search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
auth/credentials: don't ignore "client use kerberos" and --use-kerberos for machine...
[Samba.git] / source3 / auth / token_util.c
blob023ad7cbb028a026666c52eba148f0d2f5c34565
1 /*
2 * Unix SMB/CIFS implementation.
3 * Authentication utility functions
4 * Copyright (C) Andrew Tridgell 1992-1998
5 * Copyright (C) Andrew Bartlett 2001
6 * Copyright (C) Jeremy Allison 2000-2001
7 * Copyright (C) Rafal Szczesniak 2002
8 * Copyright (C) Volker Lendecke 2006
9 * Copyright (C) Michael Adam 2007
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 3 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, see <http://www.gnu.org/licenses/>.
23 */
24
25 /* functions moved from auth/auth_util.c to minimize linker deps */
26
27 #include "includes.h"
28 #include "lib/util_unixsids.h"
29 #include "system/passwd.h"
30 #include "auth.h"
31 #include "secrets.h"
32 #include "../lib/util/memcache.h"
33 #include "../librpc/gen_ndr/netlogon.h"
34 #include "../libcli/security/security.h"
35 #include "../lib/util/util_pw.h"
36 #include "passdb.h"
37 #include "lib/privileges.h"
38
39 /****************************************************************************
40 Check for a SID in an struct security_token
41 ****************************************************************************/
42
43 bool nt_token_check_sid ( const struct dom_sid *sid, const struct security_token *token )
44 {
45 if ( !sid || !token )
46 return False;
47
48 return security_token_has_sid(token, sid);
49 }
50
51 bool nt_token_check_domain_rid( struct security_token *token, uint32_t rid )
52 {
53 struct dom_sid domain_sid;
54
55 /* if we are a domain member, the get the domain SID, else for
56 a DC or standalone server, use our own SID */
57
58 if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) {
59 if ( !secrets_fetch_domain_sid( lp_workgroup(),
60 &domain_sid ) ) {
61 DEBUG(1,("nt_token_check_domain_rid: Cannot lookup "
62 "SID for domain [%s]\n", lp_workgroup()));
63 return False;
64 }
65 }
66 else
67 sid_copy( &domain_sid, get_global_sam_sid() );
68
69 sid_append_rid( &domain_sid, rid );
70
71 return nt_token_check_sid( &domain_sid, token );\
72 }
73
74 /******************************************************************************
75 Create a token for the root user to be used internally by smbd.
76 This is similar to running under the context of the LOCAL_SYSTEM account
77 in Windows. This is a read-only token. Do not modify it or free() it.
78 Create a copy if you need to change it.
79 ******************************************************************************/
80
81 NTSTATUS get_root_nt_token( struct security_token **token )
82 {
83 struct security_token *for_cache;
84 struct dom_sid u_sid, g_sid;
85 struct passwd *pw;
86 void *cache_data;
87 NTSTATUS status = NT_STATUS_OK;
88
89 cache_data = memcache_lookup_talloc(
90 NULL, SINGLETON_CACHE_TALLOC,
91 data_blob_string_const_null("root_nt_token"));
92
93 if (cache_data != NULL) {
94 *token = talloc_get_type_abort(
95 cache_data, struct security_token);
96 return NT_STATUS_OK;
97 }
98
99 if ( !(pw = getpwuid(0)) ) {
100 if ( !(pw = getpwnam("root")) ) {
101 DBG_ERR("get_root_nt_token: both getpwuid(0) "
102 "and getpwnam(\"root\") failed!\n");
103 return NT_STATUS_NO_SUCH_USER;
104 }
105 }
106
107 /* get the user and primary group SIDs; although the
108 BUILTIN\Administrators SId is really the one that matters here */
109
110 uid_to_sid(&u_sid, pw->pw_uid);
111 gid_to_sid(&g_sid, pw->pw_gid);
112
113 status = create_local_nt_token(talloc_tos(), &u_sid, False,
114 1, &global_sid_Builtin_Administrators, token);
115 if (!NT_STATUS_IS_OK(status)) {
116 return status;
117 }
118
119 security_token_set_privilege(*token, SEC_PRIV_DISK_OPERATOR);
120
121 for_cache = *token;
122
123 memcache_add_talloc(
124 NULL, SINGLETON_CACHE_TALLOC,
125 data_blob_string_const_null("root_nt_token"), &for_cache);
126
127 return status;
128 }
129
130
131 /*
132 * Add alias SIDs from memberships within the partially created token SID list
133 */
134
135 NTSTATUS add_aliases(const struct dom_sid *domain_sid,
136 struct security_token *token)
137 {
138 uint32_t *aliases;
139 size_t i, num_aliases;
140 NTSTATUS status;
141 TALLOC_CTX *tmp_ctx;
142
143 if (!(tmp_ctx = talloc_init("add_aliases"))) {
144 return NT_STATUS_NO_MEMORY;
145 }
146
147 aliases = NULL;
148 num_aliases = 0;
149
150 status = pdb_enum_alias_memberships(tmp_ctx, domain_sid,
151 token->sids,
152 token->num_sids,
153 &aliases, &num_aliases);
154
155 if (!NT_STATUS_IS_OK(status)) {
156 DEBUG(10, ("pdb_enum_alias_memberships failed: %s\n",
157 nt_errstr(status)));
158 goto done;
159 }
160
161 for (i=0; i<num_aliases; i++) {
162 struct dom_sid alias_sid;
163 sid_compose(&alias_sid, domain_sid, aliases[i]);
164 status = add_sid_to_array_unique(token, &alias_sid,
165 &token->sids,
166 &token->num_sids);
167 if (!NT_STATUS_IS_OK(status)) {
168 DEBUG(0, ("add_sid_to_array failed\n"));
169 goto done;
170 }
171 }
172
173 done:
174 TALLOC_FREE(tmp_ctx);
175 return NT_STATUS_OK;
176 }
177
178 /*******************************************************************
179 *******************************************************************/
180
181 static NTSTATUS add_builtin_administrators(struct security_token *token,
182 const struct dom_sid *dom_sid)
183 {
184 struct dom_sid domadm;
185 NTSTATUS status;
186
187 /* nothing to do if we aren't in a domain */
188
189 if ( !(IS_DC || lp_server_role()==ROLE_DOMAIN_MEMBER) ) {
190 return NT_STATUS_OK;
191 }
192
193 /* Find the Domain Admins SID */
194
195 if ( IS_DC ) {
196 sid_copy( &domadm, get_global_sam_sid() );
197 } else {
198 if (dom_sid == NULL) {
199 return NT_STATUS_INVALID_PARAMETER_MIX;
200 }
201 sid_copy(&domadm, dom_sid);
202 }
203 sid_append_rid( &domadm, DOMAIN_RID_ADMINS );
204
205 /* Add Administrators if the user beloongs to Domain Admins */
206
207 if ( nt_token_check_sid( &domadm, token ) ) {
208 status = add_sid_to_array(token,
209 &global_sid_Builtin_Administrators,
210 &token->sids, &token->num_sids);
211 if (!NT_STATUS_IS_OK(status)) {
212 return status;
213 }
214 }
215
216 return NT_STATUS_OK;
217 }
218
219 static NTSTATUS add_builtin_guests(struct security_token *token,
220 const struct dom_sid *dom_sid)
221 {
222 struct dom_sid tmp_sid;
223 NTSTATUS status;
224
225 /*
226 * First check the local GUEST account.
