search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration
[Samba.git] / source3 / auth / token_util.c
blob21ccb0d1fe75471992f3a4e5cfa9a615fec4379a
1 /*
2 * Unix SMB/CIFS implementation.
3 * Authentication utility functions
4 * Copyright (C) Andrew Tridgell 1992-1998
5 * Copyright (C) Andrew Bartlett 2001
6 * Copyright (C) Jeremy Allison 2000-2001
7 * Copyright (C) Rafal Szczesniak 2002
8 * Copyright (C) Volker Lendecke 2006
9 * Copyright (C) Michael Adam 2007
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 3 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, see <http://www.gnu.org/licenses/>.
23 */
24
25 /* functions moved from auth/auth_util.c to minimize linker deps */
26
27 #include "includes.h"
28 #include "lib/util_unixsids.h"
29 #include "system/passwd.h"
30 #include "auth.h"
31 #include "secrets.h"
32 #include "../lib/util/memcache.h"
33 #include "../librpc/gen_ndr/netlogon.h"
34 #include "../libcli/security/security.h"
35 #include "../lib/util/util_pw.h"
36 #include "passdb.h"
37 #include "lib/privileges.h"
38
39 /****************************************************************************
40 Check for a SID in an struct security_token
41 ****************************************************************************/
42
43 bool nt_token_check_sid ( const struct dom_sid *sid, const struct security_token *token )
44 {
45 if ( !sid || !token )
46 return False;
47
48 return security_token_has_sid(token, sid);
49 }
50
51 bool nt_token_check_domain_rid( struct security_token *token, uint32_t rid )
52 {
53 struct dom_sid domain_sid;
54
55 /* if we are a domain member, the get the domain SID, else for
56 a DC or standalone server, use our own SID */
57
58 if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) {
59 if ( !secrets_fetch_domain_sid( lp_workgroup(),
60 &domain_sid ) ) {
61 DEBUG(1,("nt_token_check_domain_rid: Cannot lookup "
62 "SID for domain [%s]\n", lp_workgroup()));
63 return False;
64 }
65 }
66 else
67 sid_copy( &domain_sid, get_global_sam_sid() );
68
69 sid_append_rid( &domain_sid, rid );
70
71 return nt_token_check_sid( &domain_sid, token );\
72 }
73
74 /******************************************************************************
75 Create a token for the root user to be used internally by smbd.
76 This is similar to running under the context of the LOCAL_SYSTEM account
77 in Windows. This is a read-only token. Do not modify it or free() it.
78 Create a copy if you need to change it.
79 ******************************************************************************/
80
81 struct security_token *get_root_nt_token( void )
82 {
83 struct security_token *token, *for_cache;
84 struct dom_sid u_sid, g_sid;
85 struct passwd *pw;
86 void *cache_data;
87
88 cache_data = memcache_lookup_talloc(
89 NULL, SINGLETON_CACHE_TALLOC,
90 data_blob_string_const_null("root_nt_token"));
91
92 if (cache_data != NULL) {
93 return talloc_get_type_abort(
94 cache_data, struct security_token);
95 }
96
97 if ( !(pw = getpwuid(0)) ) {
98 if ( !(pw = getpwnam("root")) ) {
99 DEBUG(0,("get_root_nt_token: both getpwuid(0) "
100 "and getpwnam(\"root\") failed!\n"));
101 return NULL;
102 }
103 }
104
105 /* get the user and primary group SIDs; although the
106 BUILTIN\Administrators SId is really the one that matters here */
107
108 uid_to_sid(&u_sid, pw->pw_uid);
109 gid_to_sid(&g_sid, pw->pw_gid);
110
111 token = create_local_nt_token(talloc_tos(), &u_sid, False,
112 1, &global_sid_Builtin_Administrators);
113
114 security_token_set_privilege(token, SEC_PRIV_DISK_OPERATOR);
115
116 for_cache = token;
117
118 memcache_add_talloc(
119 NULL, SINGLETON_CACHE_TALLOC,
120 data_blob_string_const_null("root_nt_token"), &for_cache);
121
122 return token;
123 }
124
125
126 /*
127 * Add alias SIDs from memberships within the partially created token SID list
128 */
129
130 NTSTATUS add_aliases(const struct dom_sid *domain_sid,
131 struct security_token *token)
132 {
133 uint32_t *aliases;
134 size_t i, num_aliases;
135 NTSTATUS status;
136 TALLOC_CTX *tmp_ctx;
137
138 if (!(tmp_ctx = talloc_init("add_aliases"))) {
139 return NT_STATUS_NO_MEMORY;
140 }
141
142 aliases = NULL;
143 num_aliases = 0;
144
145 status = pdb_enum_alias_memberships(tmp_ctx, domain_sid,
146 token->sids,
147 token->num_sids,
148 &aliases, &num_aliases);
149
150 if (!NT_STATUS_IS_OK(status)) {
151 DEBUG(10, ("pdb_enum_alias_memberships failed: %s\n",
152 nt_errstr(status)));
153 goto done;
154 }
155
156 for (i=0; i<num_aliases; i++) {
157 struct dom_sid alias_sid;
158 sid_compose(&alias_sid, domain_sid, aliases[i]);
159 status = add_sid_to_array_unique(token, &alias_sid,
160 &token->sids,
161 &token->num_sids);
162 if (!NT_STATUS_IS_OK(status)) {
163 DEBUG(0, ("add_sid_to_array failed\n"));
164 goto done;
165 }
166 }
167
168 done:
169 TALLOC_FREE(tmp_ctx);
170 return NT_STATUS_OK;
171 }
172
173 /*******************************************************************
174 *******************************************************************/
175
176 static NTSTATUS add_builtin_administrators(struct security_token *token,
177 const struct dom_sid *dom_sid)
178 {
179 struct dom_sid domadm;
180 NTSTATUS status;
181
182 /* nothing to do if we aren't in a domain */
183
184 if ( !(IS_DC || lp_server_role()==ROLE_DOMAIN_MEMBER) ) {
185 return NT_STATUS_OK;
186 }
187
188 /* Find the Domain Admins SID */
189
190 if ( IS_DC ) {
191 sid_copy( &domadm, get_global_sam_sid() );
192 } else {
193 if (dom_sid == NULL) {
194 return NT_STATUS_INVALID_PARAMETER_MIX;
195 }
196 sid_copy(&domadm, dom_sid);
197 }
198 sid_append_rid( &domadm, DOMAIN_RID_ADMINS );
199
200 /* Add Administrators if the user beloongs to Domain Admins */
201
202 if ( nt_token_check_sid( &domadm, token ) ) {
203 status = add_sid_to_array(token,
204 &global_sid_Builtin_Administrators,
205 &token->sids, &token->num_sids);
206 if (!NT_STATUS_IS_OK(status)) {
207 return status;
208 }
209 }
210
211 return NT_STATUS_OK;
212 }
213
214 static NTSTATUS add_builtin_guests(struct security_token *token,
215 const struct dom_sid *dom_sid)
216 {
217 struct dom_sid tmp_sid;
218 NTSTATUS status;
219
220 /*
221 * First check the local GUEST account.
