search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
CVE-2023-3961:s3:torture: Add test SMB2-INVALID-PIPENAME to show we allow bad pipenam...
[Samba.git] / source3 / auth / token_util.c
blobaac5749a8152c06c03daceeeeffb893ce022ad57
1 /*
2 * Unix SMB/CIFS implementation.
3 * Authentication utility functions
4 * Copyright (C) Andrew Tridgell 1992-1998
5 * Copyright (C) Andrew Bartlett 2001
6 * Copyright (C) Jeremy Allison 2000-2001
7 * Copyright (C) Rafal Szczesniak 2002
8 * Copyright (C) Volker Lendecke 2006
9 * Copyright (C) Michael Adam 2007
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 3 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, see <http://www.gnu.org/licenses/>.
23 */
24
25 /* functions moved from auth/auth_util.c to minimize linker deps */
26
27 #include "includes.h"
28 #include "lib/util_unixsids.h"
29 #include "system/passwd.h"
30 #include "auth.h"
31 #include "secrets.h"
32 #include "../lib/util/memcache.h"
33 #include "../librpc/gen_ndr/netlogon.h"
34 #include "../libcli/security/security.h"
35 #include "../lib/util/util_pw.h"
36 #include "passdb.h"
37 #include "lib/privileges.h"
38
39 /****************************************************************************
40 Check for a SID in an struct security_token
41 ****************************************************************************/
42
43 bool nt_token_check_sid ( const struct dom_sid *sid, const struct security_token *token )
44 {
45 if ( !sid || !token )
46 return False;
47
48 return security_token_has_sid(token, sid);
49 }
50
51 bool nt_token_check_domain_rid( struct security_token *token, uint32_t rid )
52 {
53 struct dom_sid domain_sid;
54
55 /* if we are a domain member, the get the domain SID, else for
56 a DC or standalone server, use our own SID */
57
58 if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) {
59 if ( !secrets_fetch_domain_sid( lp_workgroup(),
60 &domain_sid ) ) {
61 DEBUG(1,("nt_token_check_domain_rid: Cannot lookup "
62 "SID for domain [%s]\n", lp_workgroup()));
63 return False;
64 }
65 }
66 else
67 sid_copy( &domain_sid, get_global_sam_sid() );
68
69 sid_append_rid( &domain_sid, rid );
70
71 return nt_token_check_sid( &domain_sid, token );\
72 }
73
74 /******************************************************************************
75 Create a token for the root user to be used internally by smbd.
76 This is similar to running under the context of the LOCAL_SYSTEM account
77 in Windows. This is a read-only token. Do not modify it or free() it.
78 Create a copy if you need to change it.
79 ******************************************************************************/
80
81 NTSTATUS get_root_nt_token( struct security_token **token )
82 {
83 struct security_token *for_cache;
84 struct dom_sid u_sid, g_sid;
85 struct passwd *pw;
86 void *cache_data;
87 NTSTATUS status = NT_STATUS_OK;
88
89 cache_data = memcache_lookup_talloc(
90 NULL, SINGLETON_CACHE_TALLOC,
91 data_blob_string_const_null("root_nt_token"));
92
93 if (cache_data != NULL) {
94 *token = talloc_get_type_abort(
95 cache_data, struct security_token);
96 return NT_STATUS_OK;
97 }
98
99 if ( !(pw = getpwuid(0)) ) {
100 if ( !(pw = getpwnam("root")) ) {
101 DBG_ERR("get_root_nt_token: both getpwuid(0) "
102 "and getpwnam(\"root\") failed!\n");
103 return NT_STATUS_NO_SUCH_USER;
104 }
105 }
106
107 /* get the user and primary group SIDs; although the
108 BUILTIN\Administrators SId is really the one that matters here */
109
110 uid_to_sid(&u_sid, pw->pw_uid);
111 gid_to_sid(&g_sid, pw->pw_gid);
112
113 status = create_local_nt_token(talloc_tos(), &u_sid, False,
114 1, &global_sid_Builtin_Administrators, token);
115 if (!NT_STATUS_IS_OK(status)) {