227 */
228 sid_compose(&tmp_sid, get_global_sam_sid(), DOMAIN_RID_GUEST);
229
230 if (nt_token_check_sid(&tmp_sid, token)) {
231 status = add_sid_to_array_unique(token,
232 &global_sid_Builtin_Guests,
233 &token->sids, &token->num_sids);
234 if (!NT_STATUS_IS_OK(status)) {
235 return status;
236 }
237
238 return NT_STATUS_OK;
239 }
240
241 /*
242 * First check the local GUESTS group.
243 */
244 sid_compose(&tmp_sid, get_global_sam_sid(), DOMAIN_RID_GUESTS);
245
246 if (nt_token_check_sid(&tmp_sid, token)) {
247 status = add_sid_to_array_unique(token,
248 &global_sid_Builtin_Guests,
249 &token->sids, &token->num_sids);
250 if (!NT_STATUS_IS_OK(status)) {
251 return status;
252 }
253
254 return NT_STATUS_OK;
255 }
256
257 if (lp_server_role() != ROLE_DOMAIN_MEMBER) {
258 return NT_STATUS_OK;
259 }
260
261 if (dom_sid == NULL) {
262 return NT_STATUS_INVALID_PARAMETER_MIX;
263 }
264
265 /*
266 * First check the domain GUESTS group.
267 */
268 sid_copy(&tmp_sid, dom_sid);
269 sid_append_rid(&tmp_sid, DOMAIN_RID_GUESTS);
270
271 if (nt_token_check_sid(&tmp_sid, token)) {
272 status = add_sid_to_array_unique(token,
273 &global_sid_Builtin_Guests,
274 &token->sids, &token->num_sids);
275 if (!NT_STATUS_IS_OK(status)) {
276 return status;
277 }
278
279 return NT_STATUS_OK;
280 }
281
282 return NT_STATUS_OK;
283 }
284
285 static NTSTATUS add_local_groups(struct security_token *result,
286 bool is_guest);
287
288 NTSTATUS get_user_sid_info3_and_extra(const struct netr_SamInfo3 *info3,
289 const struct extra_auth_info *extra,
290 struct dom_sid *sid)
291 {
292 /* USER SID */
293 if (info3->base.rid == (uint32_t)(-1)) {
294 /* this is a signal the user was fake and generated,
295 * the actual SID we want to use is stored in the extra
296 * sids */
297 if (is_null_sid(&extra->user_sid)) {
298 /* we couldn't find the user sid, bail out */
299 DEBUG(3, ("Invalid user SID\n"));
300 return NT_STATUS_UNSUCCESSFUL;
301 }
302 sid_copy(sid, &extra->user_sid);
303 } else {
304 sid_copy(sid, info3->base.domain_sid);
305 sid_append_rid(sid, info3->base.rid);
306 }
307 return NT_STATUS_OK;
308 }
309
310 static struct security_token *init_local_nt_token(TALLOC_CTX *mem_ctx)
311 {
312 /*
313 * We do not have a method to populate the claims into this
314 * buffer in the source3/ stack. When that changes, we will
315 * instead make this optional based on lp_acl_claims_evaluation()
316 */
317
318 struct security_token *result
319 = security_token_initialise(mem_ctx,
320 CLAIMS_EVALUATION_NEVER);
321
322 if (result == NULL) {
323 DBG_ERR("talloc failed for security_token\n");
324 return NULL;
325 }
326
327 return result;
328 }
329
330 NTSTATUS create_local_nt_token_from_info3(TALLOC_CTX *mem_ctx,
331 bool is_guest,
332 const struct netr_SamInfo3 *info3,
333 const struct extra_auth_info *extra,
334 struct security_token **ntok)
335 {
336 struct security_token *usrtok = NULL;
337 uint32_t session_info_flags = 0;
338 NTSTATUS status;
339 uint32_t i;
340
341 DEBUG(10, ("Create local NT token for %s\n",
342 info3->base.account_name.string));
343
344 usrtok = init_local_nt_token(mem_ctx);
345 if (!usrtok) {
346 return NT_STATUS_NO_MEMORY;
347 }
348
349 /* Add the user and primary group sid FIRST */
350 /* check if the user rid is the special "Domain Guests" rid.