222 */
223 sid_compose(&tmp_sid, get_global_sam_sid(), DOMAIN_RID_GUEST);
224
225 if (nt_token_check_sid(&tmp_sid, token)) {
226 status = add_sid_to_array_unique(token,
227 &global_sid_Builtin_Guests,
228 &token->sids, &token->num_sids);
229 if (!NT_STATUS_IS_OK(status)) {
230 return status;
231 }
232
233 return NT_STATUS_OK;
234 }
235
236 /*
237 * First check the local GUESTS group.
238 */
239 sid_compose(&tmp_sid, get_global_sam_sid(), DOMAIN_RID_GUESTS);
240
241 if (nt_token_check_sid(&tmp_sid, token)) {
242 status = add_sid_to_array_unique(token,
243 &global_sid_Builtin_Guests,
244 &token->sids, &token->num_sids);
245 if (!NT_STATUS_IS_OK(status)) {
246 return status;
247 }
248
249 return NT_STATUS_OK;
250 }
251
252 if (lp_server_role() != ROLE_DOMAIN_MEMBER) {
253 return NT_STATUS_OK;
254 }
255
256 if (dom_sid == NULL) {
257 return NT_STATUS_INVALID_PARAMETER_MIX;
258 }
259
260 /*
261 * First check the domain GUESTS group.
262 */
263 sid_copy(&tmp_sid, dom_sid);
264 sid_append_rid(&tmp_sid, DOMAIN_RID_GUESTS);
265
266 if (nt_token_check_sid(&tmp_sid, token)) {
267 status = add_sid_to_array_unique(token,
268 &global_sid_Builtin_Guests,
269 &token->sids, &token->num_sids);
270 if (!NT_STATUS_IS_OK(status)) {
271 return status;
272 }
273
274 return NT_STATUS_OK;
275 }
276
277 return NT_STATUS_OK;
278 }
279
280 static NTSTATUS add_local_groups(struct security_token *result,
281 bool is_guest);
282
283 NTSTATUS get_user_sid_info3_and_extra(const struct netr_SamInfo3 *info3,
284 const struct extra_auth_info *extra,
285 struct dom_sid *sid)
286 {
287 /* USER SID */
288 if (info3->base.rid == (uint32_t)(-1)) {
289 /* this is a signal the user was fake and generated,
290 * the actual SID we want to use is stored in the extra
291 * sids */
292 if (is_null_sid(&extra->user_sid)) {
293 /* we couldn't find the user sid, bail out */
294 DEBUG(3, ("Invalid user SID\n"));
295 return NT_STATUS_UNSUCCESSFUL;
296 }
297 sid_copy(sid, &extra->user_sid);
298 } else {
299 sid_copy(sid, info3->base.domain_sid);
300 sid_append_rid(sid, info3->base.rid);
301 }
302 return NT_STATUS_OK;
303 }
304
305 NTSTATUS create_local_nt_token_from_info3(TALLOC_CTX *mem_ctx,
306 bool is_guest,
307 const struct netr_SamInfo3 *info3,
308 const struct extra_auth_info *extra,
309 struct security_token **ntok)
310 {
311 struct security_token *usrtok = NULL;
312 uint32_t session_info_flags = 0;
313 NTSTATUS status;
314 int i;
315
316 DEBUG(10, ("Create local NT token for %s\n",
317 info3->base.account_name.string));
318
319 usrtok = talloc_zero(mem_ctx, struct security_token);
320 if (!usrtok) {
321 DEBUG(0, ("talloc failed\n"));
322 return NT_STATUS_NO_MEMORY;
323 }
324
325 /* Add the user and primary group sid FIRST */
326 /* check if the user rid is the special "Domain Guests" rid.
