("Failed to check for local "
587 "Administrators membership (%s)\n",
588 nt_errstr(status)));
589 }
590 } else if (!NT_STATUS_IS_OK(status)) {
591 DEBUG(2, ("WARNING: Failed to create "
592 "BUILTIN\\Administrators group! Can "
593 "Winbind allocate gids?\n"));
594 }
595 }
596
597 /* Deal with the BUILTIN\Users group. If the SID can
598 be resolved then assume that the add_aliasmem( S-1-5-32 )
599 handled it. */
600
601 status = pdb_get_aliasinfo(&global_sid_Builtin_Users, info);
602 if (!NT_STATUS_IS_OK(status)) {
603
604 become_root();
605 status = create_builtin_users(domain_sid);
606 unbecome_root();
607
608 if (!NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE) &&
609 !NT_STATUS_IS_OK(status))
610 {
611 DEBUG(2, ("WARNING: Failed to create BUILTIN\\Users group! "
612 "Can Winbind allocate gids?\n"));
613 }
614 }
615
616 TALLOC_FREE(info);
617
618 /* Deal with local groups */
619
620 if (lp_winbind_nested_groups()) {
621
622 become_root();
623
624 /* Now add the aliases. First the one from our local SAM */
625
626 status = add_aliases(get_global_sam_sid(), result);
627
628 if (!NT_STATUS_IS_OK(status)) {
629 unbecome_root();
630 return status;
631 }
632
633 /* Finally the builtin ones */
634
635 status = add_aliases(&global_sid_Builtin, result);
636
637 if (!NT_STATUS_IS_OK(status)) {
638 unbecome_root();
639 return status;
640 }
641
642 unbecome_root();
643 }
644
645 /* Add privileges based on current user sids */
646
647 get_privileges_for_sids(&result->privilege_mask, result->sids,
648 result->num_sids);
649
650 return NT_STATUS_OK;
651 }
652
653 /****************************************************************************
654 prints a UNIX 'token' to debug output.
655 ****************************************************************************/
656
657 void debug_unix_user_token(int dbg_class, int dbg_lev, uid_t uid, gid_t gid,
658 int n_groups, gid_t *groups)
659 {
660 int i;
661 DEBUGC(dbg_class, dbg_lev,
662 ("UNIX token of user %ld\n", (long int)uid));
663
664 DEBUGADDC(dbg_class, dbg_lev,
665 ("Primary group is %ld and contains %i supplementary "
666 "groups\n", (long int)gid, n_groups));
667 for (i = 0; i < n_groups; i++)
668 DEBUGADDC(dbg_class, dbg_lev, ("Group[%3i]: %ld\n", i,
669 (long int)groups[i]));
670 }
671
672 /*
673 * Create an artificial NT token given just a domain SID.
674 *
675 * We have 3 cases:
676 *
677 * unmapped unix users: Go directly to nss to find the user's group.
678 *
679 * A passdb user: The list of groups is provided by pdb_enum_group_memberships.
680 *
681 * If the user is provided by winbind, the primary gid is set to "domain
682 * users" of the user's domain. For an explanation why this is necessary, see
683 * the thread starting at
684 * http://lists.samba.org/archive/samba-technical/2006-January/044803.html.