351 * If so pick the first sid for the extra sids instead as it
352 * is a local fake account */
353 usrtok->sids = talloc_array(usrtok, struct dom_sid, 2);
354 if (!usrtok->sids) {
355 TALLOC_FREE(usrtok);
356 return NT_STATUS_NO_MEMORY;
357 }
358 usrtok->num_sids = 2;
359
360 status = get_user_sid_info3_and_extra(info3, extra, &usrtok->sids[0]);
361 if (!NT_STATUS_IS_OK(status)) {
362 TALLOC_FREE(usrtok);
363 return status;
364 }
365
366 /* GROUP SID */
367 if (info3->base.primary_gid == (uint32_t)(-1)) {
368 /* this is a signal the user was fake and generated,
369 * the actual SID we want to use is stored in the extra
370 * sids */
371 if (is_null_sid(&extra->pgid_sid)) {
372 /* we couldn't find the user sid, bail out */
373 DEBUG(3, ("Invalid group SID\n"));
374 TALLOC_FREE(usrtok);
375 return NT_STATUS_UNSUCCESSFUL;
376 }
377 sid_copy(&usrtok->sids[1], &extra->pgid_sid);
378 } else {
379 sid_copy(&usrtok->sids[1], info3->base.domain_sid);
380 sid_append_rid(&usrtok->sids[1],
381 info3->base.primary_gid);
382 }
383
384 /* Now the SIDs we got from authentication. These are the ones from
385 * the info3 struct or from the pdb_enum_group_memberships, depending
386 * on who authenticated the user.
387 * Note that we start the for loop at "1" here, we already added the
388 * first group sid as primary above. */
389
390 for (i = 0; i < info3->base.groups.count; i++) {
391 struct dom_sid tmp_sid;
392
393 sid_copy(&tmp_sid, info3->base.domain_sid);
394 sid_append_rid(&tmp_sid, info3->base.groups.rids[i].rid);
395
396 status = add_sid_to_array_unique(usrtok, &tmp_sid,
397 &usrtok->sids,
398 &usrtok->num_sids);
399 if (!NT_STATUS_IS_OK(status)) {
400 DEBUG(3, ("Failed to add SID to nt token\n"));
401 TALLOC_FREE(usrtok);
402 return status;
403 }
404 }
405
406 /* now also add extra sids if they are not the special user/group
407 * sids */
408 for (i = 0; i < info3->sidcount; i++) {
409 status = add_sid_to_array_unique(usrtok,
410 info3->sids[i].sid,
411 &usrtok->sids,
412 &usrtok->num_sids);
413 if (!NT_STATUS_IS_OK(status)) {
414 DEBUG(3, ("Failed to add SID to nt token\n"));
415 TALLOC_FREE(usrtok);
416 return status;
417 }
418 }
419
420 status = add_local_groups(usrtok, is_guest);
421 if (!NT_STATUS_IS_OK(status)) {
422 DEBUG(3, ("Failed to add local groups\n"));
423 TALLOC_FREE(usrtok);
424 return status;
425 }
426
427 session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
428 if (!is_guest) {
429 session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
430 }
431
432 status = finalize_local_nt_token(usrtok, session_info_flags);
433 if (!NT_STATUS_IS_OK(status)) {
434 DEBUG(3, ("Failed to finalize nt token\n"));
435 TALLOC_FREE(usrtok);
436 return status;
437 }
438
439 *ntok = usrtok;
440 return NT_STATUS_OK;
441 }
442
443 /*******************************************************************
444 Create a NT token for the user, expanding local aliases
445 *******************************************************************/
446
447 NTSTATUS create_local_nt_token(TALLOC_CTX *mem_ctx,
448 const struct dom_sid *user_sid,
449 bool is_guest,
450 int num_groupsids,
451 const struct dom_sid *groupsids,
452 struct security_token **token)
453 {
454 struct security_token *result = NULL;
455 int i;
456 NTSTATUS status;
457 uint32_t session_info_flags = 0;
458 struct dom_sid_buf buf;
459
460 DEBUG(10, ("Create local NT token for %s\n",
461 dom_sid_str_buf(user_sid, &buf)));
462
463 result = init_local_nt_token(mem_ctx);
464 if (result == NULL) {
465 status = NT_STATUS_NO_MEMORY;
466 goto err;
467 }
468
469 /* Add the user and primary group sid */
470
471 status = add_sid_to_array(result, user_sid,
472 &result->sids, &result->num_sids);
473 if (!NT_STATUS_IS_OK(status)) {
474 goto err;
475 }
476
477 /* For guest, num_groupsids may be zero. */
478 if (num_groupsids) {
479 status = add_sid_to_array(result, &groupsids[0],
480 &result->sids,
481 &result->num_sids);
482 if (!NT_STATUS_IS_OK(status)) {
483 goto err;
484 }
485 }
486
487 /* Now the SIDs we got from authentication. These are the ones from
488 * the info3 struct or from the pdb_enum_group_memberships, depending
489 * on who authenticated the user.
490 * Note that we start the for loop at "1" here, we already added the
491 * first group sid as primary above. */
492
493 for (i=1; i<num_groupsids; i++) {
494 status = add_sid_to_array_unique(result, &groupsids[i],
495 &result->sids,
496 &result->num_sids);
497 if (!NT_STATUS_IS_OK(status)) {
498 goto err;
499 }
500 }
501
502 status = add_local_groups(result, is_guest);
503 if (!NT_STATUS_IS_OK(status)) {
504 goto err;
505 }
506
507 session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
508 if (!is_guest) {
509 session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
510 }
511
512 status = finalize_local_nt_token(result, session_info_flags);
513 if (!NT_STATUS_IS_OK(status)) {
514 goto err;
515 }
516
517 if (is_guest) {
518 /*
519 * It's ugly, but for now it's
520 * needed to add Builtin_Guests
521 * here, the "local" token only
522 * consist of S-1-22-* SIDs
523 * and finalize_local_nt_token()
524 * doesn't have the chance to
525 * to detect it need to
526 * add Builtin_Guests via
527 * add_builtin_guests().