327 * If so pick the first sid for the extra sids instead as it
328 * is a local fake account */
329 usrtok->sids = talloc_array(usrtok, struct dom_sid, 2);
330 if (!usrtok->sids) {
331 TALLOC_FREE(usrtok);
332 return NT_STATUS_NO_MEMORY;
333 }
334 usrtok->num_sids = 2;
335
336 status = get_user_sid_info3_and_extra(info3, extra, &usrtok->sids[0]);
337 if (!NT_STATUS_IS_OK(status)) {
338 TALLOC_FREE(usrtok);
339 return status;
340 }
341
342 /* GROUP SID */
343 if (info3->base.primary_gid == (uint32_t)(-1)) {
344 /* this is a signal the user was fake and generated,
345 * the actual SID we want to use is stored in the extra
346 * sids */
347 if (is_null_sid(&extra->pgid_sid)) {
348 /* we couldn't find the user sid, bail out */
349 DEBUG(3, ("Invalid group SID\n"));
350 TALLOC_FREE(usrtok);
351 return NT_STATUS_UNSUCCESSFUL;
352 }
353 sid_copy(&usrtok->sids[1], &extra->pgid_sid);
354 } else {
355 sid_copy(&usrtok->sids[1], info3->base.domain_sid);
356 sid_append_rid(&usrtok->sids[1],
357 info3->base.primary_gid);
358 }
359
360 /* Now the SIDs we got from authentication. These are the ones from
361 * the info3 struct or from the pdb_enum_group_memberships, depending
362 * on who authenticated the user.
363 * Note that we start the for loop at "1" here, we already added the
364 * first group sid as primary above. */
365
366 for (i = 0; i < info3->base.groups.count; i++) {
367 struct dom_sid tmp_sid;
368
369 sid_copy(&tmp_sid, info3->base.domain_sid);
370 sid_append_rid(&tmp_sid, info3->base.groups.rids[i].rid);
371
372 status = add_sid_to_array_unique(usrtok, &tmp_sid,
373 &usrtok->sids,
374 &usrtok->num_sids);
375 if (!NT_STATUS_IS_OK(status)) {
376 DEBUG(3, ("Failed to add SID to nt token\n"));
377 TALLOC_FREE(usrtok);
378 return status;
379 }
380 }
381
382 /* now also add extra sids if they are not the special user/group
383 * sids */
384 for (i = 0; i < info3->sidcount; i++) {
385 status = add_sid_to_array_unique(usrtok,
386 info3->sids[i].sid,
387 &usrtok->sids,
388 &usrtok->num_sids);
389 if (!NT_STATUS_IS_OK(status)) {
390 DEBUG(3, ("Failed to add SID to nt token\n"));
391 TALLOC_FREE(usrtok);
392 return status;
393 }
394 }
395
396 status = add_local_groups(usrtok, is_guest);
397 if (!NT_STATUS_IS_OK(status)) {
398 DEBUG(3, ("Failed to add local groups\n"));
399 TALLOC_FREE(usrtok);
400 return status;
401 }
402
403 session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
404 if (!is_guest) {
405 session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
406 }
407
408 status = finalize_local_nt_token(usrtok, session_info_flags);
409 if (!NT_STATUS_IS_OK(status)) {
410 DEBUG(3, ("Failed to finalize nt token\n"));
411 TALLOC_FREE(usrtok);
412 return status;
413 }
414
415 *ntok = usrtok;
416 return NT_STATUS_OK;
417 }
418
419 /*******************************************************************
420 Create a NT token for the user, expanding local aliases
421 *******************************************************************/
422
423 struct security_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
424 const struct dom_sid *user_sid,
425 bool is_guest,
426 int num_groupsids,
427 const struct dom_sid *groupsids)
428 {
429 struct security_token *result = NULL;
430 int i;
431 NTSTATUS status;
432 uint32_t session_info_flags = 0;
433
434 DEBUG(10, ("Create local NT token for %s\n",
435 sid_string_dbg(user_sid)));
436
437 if (!(result = talloc_zero(mem_ctx, struct security_token))) {
438 DEBUG(0, ("talloc failed\n"));
439 return NULL;
440 }
441
442 /* Add the user and primary group sid */
443
444 status = add_sid_to_array(result, user_sid,
445 &result->sids, &result->num_sids);
446 if (!NT_STATUS_IS_OK(status)) {
447 TALLOC_FREE(result);
448 return NULL;
449 }
450
451 /* For guest, num_groupsids may be zero. */
452 if (num_groupsids) {
453 status = add_sid_to_array(result, &groupsids[0],
454 &result->sids,
455 &result->num_sids);
456 if (!NT_STATUS_IS_OK(status)) {
457 TALLOC_FREE(result);
458 return NULL;
459 }
460 }
461
462 /* Now the SIDs we got from authentication. These are the ones from
463 * the info3 struct or from the pdb_enum_group_memberships, depending
464 * on who authenticated the user.
465 * Note that we start the for loop at "1" here, we already added the
466 * first group sid as primary above. */
467
468 for (i=1; i<num_groupsids; i++) {
469 status = add_sid_to_array_unique(result, &groupsids[i],
470 &result->sids,
471 &result->num_sids);
472 if (!NT_STATUS_IS_OK(status)) {
473 TALLOC_FREE(result);
474 return NULL;
475 }
476 }
477
478 status = add_local_groups(result, is_guest);
479 if (!NT_STATUS_IS_OK(status)) {
480 TALLOC_FREE(result);
481 return NULL;
482 }
483
484 session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
485 if (!is_guest) {
486 session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
487 }
488
489 status = finalize_local_nt_token(result, session_info_flags);
490 if (!NT_STATUS_IS_OK(status)) {
491 TALLOC_FREE(result);
492 return NULL;
493 }
494
495 if (is_guest) {
496 /*
497 * It's ugly, but for now it's
498 * needed to add Builtin_Guests
499 * here, the "local" token only
500 * consist of S-1-22-* SIDs
501 * and finalize_local_nt_token()
502 * doesn't have the chance to
503 * to detect it need to
504 * add Builtin_Guests via
505 * add_builtin_guests().