116 return status;
117 }
118
119 security_token_set_privilege(*token, SEC_PRIV_DISK_OPERATOR);
120
121 for_cache = *token;
122
123 memcache_add_talloc(
124 NULL, SINGLETON_CACHE_TALLOC,
125 data_blob_string_const_null("root_nt_token"), &for_cache);
126
127 return status;
128 }
129
130
131 /*
132 * Add alias SIDs from memberships within the partially created token SID list
133 */
134
135 NTSTATUS add_aliases(const struct dom_sid *domain_sid,
136 struct security_token *token)
137 {
138 uint32_t *aliases;
139 size_t i, num_aliases;
140 NTSTATUS status;
141 TALLOC_CTX *tmp_ctx;
142
143 if (!(tmp_ctx = talloc_init("add_aliases"))) {
144 return NT_STATUS_NO_MEMORY;
145 }
146
147 aliases = NULL;
148 num_aliases = 0;
149
150 status = pdb_enum_alias_memberships(tmp_ctx, domain_sid,
151 token->sids,
152 token->num_sids,
153 &aliases, &num_aliases);
154
155 if (!NT_STATUS_IS_OK(status)) {
156 DEBUG(10, ("pdb_enum_alias_memberships failed: %s\n",
157 nt_errstr(status)));
158 goto done;
159 }
160
161 for (i=0; i<num_aliases; i++) {
162 struct dom_sid alias_sid;
163 sid_compose(&alias_sid, domain_sid, aliases[i]);
164 status = add_sid_to_array_unique(token, &alias_sid,
165 &token->sids,
166 &token->num_sids);
167 if (!NT_STATUS_IS_OK(status)) {
168 DEBUG(0, ("add_sid_to_array failed\n"));
169 goto done;
170 }
171 }
172
173 done:
174 TALLOC_FREE(tmp_ctx);
175 return NT_STATUS_OK;
176 }
177
178 /*******************************************************************
179 *******************************************************************/
180
181 static NTSTATUS add_builtin_administrators(struct security_token *token,
182 const struct dom_sid *dom_sid)
183 {
184 struct dom_sid domadm;
185 NTSTATUS status;
186
187 /* nothing to do if we aren't in a domain */
188
189 if ( !(IS_DC || lp_server_role()==ROLE_DOMAIN_MEMBER) ) {
190 return NT_STATUS_OK;
191 }
192
193 /* Find the Domain Admins SID */
194
195 if ( IS_DC ) {
196 sid_copy( &domadm, get_global_sam_sid() );
197 } else {
198 if (dom_sid == NULL) {
199 return NT_STATUS_INVALID_PARAMETER_MIX;
200 }
201 sid_copy(&domadm, dom_sid);
202 }
203 sid_append_rid( &domadm, DOMAIN_RID_ADMINS );
204
205 /* Add Administrators if the user beloongs to Domain Admins */
206
207 if ( nt_token_check_sid( &domadm, token ) ) {
208 status = add_sid_to_array(token,
209 &global_sid_Builtin_Administrators,
210 &token->sids, &token->num_sids);
211 if (!NT_STATUS_IS_OK(status)) {
212 return status;
213 }
214 }
215
216 return NT_STATUS_OK;
217 }
218
219 static NTSTATUS add_builtin_guests(struct security_token *token,
220 const struct dom_sid *dom_sid)
221 {
222 struct dom_sid tmp_sid;
223 NTSTATUS status;
224
225 /*
226 * First check the local GUEST account.
227 */
228 sid_compose(&tmp_sid, get_global_sam_sid(), DOMAIN_RID_GUEST);
229
230 if (nt_token_check_sid(&tmp_sid, token)) {
231 status = add_sid_to_array_unique(token,
232 &global_sid_Builtin_Guests,
233 &token->sids, &token->num_sids);
234 if (!NT_STATUS_IS_OK(status)) {
235 return status;
236 }
237
238 return NT_STATUS_OK;
239 }
240
241 /*
242 * First check the local GUESTS group.
243 */
244 sid_compose(&tmp_sid, get_global_sam_sid(), DOMAIN_RID_GUESTS);
245
246 if (nt_token_check_sid(&tmp_sid, token)) {
247 status = add_sid_to_array_unique(token,
248 &global_sid_Builtin_Guests,
249 &token->sids, &token->num_sids);
250 if (!NT_STATUS_IS_OK(status)) {
251 return status;
252 }
253
254 return NT_STATUS_OK;
255 }
256
257 if (lp_server_role() != ROLE_DOMAIN_MEMBER) {
258 return NT_STATUS_OK;
259 }
260
261 if (dom_sid == NULL) {
262 return NT_STATUS_INVALID_PARAMETER_MIX;
263 }
264
265 /*
266 * First check the domain GUESTS group.