528 */
529 status = add_sid_to_array_unique(result,
530 &global_sid_Builtin_Guests,
531 &result->sids,
532 &result->num_sids);
533 if (!NT_STATUS_IS_OK(status)) {
534 DEBUG(3, ("Failed to add SID to nt token\n"));
535 goto err;
536 }
537 }
538
539 *token = result;
540 return NT_STATUS_SUCCESS;
541
542 err:
543 TALLOC_FREE(result);
544 return status;
545 }
546
547 /***************************************************
548 Merge in any groups from /etc/group.
549 ***************************************************/
550
551 static NTSTATUS add_local_groups(struct security_token *result,
552 bool is_guest)
553 {
554 gid_t *gids = NULL;
555 uint32_t getgroups_num_group_sids = 0;
556 struct passwd *pass = NULL;
557 TALLOC_CTX *tmp_ctx = talloc_stackframe();
558 uint32_t i;
559
560 if (is_guest) {
561 /*
562 * Guest is a special case. It's always
563 * a user that can be looked up, but
564 * result->sids[0] is set to DOMAIN\Guest.
565 * Lookup by account name instead.
566 */
567 pass = Get_Pwnam_alloc(tmp_ctx, lp_guest_account());
568 } else {
569 uid_t uid;
570
571 /* For non-guest result->sids[0] is always the user sid. */
572 if (!sid_to_uid(&result->sids[0], &uid)) {
573 /*
574 * Non-mappable SID like SYSTEM.
575 * Can't be in any /etc/group groups.
576 */
577 TALLOC_FREE(tmp_ctx);
578 return NT_STATUS_OK;
579 }
580
581 pass = getpwuid_alloc(tmp_ctx, uid);
582 if (pass == NULL) {
583 struct dom_sid_buf buf;
584 DBG_ERR("SID %s -> getpwuid(%u) failed, is nsswitch configured?\n",
585 dom_sid_str_buf(&result->sids[0], &buf),
586 (unsigned int)uid);
587 TALLOC_FREE(tmp_ctx);
588 return NT_STATUS_NO_SUCH_USER;
589 }
590 }
591
592 if (!pass) {
593 TALLOC_FREE(tmp_ctx);
594 return NT_STATUS_UNSUCCESSFUL;
595 }
596
597 /*
598 * Now we must get any groups this user has been
599 * added to in /etc/group and merge them in.
600 * This has to be done in every code path
601 * that creates an NT token, as remote users
602 * may have been added to the local /etc/group
603 * database. Tokens created merely from the
604 * info3 structs (via the DC or via the krb5 PAC)
605 * won't have these local groups. Note the
606 * groups added here will only be UNIX groups
607 * (S-1-22-2-XXXX groups) as getgroups_unix_user()
608 * turns off winbindd before calling getgroups().
609 *
610 * NB. This is duplicating work already
611 * done in the 'unix_user:' case of
612 * create_token_from_sid() but won't
613 * do anything other than be inefficient
614 * in that case.
615 */
616
617 if (!getgroups_unix_user(tmp_ctx, pass->pw_name, pass->pw_gid,
618 &gids, &getgroups_num_group_sids)) {
619 DEBUG(1, ("getgroups_unix_user for user %s failed\n",
620 pass->pw_name));
621 TALLOC_FREE(tmp_ctx);
622 return NT_STATUS_UNSUCCESSFUL;
623 }
624
625 for (i=0; i<getgroups_num_group_sids; i++) {
626 NTSTATUS status;
627 struct dom_sid grp_sid;
628 gid_to_sid(&grp_sid, gids[i]);
629
630 status = add_sid_to_array_unique(result,
631 &grp_sid,
632 &result->sids,
633 &result->num_sids);
634 if (!NT_STATUS_IS_OK(status)) {
635 DEBUG(3, ("Failed to add UNIX SID to nt token\n"));
636 TALLOC_FREE(tmp_ctx);
637 return status;
638 }
639 }
640 TALLOC_FREE(tmp_ctx);
641 return NT_STATUS_OK;
642 }
643
644 NTSTATUS finalize_local_nt_token(struct security_token *result,
645 uint32_t session_info_flags)
646 {
647 struct dom_sid _dom_sid = { 0, };
648 struct dom_sid *domain_sid = NULL;
649 NTSTATUS status;
650 struct acct_info *info;
651 bool ok;
652
653 result->privilege_mask = 0;
654 result->rights_mask = 0;
655
656 if (result->num_sids == 0) {
657 return NT_STATUS_INVALID_TOKEN;
658 }
659
660 if (session_info_flags & AUTH_SESSION_INFO_DEFAULT_GROUPS) {
661 status = add_sid_to_array(result, &global_sid_World,
662 &result->sids, &result->num_sids);
663 if (!NT_STATUS_IS_OK(status)) {
664 return status;
665 }
666 status = add_sid_to_array(result, &global_sid_Network,
667 &result->sids, &result->num_sids);
668 if (!NT_STATUS_IS_OK(status)) {
669 return status;
670 }
671 }
672
673 /*
674 * Don't expand nested groups of system, anonymous etc
675 *
676 * Note that they still get SID_WORLD and SID_NETWORK
677 * for now in order let existing tests pass.
678 *
679 * But SYSTEM doesn't get AUTHENTICATED_USERS
680 * and ANONYMOUS doesn't get BUILTIN GUESTS anymore.