506 */
507 status = add_sid_to_array_unique(result,
508 &global_sid_Builtin_Guests,
509 &result->sids,
510 &result->num_sids);
511 if (!NT_STATUS_IS_OK(status)) {
512 DEBUG(3, ("Failed to add SID to nt token\n"));
513 TALLOC_FREE(result);
514 return NULL;
515 }
516 }
517
518 return result;
519 }
520
521 /***************************************************
522 Merge in any groups from /etc/group.
523 ***************************************************/
524
525 static NTSTATUS add_local_groups(struct security_token *result,
526 bool is_guest)
527 {
528 gid_t *gids = NULL;
529 uint32_t getgroups_num_group_sids = 0;
530 struct passwd *pass = NULL;
531 TALLOC_CTX *tmp_ctx = talloc_stackframe();
532 int i;
533
534 if (is_guest) {
535 /*
536 * Guest is a special case. It's always
537 * a user that can be looked up, but
538 * result->sids[0] is set to DOMAIN\Guest.
539 * Lookup by account name instead.
540 */
541 pass = Get_Pwnam_alloc(tmp_ctx, lp_guest_account());
542 } else {
543 uid_t uid;
544
545 /* For non-guest result->sids[0] is always the user sid. */
546 if (!sid_to_uid(&result->sids[0], &uid)) {
547 /*
548 * Non-mappable SID like SYSTEM.
549 * Can't be in any /etc/group groups.
550 */
551 TALLOC_FREE(tmp_ctx);
552 return NT_STATUS_OK;
553 }
554
555 pass = getpwuid_alloc(tmp_ctx, uid);
556 if (pass == NULL) {
557 DEBUG(1, ("SID %s -> getpwuid(%u) failed\n",
558 sid_string_dbg(&result->sids[0]),
559 (unsigned int)uid));
560 }
561 }
562
563 if (!pass) {
564 TALLOC_FREE(tmp_ctx);
565 return NT_STATUS_UNSUCCESSFUL;
566 }
567
568 /*
569 * Now we must get any groups this user has been
570 * added to in /etc/group and merge them in.
571 * This has to be done in every code path
572 * that creates an NT token, as remote users
573 * may have been added to the local /etc/group
574 * database. Tokens created merely from the
575 * info3 structs (via the DC or via the krb5 PAC)
576 * won't have these local groups. Note the
577 * groups added here will only be UNIX groups
578 * (S-1-22-2-XXXX groups) as getgroups_unix_user()
579 * turns off winbindd before calling getgroups().
580 *
581 * NB. This is duplicating work already
582 * done in the 'unix_user:' case of
583 * create_token_from_sid() but won't
584 * do anything other than be inefficient
585 * in that case.
586 */
587
588 if (!getgroups_unix_user(tmp_ctx, pass->pw_name, pass->pw_gid,
589 &gids, &getgroups_num_group_sids)) {
590 DEBUG(1, ("getgroups_unix_user for user %s failed\n",
591 pass->pw_name));
592 TALLOC_FREE(tmp_ctx);
593 return NT_STATUS_UNSUCCESSFUL;
594 }
595
596 for (i=0; i<getgroups_num_group_sids; i++) {
597 NTSTATUS status;
598 struct dom_sid grp_sid;
599 gid_to_sid(&grp_sid, gids[i]);
600
601 status = add_sid_to_array_unique(result,
602 &grp_sid,
603 &result->sids,
604 &result->num_sids);
605 if (!NT_STATUS_IS_OK(status)) {
606 DEBUG(3, ("Failed to add UNIX SID to nt token\n"));
607 TALLOC_FREE(tmp_ctx);
608 return status;
609 }
610 }
611 TALLOC_FREE(tmp_ctx);
612 return NT_STATUS_OK;
613 }
614
615 NTSTATUS finalize_local_nt_token(struct security_token *result,
616 uint32_t session_info_flags)
617 {
618 struct dom_sid _dom_sid = { 0, };
619 struct dom_sid *domain_sid = NULL;
620 NTSTATUS status;
621 struct acct_info *info;
622 bool ok;
623
624 result->privilege_mask = 0;
625 result->rights_mask = 0;
626
627 if (result->num_sids == 0) {
628 return NT_STATUS_INVALID_TOKEN;
629 }
630
631 if (session_info_flags & AUTH_SESSION_INFO_DEFAULT_GROUPS) {
632 status = add_sid_to_array(result, &global_sid_World,
633 &result->sids, &result->num_sids);
634 if (!NT_STATUS_IS_OK(status)) {
635 return status;
636 }
637 status = add_sid_to_array(result, &global_sid_Network,
638 &result->sids, &result->num_sids);
639 if (!NT_STATUS_IS_OK(status)) {
640 return status;
641 }
642 }
643
644 /*
645 * Don't expand nested groups of system, anonymous etc
646 *
647 * Note that they still get SID_WORLD and SID_NETWORK
648 * for now in order let existing tests pass.
649 *
650 * But SYSTEM doesn't get AUTHENTICATED_USERS
651 * and ANONYMOUS doesn't get BUILTIN GUESTS anymore.