685 */
686
687 static NTSTATUS create_token_from_sid(TALLOC_CTX *mem_ctx,
688 const struct dom_sid *user_sid,
689 bool is_guest,
690 uid_t *uid, gid_t *gid,
691 char **found_username,
692 struct security_token **token)
693 {
694 NTSTATUS result = NT_STATUS_NO_SUCH_USER;
695 TALLOC_CTX *tmp_ctx = talloc_stackframe();
696 gid_t *gids;
697 struct dom_sid *group_sids;
698 struct dom_sid tmp_sid;
699 uint32_t num_group_sids;
700 uint32_t num_gids;
701 uint32_t i;
702 uint32_t high, low;
703 bool range_ok;
704
705 if (sid_check_is_in_our_sam(user_sid)) {
706 bool ret;
707 uint32_t pdb_num_group_sids;
708 /* This is a passdb user, so ask passdb */
709
710 struct samu *sam_acct = NULL;
711
712 if ( !(sam_acct = samu_new( tmp_ctx )) ) {
713 result = NT_STATUS_NO_MEMORY;
714 goto done;
715 }
716
717 become_root();
718 ret = pdb_getsampwsid(sam_acct, user_sid);
719 unbecome_root();
720
721 if (!ret) {
722 DEBUG(1, ("pdb_getsampwsid(%s) failed\n",
723 sid_string_dbg(user_sid)));
724 DEBUGADD(1, ("Fall back to unix user\n"));
725 goto unix_user;
726 }
727
728 result = pdb_enum_group_memberships(tmp_ctx, sam_acct,
729 &group_sids, &gids,
730 &pdb_num_group_sids);
731 if (!NT_STATUS_IS_OK(result)) {
732 DEBUG(1, ("enum_group_memberships failed for %s: "
733 "%s\n", sid_string_dbg(user_sid),
734 nt_errstr(result)));
735 DEBUGADD(1, ("Fall back to unix uid lookup\n"));
736 goto unix_user;
737 }
738 num_group_sids = pdb_num_group_sids;
739
740 /* see the smb_panic() in pdb_default_enum_group_memberships */
741 SMB_ASSERT(num_group_sids > 0);
742
743 /* Ensure we're returning the found_username on the right context. */
744 *found_username = talloc_strdup(mem_ctx,
745 pdb_get_username(sam_acct));
746
747 if (*found_username == NULL) {
748 result = NT_STATUS_NO_MEMORY;
749 goto done;
750 }
751
752 /*
753 * If the SID from lookup_name() was the guest sid, passdb knows
754 * about the mapping of guest sid to lp_guest_account()
755 * username and will return the unix_pw info for a guest
756 * user. Use it if it's there, else lookup the *uid details
757 * using Get_Pwnam_alloc(). See bug #6291 for details. JRA.
758 */
759
760 /* We must always assign the *uid. */
761 if (sam_acct->unix_pw == NULL) {
762 struct passwd *pwd = Get_Pwnam_alloc(sam_acct, *found_username );
763 if (!pwd) {
764 DEBUG(10, ("Get_Pwnam_alloc failed for %s\n",
765 *found_username));
766 result = NT_STATUS_NO_SUCH_USER;
767 goto done;
768 }
769 result = samu_set_unix(sam_acct, pwd );
770 if (!NT_STATUS_IS_OK(result)) {
771 DEBUG(10, ("samu_set_unix failed for %s\n",
772 *found_username));
773 result = NT_STATUS_NO_SUCH_USER;
774 goto done;
775 }
776 }
777 *uid = sam_acct->unix_pw->pw_uid;
778
779 } else if (sid_check_is_in_unix_users(user_sid)) {
780 uint32_t getgroups_num_group_sids;
781 /* This is a unix user not in passdb. We need to ask nss
782 * directly, without consulting passdb */
783
784 struct passwd *pass;
785
786 /*
787 * This goto target is used as a fallback for the passdb
788 * case. The concrete bug report is when passdb gave us an
789 * unmapped gid.
790 */
791
792 unix_user:
793
794 if (!sid_to_uid(user_sid, uid)) {
795 DEBUG(1, ("unix_user case, sid_to_uid for %s failed\n",
796 sid_string_dbg(user_sid)));
797 result = NT_STATUS_NO_SUCH_USER;
798 goto done;
799 }
800
801 uid_to_unix_users_sid(*uid, &tmp_sid);
802 user_sid = &tmp_sid;
803
804 pass = getpwuid_alloc(tmp_ctx, *uid);
805 if (pass == NULL) {
806 DEBUG(1, ("getpwuid(%u) failed\n",
807 (unsigned int)*uid));
808 goto done;
809 }
810
811 if (!getgroups_unix_user(tmp_ctx, pass->pw_name, pass->pw_gid,
812 &gids, &getgroups_num_group_sids)) {
813 DEBUG(1, ("getgroups_unix_user for user %s failed\n",
814 pass->pw_name));
815 goto done;
816 }
817 num_group_sids = getgroups_num_group_sids;
818