681 */
682 if (security_token_is_anonymous(result)) {
683 return NT_STATUS_OK;
684 }
685 if (security_token_is_system(result)) {
686 result->privilege_mask = ~0;
687 return NT_STATUS_OK;
688 }
689
690 if (session_info_flags & AUTH_SESSION_INFO_AUTHENTICATED) {
691 status = add_sid_to_array(result,
692 &global_sid_Authenticated_Users,
693 &result->sids,
694 &result->num_sids);
695 if (!NT_STATUS_IS_OK(status)) {
696 return status;
697 }
698 }
699
700 /* Add in BUILTIN sids */
701
702 become_root();
703 ok = secrets_fetch_domain_sid(lp_workgroup(), &_dom_sid);
704 if (ok) {
705 domain_sid = &_dom_sid;
706 } else {
707 DEBUG(3, ("Failed to fetch domain sid for %s\n",
708 lp_workgroup()));
709 }
710 unbecome_root();
711
712 info = talloc_zero(talloc_tos(), struct acct_info);
713 if (info == NULL) {
714 DEBUG(0, ("talloc failed!\n"));
715 return NT_STATUS_NO_MEMORY;
716 }
717
718 /* Deal with the BUILTIN\Administrators group. If the SID can
719 be resolved then assume that the add_aliasmem( S-1-5-32 )
720 handled it. */
721
722 status = pdb_get_aliasinfo(&global_sid_Builtin_Administrators, info);
723 if (!NT_STATUS_IS_OK(status)) {
724
725 become_root();
726 status = create_builtin_administrators(domain_sid);
727 unbecome_root();
728
729 if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE)) {
730 /* Add BUILTIN\Administrators directly to token. */
731 status = add_builtin_administrators(result, domain_sid);
732 if ( !NT_STATUS_IS_OK(status) ) {
733 DEBUG(3, ("Failed to check for local "
734 "Administrators membership (%s)\n",
735 nt_errstr(status)));
736 }
737 } else if (!NT_STATUS_IS_OK(status)) {
738 DEBUG(2, ("WARNING: Failed to create "
739 "BUILTIN\\Administrators group! Can "
740 "Winbind allocate gids?\n"));
741 }
742 }
743
744 /* Deal with the BUILTIN\Users group. If the SID can
745 be resolved then assume that the add_aliasmem( S-1-5-32 )
746 handled it. */
747
748 status = pdb_get_aliasinfo(&global_sid_Builtin_Users, info);
749 if (!NT_STATUS_IS_OK(status)) {
750
751 become_root();
752 status = create_builtin_users(domain_sid);
753 unbecome_root();
754
755 if (!NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE) &&
756 !NT_STATUS_IS_OK(status))
757 {
758 DEBUG(2, ("WARNING: Failed to create BUILTIN\\Users group! "
759 "Can Winbind allocate gids?\n"));
760 }
761 }
762
763 /*
764 * Deal with the BUILTIN\Guests group. If the SID can
765 * be resolved then assume that the add_aliasmem( S-1-5-32 )
766 * handled it.
767 */
768 status = pdb_get_aliasinfo(&global_sid_Builtin_Guests, info);
769 if (!NT_STATUS_IS_OK(status)) {
770
771 become_root();
772 status = create_builtin_guests(domain_sid);
773 unbecome_root();
774
775 /*
776 * NT_STATUS_PROTOCOL_UNREACHABLE:
777 * => winbindd is not running.
778 *
779 * NT_STATUS_ACCESS_DENIED:
780 * => no idmap config at all
781 * and wbint_AllocateGid()/winbind_allocate_gid()
782 * failed.
783 *
784 * NT_STATUS_NO_SUCH_GROUP:
785 * => no idmap config at all and
786 * "tdbsam:map builtin = no" means
787 * wbint_Sids2UnixIDs() fails.
788 */
789 if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE) ||
790 NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
791 NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_GROUP)) {
792 /*
793 * Add BUILTIN\Guests directly to token.
794 * But only if the token already indicates
795 * real guest access by:
796 * - local GUEST account
797 * - local GUESTS group
798 * - domain GUESTS group
799 *
800 * Even if a user was authenticated, it
801 * can be member of a guest related group.
802 */
803 status = add_builtin_guests(result, domain_sid);
804 if (!NT_STATUS_IS_OK(status)) {
805 DEBUG(3, ("Failed to check for local "
806 "Guests membership (%s)\n",
807 nt_errstr(status)));
808 /*
809 * This is a hard error.
810 */
811 return status;
812 }
813 } else if (!NT_STATUS_IS_OK(status)) {
814 DEBUG(2, ("Failed to create "
815 "BUILTIN\\Guests group %s! Can "
816 "Winbind allocate gids?\n",
817 nt_errstr(status)));
818 /*
819 * This is a hard error.
820 */
821 return status;
822 }
823 }
824
825 TALLOC_FREE(info);
826
827 /* Deal with local groups */
828
829 if (lp_winbind_nested_groups()) {
830
831 become_root();
832
833 /* Now add the aliases. First the one from our local SAM */
834
835 status = add_aliases(get_global_sam_sid(), result);
836
837 if (!NT_STATUS_IS_OK(status)) {
838 unbecome_root();
839 return status;
840 }
841
842 /* Finally the builtin ones */
843
844 status = add_aliases(&global_sid_Builtin, result);
845
846 if (!NT_STATUS_IS_OK(status)) {
847 unbecome_root();
848 return status;
849 }
850
851 unbecome_root();
852 }
853
854 if (session_info_flags & AUTH_SESSION_INFO_NTLM) {
855 struct dom_sid tmp_sid = { 0, };
856
857 ok = dom_sid_parse(SID_NT_NTLM_AUTHENTICATION, &tmp_sid);
858 if (!ok) {
859 return NT_STATUS_NO_MEMORY;
860 }
861
862 status = add_sid_to_array(result,
863 &tmp_sid,
864 &result->sids,
865 &result->num_sids);
866 if (!NT_STATUS_IS_OK(status)) {
867 return status;
868 }
869 }
870
871 if (session_info_flags & AUTH_SESSION_INFO_SIMPLE_PRIVILEGES) {
872 if (security_token_has_builtin_administrators(result)) {
873 result->privilege_mask = ~0;
874 }
875 } else {
876 /* Add privileges based on current user sids */
877 get_privileges_for_sids(&result->privilege_mask, result->sids,
878 result->num_sids);
879 }
880
881 return NT_STATUS_OK;
882 }
883
884 /****************************************************************************
885 prints a UNIX 'token' to debug output.