652 */
653 if (security_token_is_anonymous(result)) {
654 return NT_STATUS_OK;
655 }
656 if (security_token_is_system(result)) {
657 result->privilege_mask = ~0;
658 return NT_STATUS_OK;
659 }
660
661 if (session_info_flags & AUTH_SESSION_INFO_AUTHENTICATED) {
662 status = add_sid_to_array(result,
663 &global_sid_Authenticated_Users,
664 &result->sids,
665 &result->num_sids);
666 if (!NT_STATUS_IS_OK(status)) {
667 return status;
668 }
669 }
670
671 /* Add in BUILTIN sids */
672
673 become_root();
674 ok = secrets_fetch_domain_sid(lp_workgroup(), &_dom_sid);
675 if (ok) {
676 domain_sid = &_dom_sid;
677 } else {
678 DEBUG(3, ("Failed to fetch domain sid for %s\n",
679 lp_workgroup()));
680 }
681 unbecome_root();
682
683 info = talloc_zero(talloc_tos(), struct acct_info);
684 if (info == NULL) {
685 DEBUG(0, ("talloc failed!\n"));
686 return NT_STATUS_NO_MEMORY;
687 }
688
689 /* Deal with the BUILTIN\Administrators group. If the SID can
690 be resolved then assume that the add_aliasmem( S-1-5-32 )
691 handled it. */
692
693 status = pdb_get_aliasinfo(&global_sid_Builtin_Administrators, info);
694 if (!NT_STATUS_IS_OK(status)) {
695
696 become_root();
697 status = create_builtin_administrators(domain_sid);
698 unbecome_root();
699
700 if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE)) {
701 /* Add BUILTIN\Administrators directly to token. */
702 status = add_builtin_administrators(result, domain_sid);
703 if ( !NT_STATUS_IS_OK(status) ) {
704 DEBUG(3, ("Failed to check for local "
705 "Administrators membership (%s)\n",
706 nt_errstr(status)));
707 }
708 } else if (!NT_STATUS_IS_OK(status)) {
709 DEBUG(2, ("WARNING: Failed to create "
710 "BUILTIN\\Administrators group! Can "
711 "Winbind allocate gids?\n"));
712 }
713 }
714
715 /* Deal with the BUILTIN\Users group. If the SID can
716 be resolved then assume that the add_aliasmem( S-1-5-32 )
717 handled it. */
718
719 status = pdb_get_aliasinfo(&global_sid_Builtin_Users, info);
720 if (!NT_STATUS_IS_OK(status)) {
721
722 become_root();
723 status = create_builtin_users(domain_sid);
724 unbecome_root();
725
726 if (!NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE) &&
727 !NT_STATUS_IS_OK(status))
728 {
729 DEBUG(2, ("WARNING: Failed to create BUILTIN\\Users group! "
730 "Can Winbind allocate gids?\n"));
731 }
732 }
733
734 /*
735 * Deal with the BUILTIN\Guests group. If the SID can
736 * be resolved then assume that the add_aliasmem( S-1-5-32 )
737 * handled it.
738 */
739 status = pdb_get_aliasinfo(&global_sid_Builtin_Guests, info);
740 if (!NT_STATUS_IS_OK(status)) {
741
742 become_root();
743 status = create_builtin_guests(domain_sid);
744 unbecome_root();
745
746 /*
747 * NT_STATUS_PROTOCOL_UNREACHABLE:
748 * => winbindd is not running.
749 *
750 * NT_STATUS_ACCESS_DENIED:
751 * => no idmap config at all
752 * and wbint_AllocateGid()/winbind_allocate_gid()
753 * failed.
754 *
755 * NT_STATUS_NO_SUCH_GROUP:
756 * => no idmap config at all and
757 * "tdbsam:map builtin = no" means
758 * wbint_Sids2UnixIDs() fails.
759 */
760 if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE) ||
761 NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
762 NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_GROUP)) {
763 /*
764 * Add BUILTIN\Guests directly to token.
765 * But only if the token already indicates
766 * real guest access by:
767 * - local GUEST account
768 * - local GUESTS group
769 * - domain GUESTS group
770 *
771 * Even if a user was authenticated, it
772 * can be member of a guest related group.
773 */
774 status = add_builtin_guests(result, domain_sid);
775 if (!NT_STATUS_IS_OK(status)) {
776 DEBUG(3, ("Failed to check for local "
777 "Guests membership (%s)\n",
778 nt_errstr(status)));
779 /*
780 * This is a hard error.
781 */
782 return status;
783 }
784 } else if (!NT_STATUS_IS_OK(status)) {
785 DEBUG(2, ("Failed to create "
786 "BUILTIN\\Guests group %s! Can "
787 "Winbind allocate gids?\n",
788 nt_errstr(status)));
789 /*
790 * This is a hard error.
791 */
792 return status;
793 }
794 }
795
796 TALLOC_FREE(info);
797
798 /* Deal with local groups */
799
800 if (lp_winbind_nested_groups()) {
801
802 become_root();
803
804 /* Now add the aliases. First the one from our local SAM */
805
806 status = add_aliases(get_global_sam_sid(), result);
807
808 if (!NT_STATUS_IS_OK(status)) {
809 unbecome_root();
810 return status;
811 }
812
813 /* Finally the builtin ones */
814
815 status = add_aliases(&global_sid_Builtin, result);
816
817 if (!NT_STATUS_IS_OK(status)) {
818 unbecome_root();
819 return status;
820 }
821
822 unbecome_root();
823 }
824
825 if (session_info_flags & AUTH_SESSION_INFO_NTLM) {
826 struct dom_sid tmp_sid = { 0, };
827
828 ok = dom_sid_parse(SID_NT_NTLM_AUTHENTICATION, &tmp_sid);
829 if (!ok) {
830 return NT_STATUS_NO_MEMORY;
831 }
832
833 status = add_sid_to_array(result,
834 &tmp_sid,
835 &result->sids,
836 &result->num_sids);
837 if (!NT_STATUS_IS_OK(status)) {
838 return status;
839 }
840 }
841
842 if (session_info_flags & AUTH_SESSION_INFO_SIMPLE_PRIVILEGES) {
843 if (security_token_has_builtin_administrators(result)) {
844 result->privilege_mask = ~0;
845 }
846 } else {
847 /* Add privileges based on current user sids */
848 get_privileges_for_sids(&result->privilege_mask, result->sids,
849 result->num_sids);
850 }
851
852 return NT_STATUS_OK;
853 }
854
855 /****************************************************************************
856 prints a UNIX 'token' to debug output.