267 */
268 sid_copy(&tmp_sid, dom_sid);
269 sid_append_rid(&tmp_sid, DOMAIN_RID_GUESTS);
270
271 if (nt_token_check_sid(&tmp_sid, token)) {
272 status = add_sid_to_array_unique(token,
273 &global_sid_Builtin_Guests,
274 &token->sids, &token->num_sids);
275 if (!NT_STATUS_IS_OK(status)) {
276 return status;
277 }
278
279 return NT_STATUS_OK;
280 }
281
282 return NT_STATUS_OK;
283 }
284
285 static NTSTATUS add_local_groups(struct security_token *result,
286 bool is_guest);
287
288 NTSTATUS get_user_sid_info3_and_extra(const struct netr_SamInfo3 *info3,
289 const struct extra_auth_info *extra,
290 struct dom_sid *sid)
291 {
292 /* USER SID */
293 if (info3->base.rid == (uint32_t)(-1)) {
294 /* this is a signal the user was fake and generated,
295 * the actual SID we want to use is stored in the extra
296 * sids */
297 if (is_null_sid(&extra->user_sid)) {
298 /* we couldn't find the user sid, bail out */
299 DEBUG(3, ("Invalid user SID\n"));
300 return NT_STATUS_UNSUCCESSFUL;
301 }
302 sid_copy(sid, &extra->user_sid);
303 } else {
304 sid_copy(sid, info3->base.domain_sid);
305 sid_append_rid(sid, info3->base.rid);
306 }
307 return NT_STATUS_OK;
308 }
309
310 static struct security_token *init_local_nt_token(TALLOC_CTX *mem_ctx)
311 {
312 /*
313 * We do not have a method to populate the claims into this
314 * buffer in the source3/ stack. When that changes, we will
315 * instead this optional based on lp_acl_claims_evaluation()
316 */
317
318 struct security_token *result
319 = security_token_initialise(mem_ctx,
320 CLAIMS_EVALUATION_NEVER);
321
322 if (result == NULL) {
323 DBG_ERR("talloc failed for security_token\n");
324 return NULL;
325 }
326
327 return result;
328 }
329
330 NTSTATUS create_local_nt_token_from_info3(TALLOC_CTX *mem_ctx,
331 bool is_guest,
332 const struct netr_SamInfo3 *info3,
333 const struct extra_auth_info *extra,
334 struct security_token **ntok)
335 {
336 struct security_token *usrtok = NULL;
337 uint32_t session_info_flags = 0;
338 NTSTATUS status;
339 uint32_t i;
340
341 DEBUG(10, ("Create local NT token for %s\n",
342 info3->base.account_name.string));
343
344 usrtok = init_local_nt_token(mem_ctx);
345 if (!usrtok) {
346 return NT_STATUS_NO_MEMORY;
347 }
348
349 /* Add the user and primary group sid FIRST */
350 /* check if the user rid is the special "Domain Guests" rid.
351 * If so pick the first sid for the extra sids instead as it
352 * is a local fake account */
353 usrtok->sids = talloc_array(usrtok, struct dom_sid, 2);
354 if (!usrtok->sids) {
355 TALLOC_FREE(usrtok);
356 return NT_STATUS_NO_MEMORY;
357 }
358 usrtok->num_sids = 2;
359
360 status = get_user_sid_info3_and_extra(info3, extra, &usrtok->sids[0]);
361 if (!NT_STATUS_IS_OK(status)) {
362 TALLOC_FREE(usrtok);
363 return status;
364 }
365
366 /* GROUP SID */
367 if (info3->base.primary_gid == (uint32_t)(-1)) {
368 /* this is a signal the user was fake and generated,
369 * the actual SID we want to use is stored in the extra
370 * sids */
371 if (is_null_sid(&extra->pgid_sid)) {
372 /* we couldn't find the user sid, bail out */
373 DEBUG(3, ("Invalid group SID\n"));
374 TALLOC_FREE(usrtok);
375 return NT_STATUS_UNSUCCESSFUL;
376 }
377 sid_copy(&usrtok->sids[1], &extra->pgid_sid);
378 } else {
379 sid_copy(&usrtok->sids[1], info3->base.domain_sid);
380 sid_append_rid(&usrtok->sids[1],
381 info3->base.primary_gid);
382 }
383
384 /* Now the SIDs we got from authentication. These are the ones from
385 * the info3 struct or from the pdb_enum_group_memberships, depending
386 * on who authenticated the user.