886 ****************************************************************************/
887
888 void debug_unix_user_token(int dbg_class, int dbg_lev, uid_t uid, gid_t gid,
889 int n_groups, gid_t *groups)
890 {
891 TALLOC_CTX *frame = talloc_stackframe();
892 char *s = NULL;
893 int i;
894
895 s = talloc_asprintf(frame,
896 "UNIX token of user %ld\n",
897 (long int)uid);
898
899 talloc_asprintf_addbuf(
900 &s,
901 "Primary group is %ld and contains %i supplementary "
902 "groups\n",
903 (long int)gid,
904 n_groups);
905 for (i = 0; i < n_groups; i++) {
906 talloc_asprintf_addbuf(&s,
907 "Group[%3i]: %ld\n",
908 i,
909 (long int)groups[i]);
910 }
911
912 DEBUGC(dbg_class, dbg_lev, ("%s", s ? s : "(NULL)"));
913 TALLOC_FREE(frame);
914 }
915
916 /*
917 * Create an artificial NT token given just a domain SID.
918 *
919 * We have 3 cases:
920 *
921 * unmapped unix users: Go directly to nss to find the user's group.
922 *
923 * A passdb user: The list of groups is provided by pdb_enum_group_memberships.
924 *
925 * If the user is provided by winbind, the primary gid is set to "domain
926 * users" of the user's domain. For an explanation why this is necessary, see
927 * the thread starting at
928 * http://lists.samba.org/archive/samba-technical/2006-January/044803.html.
929 */
930
931 static NTSTATUS create_token_from_sid(TALLOC_CTX *mem_ctx,
932 const struct dom_sid *user_sid,
933 bool is_guest,
934 uid_t *uid, gid_t *gid,
935 char **found_username,
936 struct security_token **token)
937 {
938 NTSTATUS result = NT_STATUS_NO_SUCH_USER;
939 TALLOC_CTX *tmp_ctx = talloc_stackframe();
940 gid_t *gids;
941 struct dom_sid *group_sids;
942 struct dom_sid tmp_sid;
943 uint32_t num_group_sids;
944 uint32_t num_gids;
945 uint32_t i;
946 uint32_t high, low;
947 bool range_ok;
948 struct dom_sid_buf buf;
949
950 if (sid_check_is_in_our_sam(user_sid)) {
951 bool ret;
952 uint32_t pdb_num_group_sids;
953 /* This is a passdb user, so ask passdb */
954
955 struct samu *sam_acct = NULL;
956
957 if ( !(sam_acct = samu_new( tmp_ctx )) ) {
958 result = NT_STATUS_NO_MEMORY;
959 goto done;
960 }
961
962 become_root();
963 ret = pdb_getsampwsid(sam_acct, user_sid);
964 unbecome_root();
965
966 if (!ret) {
967 DEBUG(1, ("pdb_getsampwsid(%s) failed\n",
968 dom_sid_str_buf(user_sid, &buf)));
969 DEBUGADD(1, ("Fall back to unix user\n"));
970 goto unix_user;
971 }
972
973 result = pdb_enum_group_memberships(tmp_ctx, sam_acct,
974 &group_sids, &gids,
975 &pdb_num_group_sids);
976 if (!NT_STATUS_IS_OK(result)) {
977 DEBUG(1, ("enum_group_memberships failed for %s: "
978 "%s\n",
979 dom_sid_str_buf(user_sid, &buf),
980 nt_errstr(result)));
981 DEBUGADD(1, ("Fall back to unix uid lookup\n"));
982 goto unix_user;
983 }
984 num_group_sids = pdb_num_group_sids;
985
986 /* see the smb_panic() in pdb_default_enum_group_memberships */
987 SMB_ASSERT(num_group_sids > 0);
988
989 /* Ensure we're returning the found_username on the right context. */
990 *found_username = talloc_strdup(mem_ctx,
991 pdb_get_username(sam_acct));
992
993 if (*found_username == NULL) {
994 result = NT_STATUS_NO_MEMORY;
995 goto done;
996 }
997
998 /*
999 * If the SID from lookup_name() was the guest sid, passdb knows
1000 * about the mapping of guest sid to lp_guest_account()
1001 * username and will return the unix_pw info for a guest
1002 * user. Use it if it's there, else lookup the *uid details
1003 * using Get_Pwnam_alloc(). See bug #6291 for details. JRA.
1004 */
1005
1006 /* We must always assign the *uid. */
1007 if (sam_acct->unix_pw == NULL) {
1008 struct passwd *pwd = Get_Pwnam_alloc(sam_acct, *found_username );
1009 if (!pwd) {
1010 DEBUG(10, ("Get_Pwnam_alloc failed for %s\n",
1011 *found_username));
1012 result = NT_STATUS_NO_SUCH_USER;
1013 goto done;
1014 }
1015 result = samu_set_unix(sam_acct, pwd );
1016 if (!NT_STATUS_IS_OK(result)) {
1017 DEBUG(10, ("samu_set_unix failed for %s\n",
1018 *found_username));
1019 result = NT_STATUS_NO_SUCH_USER;
1020 goto done;
1021 }
1022 }
1023 *uid = sam_acct->unix_pw->pw_uid;
1024
1025 } else if (sid_check_is_in_unix_users(user_sid)) {
1026 uint32_t getgroups_num_group_sids;
1027 /* This is a unix user not in passdb. We need to ask nss
1028 * directly, without consulting passdb */
1029
1030 struct passwd *pass;
1031
1032 /*
1033 * This goto target is used as a fallback for the passdb
1034 * case. The concrete bug report is when passdb gave us an
1035 * unmapped gid.