819 group_sids = talloc_array(tmp_ctx, struct dom_sid, num_group_sids);
820 if (group_sids == NULL) {
821 DEBUG(1, ("talloc_array failed\n"));
822 result = NT_STATUS_NO_MEMORY;
823 goto done;
824 }
825
826 for (i=0; i<num_group_sids; i++) {
827 gid_to_sid(&group_sids[i], gids[i]);
828 }
829
830 /* In getgroups_unix_user we always set the primary gid */
831 SMB_ASSERT(num_group_sids > 0);
832
833 /* Ensure we're returning the found_username on the right context. */
834 *found_username = talloc_strdup(mem_ctx, pass->pw_name);
835 if (*found_username == NULL) {
836 result = NT_STATUS_NO_MEMORY;
837 goto done;
838 }
839 } else {
840
841 /* This user is from winbind, force the primary gid to the
842 * user's "domain users" group. Under certain circumstances
843 * (user comes from NT4), this might be a loss of
844 * information. But we can not rely on winbind getting the
845 * correct info. AD might prohibit winbind looking up that
846 * information. */
847
848 /* We must always assign the *uid. */
849 if (!sid_to_uid(user_sid, uid)) {
850 DEBUG(1, ("winbindd case, sid_to_uid for %s failed\n",
851 sid_string_dbg(user_sid)));
852 result = NT_STATUS_NO_SUCH_USER;
853 goto done;
854 }
855
856 num_group_sids = 1;
857 group_sids = talloc_array(tmp_ctx, struct dom_sid, num_group_sids);
858 if (group_sids == NULL) {
859 DEBUG(1, ("talloc_array failed\n"));
860 result = NT_STATUS_NO_MEMORY;
861 goto done;
862 }
863
864 gids = talloc_array(tmp_ctx, gid_t, num_group_sids);
865 if (gids == NULL) {
866 result = NT_STATUS_NO_MEMORY;
867 goto done;
868 }
869
870 sid_copy(&group_sids[0], user_sid);
871 sid_split_rid(&group_sids[0], NULL);
872 sid_append_rid(&group_sids[0], DOMAIN_RID_USERS);
873
874 if (!sid_to_gid(&group_sids[0], &gids[0])) {
875 DEBUG(1, ("sid_to_gid(%s) failed\n",
876 sid_string_dbg(&group_sids[0])));
877 goto done;
878 }
879
880 *found_username = NULL;
881 }
882
883 *gid = gids[0];
884
885 /* Add the "Unix Group" SID for each gid to catch mapped groups
886 and their Unix equivalent. This is to solve the backwards
887 compatibility problem of 'valid users = +ntadmin' where
888 ntadmin has been paired with "Domain Admins" in the group
889 mapping table. Otherwise smb.conf would need to be changed
890 to 'valid user = "Domain Admins"'. --jerry */
891
892 num_gids = num_group_sids;
893 range_ok = lp_idmap_default_range(&low, &high);
894 for ( i=0; i<num_gids; i++ ) {
895 struct dom_sid unix_group_sid;
896
897 /* don't pickup anything managed by Winbind */
898 if (range_ok && (gids[i] >= low) && (gids[i] <= high)) {
899 continue;
900 }
901
902 gid_to_unix_groups_sid(gids[i], &unix_group_sid);
903
904 result = add_sid_to_array_unique(tmp_ctx, &unix_group_sid,
905 &group_sids, &num_group_sids);
906 if (!NT_STATUS_IS_OK(result)) {
907 goto done;
908 }
909 }
910
911 /* Ensure we're creating the nt_token on the right context. */
912 *token = create_local_nt_token(mem_ctx, user_sid,
913 is_guest, num_group_sids, group_sids);
914
915 if (*token == NULL) {
916 result = NT_STATUS_NO_MEMORY;
917 goto done;
918 }
919
920 result = NT_STATUS_OK;
921 done:
922 TALLOC_FREE(tmp_ctx);
923 return result;
924 }
925
926 /*
927 * Create an artificial NT token given just a username. (Initially intended
928 * for force user)
929 *
930 * We go through lookup_name() to avoid problems we had with 'winbind use
931 * default domain'.
932 *
933 * We have 3 cases:
934 *
935 * unmapped unix users: Go directly to nss to find the user's group.
936 *
937 * A passdb user: The list of groups is provided by pdb_enum_group_memberships.
938 *
939 * If the user is provided by winbind, the primary gid is set to "domain
940 * users" of the user's domain. For an explanation why this is necessary, see
941 * the thread starting at
942 * http://lists.samba.org/archive/samba-technical/2006-January/044803.html.