387 * Note that we start the for loop at "1" here, we already added the
388 * first group sid as primary above. */
389
390 for (i = 0; i < info3->base.groups.count; i++) {
391 struct dom_sid tmp_sid;
392
393 sid_copy(&tmp_sid, info3->base.domain_sid);
394 sid_append_rid(&tmp_sid, info3->base.groups.rids[i].rid);
395
396 status = add_sid_to_array_unique(usrtok, &tmp_sid,
397 &usrtok->sids,
398 &usrtok->num_sids);
399 if (!NT_STATUS_IS_OK(status)) {
400 DEBUG(3, ("Failed to add SID to nt token\n"));
401 TALLOC_FREE(usrtok);
402 return status;
403 }
404 }
405
406 /* now also add extra sids if they are not the special user/group
407 * sids */
408 for (i = 0; i < info3->sidcount; i++) {
409 status = add_sid_to_array_unique(usrtok,
410 info3->sids[i].sid,
411 &usrtok->sids,
412 &usrtok->num_sids);
413 if (!NT_STATUS_IS_OK(status)) {
414 DEBUG(3, ("Failed to add SID to nt token\n"));
415 TALLOC_FREE(usrtok);
416 return status;
417 }
418 }
419
420 status = add_local_groups(usrtok, is_guest);
421 if (!NT_STATUS_IS_OK(status)) {
422 DEBUG(3, ("Failed to add local groups\n"));
423 TALLOC_FREE(usrtok);
424 return status;
425 }
426
427 session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
428 if (!is_guest) {
429 session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
430 }
431
432 status = finalize_local_nt_token(usrtok, session_info_flags);
433 if (!NT_STATUS_IS_OK(status)) {
434 DEBUG(3, ("Failed to finalize nt token\n"));
435 TALLOC_FREE(usrtok);
436 return status;
437 }
438
439 *ntok = usrtok;
440 return NT_STATUS_OK;
441 }
442
443 /*******************************************************************
444 Create a NT token for the user, expanding local aliases
445 *******************************************************************/
446
447 NTSTATUS create_local_nt_token(TALLOC_CTX *mem_ctx,
448 const struct dom_sid *user_sid,
449 bool is_guest,
450 int num_groupsids,
451 const struct dom_sid *groupsids,
452 struct security_token **token)
453 {
454 struct security_token *result = NULL;
455 int i;
456 NTSTATUS status;
457 uint32_t session_info_flags = 0;
458 struct dom_sid_buf buf;
459
460 DEBUG(10, ("Create local NT token for %s\n",
461 dom_sid_str_buf(user_sid, &buf)));
462
463 result = init_local_nt_token(mem_ctx);
464 if (result == NULL) {
465 status = NT_STATUS_NO_MEMORY;
466 goto err;
467 }
468
469 /* Add the user and primary group sid */
470
471 status = add_sid_to_array(result, user_sid,
472 &result->sids, &result->num_sids);
473 if (!NT_STATUS_IS_OK(status)) {
474 goto err;
475 }
476
477 /* For guest, num_groupsids may be zero. */
478 if (num_groupsids) {
479 status = add_sid_to_array(result, &groupsids[0],
480 &result->sids,
481 &result->num_sids);
482 if (!NT_STATUS_IS_OK(status)) {
483 goto err;
484 }
485 }
486
487 /* Now the SIDs we got from authentication. These are the ones from
488 * the info3 struct or from the pdb_enum_group_memberships, depending
489 * on who authenticated the user.
490 * Note that we start the for loop at "1" here, we already added the
491 * first group sid as primary above. */
492
493 for (i=1; i<num_groupsids; i++) {
494 status = add_sid_to_array_unique(result, &groupsids[i],
495 &result->sids,
496 &result->num_sids);
497 if (!NT_STATUS_IS_OK(status)) {
498 goto err;
499 }
500 }
501
502 status = add_local_groups(result, is_guest);
503 if (!NT_STATUS_IS_OK(status)) {
504 goto err;
505 }
506
507 session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
508 if (!is_guest) {
509 session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
510 }
511
512 status = finalize_local_nt_token(result, session_info_flags);
513 if (!NT_STATUS_IS_OK(status)) {
514 goto err;
515 }
516
517 if (is_guest) {
518 /*
519 * It's ugly, but for now it's
520 * needed to add Builtin_Guests
521 * here, the "local" token only
522 * consist of S-1-22-* SIDs
523 * and finalize_local_nt_token()
524 * doesn't have the chance to
525 * to detect it need to
526 * add Builtin_Guests via
527 * add_builtin_guests().