857 ****************************************************************************/
858
859 void debug_unix_user_token(int dbg_class, int dbg_lev, uid_t uid, gid_t gid,
860 int n_groups, gid_t *groups)
861 {
862 int i;
863 DEBUGC(dbg_class, dbg_lev,
864 ("UNIX token of user %ld\n", (long int)uid));
865
866 DEBUGADDC(dbg_class, dbg_lev,
867 ("Primary group is %ld and contains %i supplementary "
868 "groups\n", (long int)gid, n_groups));
869 for (i = 0; i < n_groups; i++)
870 DEBUGADDC(dbg_class, dbg_lev, ("Group[%3i]: %ld\n", i,
871 (long int)groups[i]));
872 }
873
874 /*
875 * Create an artificial NT token given just a domain SID.
876 *
877 * We have 3 cases:
878 *
879 * unmapped unix users: Go directly to nss to find the user's group.
880 *
881 * A passdb user: The list of groups is provided by pdb_enum_group_memberships.
882 *
883 * If the user is provided by winbind, the primary gid is set to "domain
884 * users" of the user's domain. For an explanation why this is necessary, see
885 * the thread starting at
886 * http://lists.samba.org/archive/samba-technical/2006-January/044803.html.
887 */
888
889 static NTSTATUS create_token_from_sid(TALLOC_CTX *mem_ctx,
890 const struct dom_sid *user_sid,
891 bool is_guest,
892 uid_t *uid, gid_t *gid,
893 char **found_username,
894 struct security_token **token)
895 {
896 NTSTATUS result = NT_STATUS_NO_SUCH_USER;
897 TALLOC_CTX *tmp_ctx = talloc_stackframe();
898 gid_t *gids;
899 struct dom_sid *group_sids;
900 struct dom_sid tmp_sid;
901 uint32_t num_group_sids;
902 uint32_t num_gids;
903 uint32_t i;
904 uint32_t high, low;
905 bool range_ok;
906
907 if (sid_check_is_in_our_sam(user_sid)) {
908 bool ret;
909 uint32_t pdb_num_group_sids;
910 /* This is a passdb user, so ask passdb */
911
912 struct samu *sam_acct = NULL;
913
914 if ( !(sam_acct = samu_new( tmp_ctx )) ) {
915 result = NT_STATUS_NO_MEMORY;
916 goto done;
917 }
918
919 become_root();
920 ret = pdb_getsampwsid(sam_acct, user_sid);
921 unbecome_root();
922
923 if (!ret) {
924 DEBUG(1, ("pdb_getsampwsid(%s) failed\n",
925 sid_string_dbg(user_sid)));
926 DEBUGADD(1, ("Fall back to unix user\n"));
927 goto unix_user;
928 }
929
930 result = pdb_enum_group_memberships(tmp_ctx, sam_acct,
931 &group_sids, &gids,
932 &pdb_num_group_sids);
933 if (!NT_STATUS_IS_OK(result)) {
934 DEBUG(1, ("enum_group_memberships failed for %s: "
935 "%s\n", sid_string_dbg(user_sid),
936 nt_errstr(result)));
937 DEBUGADD(1, ("Fall back to unix uid lookup\n"));
938 goto unix_user;
939 }
940 num_group_sids = pdb_num_group_sids;
941
942 /* see the smb_panic() in pdb_default_enum_group_memberships */
943 SMB_ASSERT(num_group_sids > 0);
944
945 /* Ensure we're returning the found_username on the right context. */
946 *found_username = talloc_strdup(mem_ctx,
947 pdb_get_username(sam_acct));
948
949 if (*found_username == NULL) {
950 result = NT_STATUS_NO_MEMORY;
951 goto done;
952 }
953
954 /*
955 * If the SID from lookup_name() was the guest sid, passdb knows
956 * about the mapping of guest sid to lp_guest_account()
957 * username and will return the unix_pw info for a guest
958 * user. Use it if it's there, else lookup the *uid details
959 * using Get_Pwnam_alloc(). See bug #6291 for details. JRA.
960 */
961
962 /* We must always assign the *uid. */
963 if (sam_acct->unix_pw == NULL) {
964 struct passwd *pwd = Get_Pwnam_alloc(sam_acct, *found_username );
965 if (!pwd) {
966 DEBUG(10, ("Get_Pwnam_alloc failed for %s\n",
967 *found_username));
968 result = NT_STATUS_NO_SUCH_USER;
969 goto done;
970 }
971 result = samu_set_unix(sam_acct, pwd );
972 if (!NT_STATUS_IS_OK(result)) {
973 DEBUG(10, ("samu_set_unix failed for %s\n",
974 *found_username));
975 result = NT_STATUS_NO_SUCH_USER;
976 goto done;
977 }
978 }
979 *uid = sam_acct->unix_pw->pw_uid;
980
981 } else if (sid_check_is_in_unix_users(user_sid)) {
982 uint32_t getgroups_num_group_sids;
983 /* This is a unix user not in passdb. We need to ask nss
984 * directly, without consulting passdb */
985
986 struct passwd *pass;
987
988 /*
989 * This goto target is used as a fallback for the passdb
990 * case. The concrete bug report is when passdb gave us an
991 * unmapped gid.