943 */
944
945 NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
946 bool is_guest,
947 uid_t *uid, gid_t *gid,
948 char **found_username,
949 struct security_token **token)
950 {
951 NTSTATUS result = NT_STATUS_NO_SUCH_USER;
952 TALLOC_CTX *tmp_ctx = talloc_stackframe();
953 struct dom_sid user_sid;
954 enum lsa_SidType type;
955
956 if (!lookup_name_smbconf(tmp_ctx, username, LOOKUP_NAME_ALL,
957 NULL, NULL, &user_sid, &type)) {
958 DEBUG(1, ("lookup_name_smbconf for %s failed\n", username));
959 goto done;
960 }
961
962 if (type != SID_NAME_USER) {
963 DEBUG(1, ("%s is a %s, not a user\n", username,
964 sid_type_lookup(type)));
965 goto done;
966 }
967
968 result = create_token_from_sid(mem_ctx, &user_sid, is_guest, uid, gid, found_username, token);
969
970 if (!NT_STATUS_IS_OK(result)) {
971 goto done;
972 }
973
974 /*
975 * If result == NT_STATUS_OK then
976 * we know we have a valid token. Ensure
977 * we also have a valid username to match.
978 */
979
980 if (*found_username == NULL) {
981 *found_username = talloc_strdup(mem_ctx, username);
982 if (*found_username == NULL) {
983 result = NT_STATUS_NO_MEMORY;
984 }
985 }
986
987 done:
988 TALLOC_FREE(tmp_ctx);
989 return result;
990 }
991
992 /***************************************************************************
993 Build upon create_token_from_sid:
994
995 Expensive helper function to figure out whether a user given its sid is
996 member of a particular group.
997 ***************************************************************************/
998
999 bool user_sid_in_group_sid(const struct dom_sid *sid, const struct dom_sid *group_sid)
1000 {
1001 NTSTATUS status;
1002 uid_t uid;
1003 gid_t gid;
1004 char *found_username;
1005 struct security_token *token;
1006 bool result = false;
1007 enum lsa_SidType type;
1008 TALLOC_CTX *mem_ctx = talloc_stackframe();
1009
1010 if (!lookup_sid(mem_ctx, sid,
1011 NULL, NULL, &type)) {
1012 DEBUG(1, ("lookup_sid for %s failed\n", dom_sid_string(mem_ctx, sid)));
1013 goto done;
1014 }
1015
1016 if (type != SID_NAME_USER) {
1017 DEBUG(5, ("%s is a %s, not a user\n", dom_sid_string(mem_ctx, sid),
1018 sid_type_lookup(type)));
1019 goto done;
1020 }
1021
1022 status = create_token_from_sid(mem_ctx, sid, False,
1023 &uid, &gid, &found_username,
1024 &token);
1025
1026 if (!NT_STATUS_IS_OK(status)) {
1027 DEBUG(10, ("could not create token for %s\n", dom_sid_string(mem_ctx, sid)));
1028 goto done;
1029 }
1030
1031 result = security_token_has_sid(token, group_sid);
1032
1033 done:
1034 TALLOC_FREE(mem_ctx);
1035 return result;
1036 }
1037
1038 /***************************************************************************
1039 Build upon create_token_from_username:
1040
1041 Expensive helper function to figure out whether a user given its name is
1042 member of a particular group.
1043 ***************************************************************************/
1044
1045 bool user_in_group_sid(const char *username, const struct dom_sid *group_sid)
1046 {
1047 NTSTATUS status;
1048 uid_t uid;
1049 gid_t gid;
1050 char *found_username;
1051 struct security_token *token;
1052 bool result;
1053 TALLOC_CTX *mem_ctx = talloc_stackframe();
1054
1055 status = create_token_from_username(mem_ctx, username, False,
1056 &uid, &gid, &found_username,
1057 &token);
1058
1059 if (!NT_STATUS_IS_OK(status)) {
1060 DEBUG(10, ("could not create token for %s\n", username));
1061 TALLOC_FREE(mem_ctx);
1062 return False;
1063 }
1064
1065 result = security_token_has_sid(token, group_sid);
1066
1067 TALLOC_FREE(mem_ctx);
1068 return result;
1069 }
1070
1071 bool user_in_group(const char *username, const char *groupname)
1072 {
1073 TALLOC_CTX *mem_ctx = talloc_stackframe();
1074 struct dom_sid group_sid;
1075 bool ret;
1076
1077 ret = lookup_name(mem_ctx, groupname, LOOKUP_NAME_ALL,
1078 NULL, NULL, &group_sid, NULL);
1079 TALLOC_FREE(mem_ctx);
1080
1081 if (!ret) {
1082 DEBUG(10, ("lookup_name for (%s) failed.\n", groupname));
1083 return False;
1084 }
1085
1086 return user_in_group_sid(username, &group_sid);
1087 }
1088
1089 /* END */
Samba GIT mirror