528 */
529 status = add_sid_to_array_unique(result,
530 &global_sid_Builtin_Guests,
531 &result->sids,
532 &result->num_sids);
533 if (!NT_STATUS_IS_OK(status)) {
534 DEBUG(3, ("Failed to add SID to nt token\n"));
535 goto err;
536 }
537 }
538
539 *token = result;
540 return NT_STATUS_SUCCESS;
541
542 err:
543 TALLOC_FREE(result);
544 return status;
545 }
546
547 /***************************************************
548 Merge in any groups from /etc/group.
549 ***************************************************/
550
551 static NTSTATUS add_local_groups(struct security_token *result,
552 bool is_guest)
553 {
554 gid_t *gids = NULL;
555 uint32_t getgroups_num_group_sids = 0;
556 struct passwd *pass = NULL;
557 TALLOC_CTX *tmp_ctx = talloc_stackframe();
558 uint32_t i;
559
560 if (is_guest) {
561 /*
562 * Guest is a special case. It's always
563 * a user that can be looked up, but
564 * result->sids[0] is set to DOMAIN\Guest.
565 * Lookup by account name instead.
566 */
567 pass = Get_Pwnam_alloc(tmp_ctx, lp_guest_account());
568 } else {
569 uid_t uid;
570
571 /* For non-guest result->sids[0] is always the user sid. */
572 if (!sid_to_uid(&result->sids[0], &uid)) {
573 /*
574 * Non-mappable SID like SYSTEM.
575 * Can't be in any /etc/group groups.
576 */
577 TALLOC_FREE(tmp_ctx);
578 return NT_STATUS_OK;
579 }
580
581 pass = getpwuid_alloc(tmp_ctx, uid);
582 if (pass == NULL) {
583 struct dom_sid_buf buf;
584 DBG_ERR("SID %s -> getpwuid(%u) failed, is nsswitch configured?\n",
585 dom_sid_str_buf(&result->sids[0], &buf),
586 (unsigned int)uid);
587 TALLOC_FREE(tmp_ctx);
588 return NT_STATUS_NO_SUCH_USER;
589 }
590 }
591
592 if (!pass) {
593 TALLOC_FREE(tmp_ctx);
594 return NT_STATUS_UNSUCCESSFUL;
595 }
596
597 /*
598 * Now we must get any groups this user has been
599 * added to in /etc/group and merge them in.
600 * This has to be done in every code path
601 * that creates an NT token, as remote users
602 * may have been added to the local /etc/group
603 * database. Tokens created merely from the
604 * info3 structs (via the DC or via the krb5 PAC)
605 * won't have these local groups. Note the
606 * groups added here will only be UNIX groups
607 * (S-1-22-2-XXXX groups) as getgroups_unix_user()
608 * turns off winbindd before calling getgroups().
609 *
610 * NB. This is duplicating work already
611 * done in the 'unix_user:' case of
612 * create_token_from_sid() but won't
613 * do anything other than be inefficient
614 * in that case.
615 */
616
617 if (!getgroups_unix_user(tmp_ctx, pass->pw_name, pass->pw_gid,
618 &gids, &getgroups_num_group_sids)) {
619 DEBUG(1, ("getgroups_unix_user for user %s failed\n",
620 pass->pw_name));
621 TALLOC_FREE(tmp_ctx);
622 return NT_STATUS_UNSUCCESSFUL;
623 }
624
625 for (i=0; i<getgroups_num_group_sids; i++) {
626 NTSTATUS status;
627 struct dom_sid grp_sid;
628 gid_to_sid(&grp_sid, gids[i]);
629
630 status = add_sid_to_array_unique(result,
631 &grp_sid,
632 &result->sids,
633 &result->num_sids);
634 if (!NT_STATUS_IS_OK(status)) {
635 DEBUG(3, ("Failed to add UNIX SID to nt token\n"));
636 TALLOC_FREE(tmp_ctx);
637 return status;
638 }
639 }
640 TALLOC_FREE(tmp_ctx);
641 return NT_STATUS_OK;
642 }
643
644 NTSTATUS finalize_local_nt_token(struct security_token *result,
645 uint32_t session_info_flags)
646 {
647 struct dom_sid _dom_sid = { 0, };
648 struct dom_sid *domain_sid = NULL;
649 NTSTATUS status;
650 struct acct_info *info;
651 bool ok;
652
653 result->privilege_mask = 0;
654 result->rights_mask = 0;
655
656 if (result->num_sids == 0) {
657 return NT_STATUS_INVALID_TOKEN;
658 }
659
660 if (session_info_flags & AUTH_SESSION_INFO_DEFAULT_GROUPS) {
661 status = add_sid_to_array(result, &global_sid_World,
662 &result->sids, &result->num_sids);
663 if (!NT_STATUS_IS_OK(status)) {
664 return status;
665 }
666 status = add_sid_to_array(result, &global_sid_Network,
667 &result->sids, &result->num_sids);
668 if (!NT_STATUS_IS_OK(status)) {
669 return status;
670 }
671 }
672
673 /*
674 * Don't expand nested groups of system, anonymous etc
675 *
676 * Note that they still get SID_WORLD and SID_NETWORK
677 * for now in order let existing tests pass.