1036 */
1037
1038 unix_user:
1039
1040 if (!sid_to_uid(user_sid, uid)) {
1041 DEBUG(1, ("unix_user case, sid_to_uid for %s failed\n",
1042 dom_sid_str_buf(user_sid, &buf)));
1043 result = NT_STATUS_NO_SUCH_USER;
1044 goto done;
1045 }
1046
1047 uid_to_unix_users_sid(*uid, &tmp_sid);
1048 user_sid = &tmp_sid;
1049
1050 pass = getpwuid_alloc(tmp_ctx, *uid);
1051 if (pass == NULL) {
1052 DEBUG(1, ("getpwuid(%u) failed\n",
1053 (unsigned int)*uid));
1054 goto done;
1055 }
1056
1057 if (!getgroups_unix_user(tmp_ctx, pass->pw_name, pass->pw_gid,
1058 &gids, &getgroups_num_group_sids)) {
1059 DEBUG(1, ("getgroups_unix_user for user %s failed\n",
1060 pass->pw_name));
1061 goto done;
1062 }
1063 num_group_sids = getgroups_num_group_sids;
1064
1065 group_sids = talloc_array(tmp_ctx, struct dom_sid, num_group_sids);
1066 if (group_sids == NULL) {
1067 DEBUG(1, ("talloc_array failed\n"));
1068 result = NT_STATUS_NO_MEMORY;
1069 goto done;
1070 }
1071
1072 for (i=0; i<num_group_sids; i++) {
1073 gid_to_sid(&group_sids[i], gids[i]);
1074 }
1075
1076 /* In getgroups_unix_user we always set the primary gid */
1077 SMB_ASSERT(num_group_sids > 0);
1078
1079 /* Ensure we're returning the found_username on the right context. */
1080 *found_username = talloc_strdup(mem_ctx, pass->pw_name);
1081 if (*found_username == NULL) {
1082 result = NT_STATUS_NO_MEMORY;
1083 goto done;
1084 }
1085 } else {
1086
1087 /* This user is from winbind, force the primary gid to the
1088 * user's "domain users" group. Under certain circumstances
1089 * (user comes from NT4), this might be a loss of
1090 * information. But we can not rely on winbind getting the
1091 * correct info. AD might prohibit winbind looking up that
1092 * information. */
1093
1094 /* We must always assign the *uid. */
1095 if (!sid_to_uid(user_sid, uid)) {
1096 DEBUG(1, ("winbindd case, sid_to_uid for %s failed\n",
1097 dom_sid_str_buf(user_sid, &buf)));
1098 result = NT_STATUS_NO_SUCH_USER;
1099 goto done;
1100 }
1101
1102 num_group_sids = 1;
1103 group_sids = talloc_array(tmp_ctx, struct dom_sid, num_group_sids);
1104 if (group_sids == NULL) {
1105 DEBUG(1, ("talloc_array failed\n"));
1106 result = NT_STATUS_NO_MEMORY;
1107 goto done;
1108 }
1109
1110 gids = talloc_array(tmp_ctx, gid_t, num_group_sids);
1111 if (gids == NULL) {
1112 result = NT_STATUS_NO_MEMORY;
1113 goto done;
1114 }
1115
1116 sid_copy(&group_sids[0], user_sid);
1117 sid_split_rid(&group_sids[0], NULL);
1118 sid_append_rid(&group_sids[0], DOMAIN_RID_USERS);
1119
1120 if (!sid_to_gid(&group_sids[0], &gids[0])) {
1121 DEBUG(1, ("sid_to_gid(%s) failed\n",
1122 dom_sid_str_buf(&group_sids[0], &buf)));
1123 goto done;
1124 }
1125
1126 *found_username = NULL;
1127 }
1128
1129 *gid = gids[0];
1130
1131 /* Add the "Unix Group" SID for each gid to catch mapped groups
1132 and their Unix equivalent. This is to solve the backwards
1133 compatibility problem of 'valid users = +ntadmin' where
1134 ntadmin has been paired with "Domain Admins" in the group
1135 mapping table. Otherwise smb.conf would need to be changed
1136 to 'valid user = "Domain Admins"'. --jerry */
1137
1138 num_gids = num_group_sids;
1139 range_ok = lp_idmap_default_range(&low, &high);
1140 for ( i=0; i<num_gids; i++ ) {
1141 struct dom_sid unix_group_sid;
1142
1143 /* don't pickup anything managed by Winbind */
1144 if (range_ok && (gids[i] >= low) && (gids[i] <= high)) {
1145 continue;
1146 }
1147
1148 gid_to_unix_groups_sid(gids[i], &unix_group_sid);
1149
1150 result = add_sid_to_array_unique(tmp_ctx, &unix_group_sid,
1151 &group_sids, &num_group_sids);
1152 if (!NT_STATUS_IS_OK(result)) {
1153 goto done;
1154 }
1155 }
1156
1157 /* Ensure we're creating the nt_token on the right context. */
1158 result = create_local_nt_token(mem_ctx, user_sid,
1159 is_guest, num_group_sids, group_sids, token);
1160
1161 if (!NT_STATUS_IS_OK(result)) {
1162 goto done;
1163 }
1164
1165 result = NT_STATUS_OK;
1166 done:
1167 TALLOC_FREE(tmp_ctx);
1168 return result;
1169 }
1170
1171 /*
1172 * Create an artificial NT token given just a username. (Initially intended
1173 * for force user)
1174 *
1175 * We go through lookup_name() to avoid problems we had with 'winbind use
1176 * default domain'.