992 */
993
994 unix_user:
995
996 if (!sid_to_uid(user_sid, uid)) {
997 DEBUG(1, ("unix_user case, sid_to_uid for %s failed\n",
998 sid_string_dbg(user_sid)));
999 result = NT_STATUS_NO_SUCH_USER;
1000 goto done;
1001 }
1002
1003 uid_to_unix_users_sid(*uid, &tmp_sid);
1004 user_sid = &tmp_sid;
1005
1006 pass = getpwuid_alloc(tmp_ctx, *uid);
1007 if (pass == NULL) {
1008 DEBUG(1, ("getpwuid(%u) failed\n",
1009 (unsigned int)*uid));
1010 goto done;
1011 }
1012
1013 if (!getgroups_unix_user(tmp_ctx, pass->pw_name, pass->pw_gid,
1014 &gids, &getgroups_num_group_sids)) {
1015 DEBUG(1, ("getgroups_unix_user for user %s failed\n",
1016 pass->pw_name));
1017 goto done;
1018 }
1019 num_group_sids = getgroups_num_group_sids;
1020
1021 group_sids = talloc_array(tmp_ctx, struct dom_sid, num_group_sids);
1022 if (group_sids == NULL) {
1023 DEBUG(1, ("talloc_array failed\n"));
1024 result = NT_STATUS_NO_MEMORY;
1025 goto done;
1026 }
1027
1028 for (i=0; i<num_group_sids; i++) {
1029 gid_to_sid(&group_sids[i], gids[i]);
1030 }
1031
1032 /* In getgroups_unix_user we always set the primary gid */
1033 SMB_ASSERT(num_group_sids > 0);
1034
1035 /* Ensure we're returning the found_username on the right context. */
1036 *found_username = talloc_strdup(mem_ctx, pass->pw_name);
1037 if (*found_username == NULL) {
1038 result = NT_STATUS_NO_MEMORY;
1039 goto done;
1040 }
1041 } else {
1042
1043 /* This user is from winbind, force the primary gid to the
1044 * user's "domain users" group. Under certain circumstances
1045 * (user comes from NT4), this might be a loss of
1046 * information. But we can not rely on winbind getting the
1047 * correct info. AD might prohibit winbind looking up that
1048 * information. */
1049
1050 /* We must always assign the *uid. */
1051 if (!sid_to_uid(user_sid, uid)) {
1052 DEBUG(1, ("winbindd case, sid_to_uid for %s failed\n",
1053 sid_string_dbg(user_sid)));
1054 result = NT_STATUS_NO_SUCH_USER;
1055 goto done;
1056 }
1057
1058 num_group_sids = 1;
1059 group_sids = talloc_array(tmp_ctx, struct dom_sid, num_group_sids);
1060 if (group_sids == NULL) {
1061 DEBUG(1, ("talloc_array failed\n"));
1062 result = NT_STATUS_NO_MEMORY;
1063 goto done;
1064 }
1065
1066 gids = talloc_array(tmp_ctx, gid_t, num_group_sids);
1067 if (gids == NULL) {
1068 result = NT_STATUS_NO_MEMORY;
1069 goto done;
1070 }
1071
1072 sid_copy(&group_sids[0], user_sid);
1073 sid_split_rid(&group_sids[0], NULL);
1074 sid_append_rid(&group_sids[0], DOMAIN_RID_USERS);
1075
1076 if (!sid_to_gid(&group_sids[0], &gids[0])) {
1077 DEBUG(1, ("sid_to_gid(%s) failed\n",
1078 sid_string_dbg(&group_sids[0])));
1079 goto done;
1080 }
1081
1082 *found_username = NULL;
1083 }
1084
1085 *gid = gids[0];
1086
1087 /* Add the "Unix Group" SID for each gid to catch mapped groups
1088 and their Unix equivalent. This is to solve the backwards
1089 compatibility problem of 'valid users = +ntadmin' where
1090 ntadmin has been paired with "Domain Admins" in the group
1091 mapping table. Otherwise smb.conf would need to be changed
1092 to 'valid user = "Domain Admins"'. --jerry */
1093
1094 num_gids = num_group_sids;
1095 range_ok = lp_idmap_default_range(&low, &high);
1096 for ( i=0; i<num_gids; i++ ) {
1097 struct dom_sid unix_group_sid;
1098
1099 /* don't pickup anything managed by Winbind */
1100 if (range_ok && (gids[i] >= low) && (gids[i] <= high)) {
1101 continue;
1102 }
1103
1104 gid_to_unix_groups_sid(gids[i], &unix_group_sid);
1105
1106 result = add_sid_to_array_unique(tmp_ctx, &unix_group_sid,
1107 &group_sids, &num_group_sids);
1108 if (!NT_STATUS_IS_OK(result)) {
1109 goto done;
1110 }
1111 }
1112
1113 /* Ensure we're creating the nt_token on the right context. */
1114 *token = create_local_nt_token(mem_ctx, user_sid,
1115 is_guest, num_group_sids, group_sids);
1116
1117 if (*token == NULL) {
1118 result = NT_STATUS_NO_MEMORY;
1119 goto done;
1120 }
1121
1122 result = NT_STATUS_OK;
1123 done:
1124 TALLOC_FREE(tmp_ctx);
1125 return result;
1126 }
1127
1128 /*
1129 * Create an artificial NT token given just a username. (Initially intended
1130 * for force user)
1131 *
1132 * We go through lookup_name() to avoid problems we had with 'winbind use
1133 * default domain'.
