search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
net_idmap: use wbcSet[U|G]idMapping() and wbcSet[U|G]idHwm() functions
[Samba.git] / source / winbindd / winbindd_passdb.c
blob7c1d7bd71b16318b37313cb2df28dcd381cb997b
1 /*
2 Unix SMB/CIFS implementation.
3
4 Winbind rpc backend functions
5
6 Copyright (C) Tim Potter 2000-2001,2003
7 Copyright (C) Simo Sorce 2003
8 Copyright (C) Volker Lendecke 2004
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "winbindd.h"
26
27 #undef DBGC_CLASS
28 #define DBGC_CLASS DBGC_WINBIND
29
30 /* Query display info for a domain. This returns enough information plus a
31 bit extra to give an overview of domain users for the User Manager
32 application. */
33 static NTSTATUS query_user_list(struct winbindd_domain *domain,
34 TALLOC_CTX *mem_ctx,
35 uint32 *num_entries,
36 WINBIND_USERINFO **info)
37 {
38 /* We don't have users */
39 *num_entries = 0;
40 *info = NULL;
41 return NT_STATUS_OK;
42 }
43
44 /* list all domain groups */
45 static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
46 TALLOC_CTX *mem_ctx,
47 uint32 *num_entries,
48 struct acct_info **info)
49 {
50 /* We don't have domain groups */
51 *num_entries = 0;
52 *info = NULL;
53 return NT_STATUS_OK;
54 }
55
56 /* List all domain groups */
57
58 static NTSTATUS enum_local_groups(struct winbindd_domain *domain,
59 TALLOC_CTX *mem_ctx,
60 uint32 *num_entries,
61 struct acct_info **info)
62 {
63 struct pdb_search *search;
64 struct samr_displayentry *aliases;
65 int i;
66 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
67
68 search = pdb_search_aliases(&domain->sid);
69 if (search == NULL) goto done;
70
71 *num_entries = pdb_search_entries(search, 0, 0xffffffff, &aliases);
72 if (*num_entries == 0) goto done;
73
74 *info = TALLOC_ARRAY(mem_ctx, struct acct_info, *num_entries);
75 if (*info == NULL) {
76 result = NT_STATUS_NO_MEMORY;
77 goto done;
78 }
79
80 for (i=0; i<*num_entries; i++) {
81 fstrcpy((*info)[i].acct_name, aliases[i].account_name);
82 fstrcpy((*info)[i].acct_desc, aliases[i].description);
83 (*info)[i].rid = aliases[i].rid;
84 }
85
86 result = NT_STATUS_OK;
87 done:
88 pdb_search_destroy(search);
89 return result;
90 }
91
92 /* convert a single name to a sid in a domain */
93 static NTSTATUS name_to_sid(struct winbindd_domain *domain,
94 TALLOC_CTX *mem_ctx,
95 enum winbindd_cmd original_cmd,
96 const char *domain_name,
97 const char *name,
98 DOM_SID *sid,
99 enum lsa_SidType *type)
100 {
101 uint32 flags = LOOKUP_NAME_ALL;
102
103 switch ( original_cmd ) {
104 case WINBINDD_LOOKUPNAME:
105 /* This call is ok */
106 break;
107 default:
108 /* Avoid any NSS calls in the lookup_name by default */
109 flags |= LOOKUP_NAME_EXPLICIT;
110 DEBUG(10,("winbindd_passdb: limiting name_to_sid() to explicit mappings\n"));
111 break;
112 }
113
114 DEBUG(10, ("Finding name %s\n", name));
115
116 if ( !lookup_name( mem_ctx, name, flags, NULL, NULL, sid, type ) ) {
117 return NT_STATUS_NONE_MAPPED;
118 }
119
120 return NT_STATUS_OK;
121 }
122
123 /*
124 convert a domain SID to a user or group name