1177 *
1178 * We have 3 cases:
1179 *
1180 * unmapped unix users: Go directly to nss to find the user's group.
1181 *
1182 * A passdb user: The list of groups is provided by pdb_enum_group_memberships.
1183 *
1184 * If the user is provided by winbind, the primary gid is set to "domain
1185 * users" of the user's domain. For an explanation why this is necessary, see
1186 * the thread starting at
1187 * http://lists.samba.org/archive/samba-technical/2006-January/044803.html.
1188 */
1189
1190 NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
1191 bool is_guest,
1192 uid_t *uid, gid_t *gid,
1193 char **found_username,
1194 struct security_token **token)
1195 {
1196 NTSTATUS result = NT_STATUS_NO_SUCH_USER;
1197 TALLOC_CTX *tmp_ctx = talloc_stackframe();
1198 struct dom_sid user_sid;
1199 enum lsa_SidType type;
1200
1201 if (!lookup_name_smbconf(tmp_ctx, username, LOOKUP_NAME_ALL,
1202 NULL, NULL, &user_sid, &type)) {
1203 DEBUG(1, ("lookup_name_smbconf for %s failed\n", username));
1204 goto done;
1205 }
1206
1207 if (type != SID_NAME_USER) {
1208 DEBUG(1, ("%s is a %s, not a user\n", username,
1209 sid_type_lookup(type)));
1210 goto done;
1211 }
1212
1213 result = create_token_from_sid(mem_ctx, &user_sid, is_guest, uid, gid, found_username, token);
1214
1215 if (!NT_STATUS_IS_OK(result)) {
1216 goto done;
1217 }
1218
1219 /*
1220 * If result == NT_STATUS_OK then
1221 * we know we have a valid token. Ensure
1222 * we also have a valid username to match.
1223 */
1224
1225 if (*found_username == NULL) {
1226 *found_username = talloc_strdup(mem_ctx, username);
1227 if (*found_username == NULL) {
1228 result = NT_STATUS_NO_MEMORY;
1229 }
1230 }
1231
1232 done:
1233 TALLOC_FREE(tmp_ctx);
1234 return result;
1235 }
1236
1237 /***************************************************************************
1238 Build upon create_token_from_sid:
1239
1240 Expensive helper function to figure out whether a user given its sid is
1241 member of a particular group.
1242 ***************************************************************************/
1243
1244 bool user_sid_in_group_sid(const struct dom_sid *sid, const struct dom_sid *group_sid)
1245 {
1246 NTSTATUS status;
1247 uid_t uid;
1248 gid_t gid;
1249 char *found_username;
1250 struct security_token *token;
1251 bool result = false;
1252 enum lsa_SidType type;
1253 TALLOC_CTX *mem_ctx = talloc_stackframe();
1254 struct dom_sid_buf buf;
1255
1256 if (!lookup_sid(mem_ctx, sid,
1257 NULL, NULL, &type)) {
1258 DEBUG(1, ("lookup_sid for %s failed\n",
1259 dom_sid_str_buf(sid, &buf)));
1260 goto done;
1261 }
1262
1263 if (type != SID_NAME_USER) {
1264 DEBUG(5, ("%s is a %s, not a user\n",
1265 dom_sid_str_buf(sid, &buf),
1266 sid_type_lookup(type)));
1267 goto done;
1268 }
1269
1270 status = create_token_from_sid(mem_ctx, sid, False,
1271 &uid, &gid, &found_username,
1272 &token);
1273
1274 if (!NT_STATUS_IS_OK(status)) {
1275 DEBUG(10, ("could not create token for %s\n",
1276 dom_sid_str_buf(sid, &buf)));
1277 goto done;
1278 }
1279
1280 result = security_token_has_sid(token, group_sid);
1281
1282 done:
1283 TALLOC_FREE(mem_ctx);
1284 return result;
1285 }
1286
1287 /***************************************************************************
1288 Build upon create_token_from_username:
1289
1290 Expensive helper function to figure out whether a user given its name is
1291 member of a particular group.
1292 ***************************************************************************/
1293
1294 bool user_in_group_sid(const char *username, const struct dom_sid *group_sid)
1295 {
1296 NTSTATUS status;
1297 uid_t uid;
1298 gid_t gid;
1299 char *found_username;
1300 struct security_token *token;
1301 bool result;
1302 TALLOC_CTX *mem_ctx = talloc_stackframe();
1303
1304 status = create_token_from_username(mem_ctx, username, False,
1305 &uid, &gid, &found_username,
1306 &token);
1307
1308 if (!NT_STATUS_IS_OK(status)) {
1309 DEBUG(10, ("could not create token for %s\n", username));
1310 TALLOC_FREE(mem_ctx);
1311 return False;
1312 }
1313
1314 result = security_token_has_sid(token, group_sid);
1315
1316 TALLOC_FREE(mem_ctx);
1317 return result;
1318 }
1319
1320 bool user_in_group(const char *username, const char *groupname)
1321 {
1322 TALLOC_CTX *mem_ctx = talloc_stackframe();
1323 struct dom_sid group_sid;
1324 bool ret;
1325
1326 ret = lookup_name(mem_ctx, groupname, LOOKUP_NAME_ALL,
1327 NULL, NULL, &group_sid, NULL);
1328 TALLOC_FREE(mem_ctx);
1329
1330 if (!ret) {
1331 DEBUG(10, ("lookup_name for (%s) failed.\n", groupname));
1332 return False;
1333 }
1334
1335 return user_in_group_sid(username, &group_sid);
1336 }
1337
1338 /* END */
Samba GIT mirror