1134 *
1135 * We have 3 cases:
1136 *
1137 * unmapped unix users: Go directly to nss to find the user's group.
1138 *
1139 * A passdb user: The list of groups is provided by pdb_enum_group_memberships.
1140 *
1141 * If the user is provided by winbind, the primary gid is set to "domain
1142 * users" of the user's domain. For an explanation why this is necessary, see
1143 * the thread starting at
1144 * http://lists.samba.org/archive/samba-technical/2006-January/044803.html.
1145 */
1146
1147 NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
1148 bool is_guest,
1149 uid_t *uid, gid_t *gid,
1150 char **found_username,
1151 struct security_token **token)
1152 {
1153 NTSTATUS result = NT_STATUS_NO_SUCH_USER;
1154 TALLOC_CTX *tmp_ctx = talloc_stackframe();
1155 struct dom_sid user_sid;
1156 enum lsa_SidType type;
1157
1158 if (!lookup_name_smbconf(tmp_ctx, username, LOOKUP_NAME_ALL,
1159 NULL, NULL, &user_sid, &type)) {
1160 DEBUG(1, ("lookup_name_smbconf for %s failed\n", username));
1161 goto done;
1162 }
1163
1164 if (type != SID_NAME_USER) {
1165 DEBUG(1, ("%s is a %s, not a user\n", username,
1166 sid_type_lookup(type)));
1167 goto done;
1168 }
1169
1170 result = create_token_from_sid(mem_ctx, &user_sid, is_guest, uid, gid, found_username, token);
1171
1172 if (!NT_STATUS_IS_OK(result)) {
1173 goto done;
1174 }
1175
1176 /*
1177 * If result == NT_STATUS_OK then
1178 * we know we have a valid token. Ensure
1179 * we also have a valid username to match.
1180 */
1181
1182 if (*found_username == NULL) {
1183 *found_username = talloc_strdup(mem_ctx, username);
1184 if (*found_username == NULL) {
1185 result = NT_STATUS_NO_MEMORY;
1186 }
1187 }
1188
1189 done:
1190 TALLOC_FREE(tmp_ctx);
1191 return result;
1192 }
1193
1194 /***************************************************************************
1195 Build upon create_token_from_sid:
1196
1197 Expensive helper function to figure out whether a user given its sid is
1198 member of a particular group.
1199 ***************************************************************************/
1200
1201 bool user_sid_in_group_sid(const struct dom_sid *sid, const struct dom_sid *group_sid)
1202 {
1203 NTSTATUS status;
1204 uid_t uid;
1205 gid_t gid;
1206 char *found_username;
1207 struct security_token *token;
1208 bool result = false;
1209 enum lsa_SidType type;
1210 TALLOC_CTX *mem_ctx = talloc_stackframe();
1211
1212 if (!lookup_sid(mem_ctx, sid,
1213 NULL, NULL, &type)) {
1214 DEBUG(1, ("lookup_sid for %s failed\n", dom_sid_string(mem_ctx, sid)));
1215 goto done;
1216 }
1217
1218 if (type != SID_NAME_USER) {
1219 DEBUG(5, ("%s is a %s, not a user\n", dom_sid_string(mem_ctx, sid),
1220 sid_type_lookup(type)));
1221 goto done;
1222 }
1223
1224 status = create_token_from_sid(mem_ctx, sid, False,
1225 &uid, &gid, &found_username,
1226 &token);
1227
1228 if (!NT_STATUS_IS_OK(status)) {
1229 DEBUG(10, ("could not create token for %s\n", dom_sid_string(mem_ctx, sid)));
1230 goto done;
1231 }
1232
1233 result = security_token_has_sid(token, group_sid);
1234
1235 done:
1236 TALLOC_FREE(mem_ctx);
1237 return result;
1238 }
1239
1240 /***************************************************************************
1241 Build upon create_token_from_username:
1242
1243 Expensive helper function to figure out whether a user given its name is
1244 member of a particular group.
1245 ***************************************************************************/
1246
1247 bool user_in_group_sid(const char *username, const struct dom_sid *group_sid)
1248 {
1249 NTSTATUS status;
1250 uid_t uid;
1251 gid_t gid;
1252 char *found_username;
1253 struct security_token *token;
1254 bool result;
1255 TALLOC_CTX *mem_ctx = talloc_stackframe();
1256
1257 status = create_token_from_username(mem_ctx, username, False,
1258 &uid, &gid, &found_username,
1259 &token);
1260
1261 if (!NT_STATUS_IS_OK(status)) {
1262 DEBUG(10, ("could not create token for %s\n", username));
1263 TALLOC_FREE(mem_ctx);
1264 return False;
1265 }
1266
1267 result = security_token_has_sid(token, group_sid);
1268
1269 TALLOC_FREE(mem_ctx);
1270 return result;
1271 }
1272
1273 bool user_in_group(const char *username, const char *groupname)
1274 {
1275 TALLOC_CTX *mem_ctx = talloc_stackframe();
1276 struct dom_sid group_sid;
1277 bool ret;
1278
1279 ret = lookup_name(mem_ctx, groupname, LOOKUP_NAME_ALL,
1280 NULL, NULL, &group_sid, NULL);
1281 TALLOC_FREE(mem_ctx);
1282
1283 if (!ret) {
1284 DEBUG(10, ("lookup_name for (%s) failed.\n", groupname));
1285 return False;
1286 }
1287
1288 return user_in_group_sid(username, &group_sid);
1289 }
1290
1291 /* END */
Samba GIT mirror