125 */
126 static NTSTATUS sid_to_name(struct winbindd_domain *domain,
127 TALLOC_CTX *mem_ctx,
128 const DOM_SID *sid,
129 char **domain_name,
130 char **name,
131 enum lsa_SidType *type)
132 {
133 const char *dom, *nam;
134
135 DEBUG(10, ("Converting SID %s\n", sid_string_dbg(sid)));
136
137 /* Paranoia check */
138 if (!sid_check_is_in_builtin(sid) &&
139 !sid_check_is_in_our_domain(sid) &&
140 !sid_check_is_in_unix_users(sid) &&
141 !sid_check_is_unix_users(sid) &&
142 !sid_check_is_in_unix_groups(sid) &&
143 !sid_check_is_unix_groups(sid) &&
144 !sid_check_is_in_wellknown_domain(sid))
145 {
146 DEBUG(0, ("Possible deadlock: Trying to lookup SID %s with "
147 "passdb backend\n", sid_string_dbg(sid)));
148 return NT_STATUS_NONE_MAPPED;
149 }
150
151 if (!lookup_sid(mem_ctx, sid, &dom, &nam, type)) {
152 return NT_STATUS_NONE_MAPPED;
153 }
154
155 *domain_name = talloc_strdup(mem_ctx, dom);
156 *name = talloc_strdup(mem_ctx, nam);
157
158 return NT_STATUS_OK;
159 }
160
161 static NTSTATUS rids_to_names(struct winbindd_domain *domain,
162 TALLOC_CTX *mem_ctx,
163 const DOM_SID *sid,
164 uint32 *rids,
165 size_t num_rids,
166 char **domain_name,
167 char ***names,
168 enum lsa_SidType **types)
169 {
170 return NT_STATUS_UNSUCCESSFUL;
171 }
172
173 /* Lookup user information from a rid or username. */
174 static NTSTATUS query_user(struct winbindd_domain *domain,
175 TALLOC_CTX *mem_ctx,
176 const DOM_SID *user_sid,
177 WINBIND_USERINFO *user_info)
178 {
179 return NT_STATUS_NO_SUCH_USER;
180 }
181
182 /* Lookup groups a user is a member of. I wish Unix had a call like this! */
183 static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
184 TALLOC_CTX *mem_ctx,
185 const DOM_SID *user_sid,
186 uint32 *num_groups, DOM_SID **user_gids)
187 {
188 NTSTATUS result;
189 DOM_SID *groups = NULL;
190 gid_t *gids = NULL;
191 size_t ngroups = 0;
192 struct samu *user;
193
194 if ( (user = samu_new(mem_ctx)) == NULL ) {
195 return NT_STATUS_NO_MEMORY;
196 }
197
198 if ( !pdb_getsampwsid( user, user_sid ) ) {
199 return NT_STATUS_NO_SUCH_USER;
200 }
201
202 result = pdb_enum_group_memberships( mem_ctx, user, &groups, &gids, &ngroups );
203
204 TALLOC_FREE( user );
205
206 *num_groups = (uint32)ngroups;
207 *user_gids = groups;
208
209 return result;
210 }
211
212 static NTSTATUS lookup_useraliases(struct winbindd_domain *domain,
213 TALLOC_CTX *mem_ctx,
214 uint32 num_sids, const DOM_SID *sids,
215 uint32 *p_num_aliases, uint32 **rids)
216 {
217 NTSTATUS result;
218 size_t num_aliases = 0;
219
220 result = pdb_enum_alias_memberships(mem_ctx, &domain->sid,
221 sids, num_sids, rids, &num_aliases);
222
223 *p_num_aliases = num_aliases;
224 return result;
225 }
226
227 /* Lookup group membership given a rid. */
228 static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
229 TALLOC_CTX *mem_ctx,
230 const DOM_SID *group_sid, uint32 *num_names,
231 DOM_SID **sid_mem, char ***names,
232 uint32 **name_types)
233 {
234 size_t i, num_members, num_mapped;
235 uint32 *rids;
236 NTSTATUS result;
237 const DOM_SID **sids;
238 struct lsa_dom_info *lsa_domains;
239 struct lsa_name_info *lsa_names;
240 TALLOC_CTX *tmp_ctx;
241
242 if (!sid_check_is_in_our_domain(group_sid)) {
243 /* There's no groups, only aliases in BUILTIN */
244 return NT_STATUS_NO_SUCH_GROUP;
245 }
246
247 if (!(tmp_ctx = talloc_init("lookup_groupmem"))) {
248 return NT_STATUS_NO_MEMORY;
249 }
250
251 result = pdb_enum_group_members(tmp_ctx, group_sid, &rids,
252 &num_members);
253 if (!NT_STATUS_IS_OK(result)) {
254 TALLOC_FREE(tmp_ctx);
255 return result;
256 }
257
258 if (num_members == 0) {
259 *num_names = 0;
260 *sid_mem = NULL;
261 *names = NULL;
262 *name_types = NULL;
263 TALLOC_FREE(tmp_ctx);
264 return NT_STATUS_OK;
265 }
266
267 *sid_mem = TALLOC_ARRAY(mem_ctx, DOM_SID, num_members);
268 *names = TALLOC_ARRAY(mem_ctx, char *, num_members);
269 *name_types = TALLOC_ARRAY(mem_ctx, uint32, num_members);
270 sids = TALLOC_ARRAY(tmp_ctx, const DOM_SID *, num_members);
271
272 if (((*sid_mem) == NULL) || ((*names) == NULL) ||
273 ((*name_types) == NULL) || (sids == NULL)) {
274 TALLOC_FREE(tmp_ctx);
275 return NT_STATUS_NO_MEMORY;
276 }
277
278 /*
279 * Prepare an array of sid pointers for the lookup_sids calling
280 * convention.
281 */
282
283 for (i=0; i<num_members; i++) {
284 DOM_SID *sid = &((*sid_mem)[i]);
285 if (!sid_compose(sid, &domain->sid, rids[i])) {
286 TALLOC_FREE(tmp_ctx);
287 return NT_STATUS_INTERNAL_ERROR;
288 }
289 sids[i] = sid;
290 }
291
292 result = lookup_sids(tmp_ctx, num_members, sids, 1,
293 &lsa_domains, &lsa_names);
294 if (!NT_STATUS_IS_OK(result)) {
295 TALLOC_FREE(tmp_ctx);
296 return result;
297 }
298
299 num_mapped = 0;
300 for (i=0; i<num_members; i++) {
301 if (lsa_names[i].type != SID_NAME_USER) {
302 DEBUG(2, ("Got %s as group member -- ignoring\n",
303 sid_type_lookup(lsa_names[i].type)));
304 continue;
305 }
306 if (!((*names)[i] = talloc_strdup((*names),
307 lsa_names[i].name))) {
308 TALLOC_FREE(tmp_ctx);
309 return NT_STATUS_NO_MEMORY;
310 }
311
312 (*name_types)[i] = lsa_names[i].type;
313
314 num_mapped += 1;
315 }
316
317 *num_names = num_mapped;
318
319 TALLOC_FREE(tmp_ctx);
320 return NT_STATUS_OK;
321 }
322
323 /* find the sequence number for a domain */
324 static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq)
325 {
326 bool result;
327 time_t seq_num;
328
329 result = pdb_get_seq_num(&seq_num);
330 if (!result) {
331 *seq = 1;
332 }
333
334 *seq = (int) seq_num;
335 /* *seq = 1; */
336 return NT_STATUS_OK;
337 }
338
339 static NTSTATUS lockout_policy(struct winbindd_domain *domain,
340 TALLOC_CTX *mem_ctx,
341 struct samr_DomInfo12 *policy)
342 {
343 /* actually we have that */
344 return NT_STATUS_NOT_IMPLEMENTED;
345 }
346
347 static NTSTATUS password_policy(struct winbindd_domain *domain,
348 TALLOC_CTX *mem_ctx,
349 struct samr_DomInfo1 *policy)
350 {
351 uint32 min_pass_len,pass_hist,password_properties;
352 time_t u_expire, u_min_age;
353 NTTIME nt_expire, nt_min_age;
354 uint32 account_policy_temp;
355
356 if ((policy = TALLOC_ZERO_P(mem_ctx, struct samr_DomInfo1)) == NULL) {
357 return NT_STATUS_NO_MEMORY;
358 }
359
360 if (!pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &account_policy_temp)) {
361 return NT_STATUS_ACCESS_DENIED;
362 }
363 min_pass_len = account_policy_temp;
364
365 if (!pdb_get_account_policy(AP_PASSWORD_HISTORY, &account_policy_temp)) {
366 return NT_STATUS_ACCESS_DENIED;
367 }
368 pass_hist = account_policy_temp;
369
370 if (!pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp)) {
371 return NT_STATUS_ACCESS_DENIED;
372 }
373 password_properties = account_policy_temp;
374
375 if (!pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp)) {
376 return NT_STATUS_ACCESS_DENIED;
377 }
378 u_expire = account_policy_temp;
379
380 if (!pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp)) {
381 return NT_STATUS_ACCESS_DENIED;
382 }
383 u_min_age = account_policy_temp;
384
385 unix_to_nt_time_abs(&nt_expire, u_expire);
386 unix_to_nt_time_abs(&nt_min_age, u_min_age);
387
388 init_samr_DomInfo1(policy,
389 (uint16)min_pass_len,
390 (uint16)pass_hist,
391 password_properties,
392 nt_expire,
393 nt_min_age);
394
395 return NT_STATUS_OK;
396 }
397
398 /* get a list of trusted domains */
399 static NTSTATUS trusted_domains(struct winbindd_domain *domain,
400 TALLOC_CTX *mem_ctx,
401 uint32 *num_domains,
402 char ***names,
403 char ***alt_names,
404 DOM_SID **dom_sids)
405 {
406 NTSTATUS nt_status;
407 struct trustdom_info **domains;
408 int i;
409 TALLOC_CTX *tmp_ctx;
410
411 *num_domains = 0;
412 *names = NULL;
413 *alt_names = NULL;
414 *dom_sids = NULL;
415
416 if (!(tmp_ctx = talloc_init("trusted_domains"))) {
417 return NT_STATUS_NO_MEMORY;
418 }
419
420 nt_status = pdb_enum_trusteddoms(tmp_ctx, num_domains, &domains);
421 if (!NT_STATUS_IS_OK(nt_status)) {
422 TALLOC_FREE(tmp_ctx);
423 return nt_status;
424 }
425
426 if (*num_domains) {
427 *names = TALLOC_ARRAY(mem_ctx, char *, *num_domains);
428 *alt_names = TALLOC_ARRAY(mem_ctx, char *, *num_domains);
429 *dom_sids = TALLOC_ARRAY(mem_ctx, DOM_SID, *num_domains);
430
431 if ((*alt_names == NULL) || (*names == NULL) || (*dom_sids == NULL)) {
432 TALLOC_FREE(tmp_ctx);
433 return NT_STATUS_NO_MEMORY;
434 }
435 } else {
436 *names = NULL;
437 *alt_names = NULL;
438 *dom_sids = NULL;
439 }
440
441 for (i=0; i<*num_domains; i++) {
442 (*alt_names)[i] = NULL;
443 if (!((*names)[i] = talloc_strdup((*names),
444 domains[i]->name))) {
445 TALLOC_FREE(tmp_ctx);
446 return NT_STATUS_NO_MEMORY;
447 }
448 sid_copy(&(*dom_sids)[i], &domains[i]->sid);
449 }
450
451 TALLOC_FREE(tmp_ctx);
452 return NT_STATUS_OK;
453 }
454
455 /* the rpc backend methods are exposed via this structure */
456 struct winbindd_methods passdb_methods = {
457 False,
458 query_user_list,
459 enum_dom_groups,
460 enum_local_groups,
461 name_to_sid,
462 sid_to_name,
463 rids_to_names,
464 query_user,
465 lookup_usergroups,
466 lookup_useraliases,
467 lookup_groupmem,
468 sequence_number,
469 lockout_policy,
470 password_policy,
471 trusted_domains,
472 };
Samba GIT mirror