678 *
679 * But SYSTEM doesn't get AUTHENTICATED_USERS
680 * and ANONYMOUS doesn't get BUILTIN GUESTS anymore.
681 */
682 if (security_token_is_anonymous(result)) {
683 return NT_STATUS_OK;
684 }
685 if (security_token_is_system(result)) {
686 result->privilege_mask = ~0;
687 return NT_STATUS_OK;
688 }
689
690 if (session_info_flags & AUTH_SESSION_INFO_AUTHENTICATED) {
691 status = add_sid_to_array(result,
692 &global_sid_Authenticated_Users,
693 &result->sids,
694 &result->num_sids);
695 if (!NT_STATUS_IS_OK(status)) {
696 return status;
697 }
698 }
699
700 /* Add in BUILTIN sids */
701
702 become_root();
703 ok = secrets_fetch_domain_sid(lp_workgroup(), &_dom_sid);
704 if (ok) {
705 domain_sid = &_dom_sid;
706 } else {
707 DEBUG(3, ("Failed to fetch domain sid for %s\n",
708 lp_workgroup()));
709 }
710 unbecome_root();
711
712 info = talloc_zero(talloc_tos(), struct acct_info);
713 if (info == NULL) {
714 DEBUG(0, ("talloc failed!\n"));
715 return NT_STATUS_NO_MEMORY;
716 }
717
718 /* Deal with the BUILTIN\Administrators group. If the SID can
719 be resolved then assume that the add_aliasmem( S-1-5-32 )
720 handled it. */
721
722 status = pdb_get_aliasinfo(&global_sid_Builtin_Administrators, info);
723 if (!NT_STATUS_IS_OK(status)) {
724
725 become_root();
726 status = create_builtin_administrators(domain_sid);
727 unbecome_root();
728
729 if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE)) {
730 /* Add BUILTIN\Administrators directly to token. */
731 status = add_builtin_administrators(result, domain_sid);
732 if ( !NT_STATUS_IS_OK(status) ) {
733 DEBUG(3, ("Failed to check for local "
734 "Administrators membership (%s)\n",
735 nt_errstr(status)));
736 }
737 } else if (!NT_STATUS_IS_OK(status)) {
738 DEBUG(2, ("WARNING: Failed to create "
739 "BUILTIN\\Administrators group! Can "
740 "Winbind allocate gids?\n"));
741 }
742 }
743
744 /* Deal with the BUILTIN\Users group. If the SID can
745 be resolved then assume that the add_aliasmem( S-1-5-32 )
746 handled it. */
747
748 status = pdb_get_aliasinfo(&global_sid_Builtin_Users, info);
749 if (!NT_STATUS_IS_OK(status)) {
750
751 become_root();
752 status = create_builtin_users(domain_sid);
753 unbecome_root();
754
755 if (!NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE) &&
756 !NT_STATUS_IS_OK(status))
757 {
758 DEBUG(2, ("WARNING: Failed to create BUILTIN\\Users group! "
759 "Can Winbind allocate gids?\n"));
760 }
761 }
762
763 /*
764 * Deal with the BUILTIN\Guests group. If the SID can
765 * be resolved then assume that the add_aliasmem( S-1-5-32 )
766 * handled it.
767 */
768 status = pdb_get_aliasinfo(&global_sid_Builtin_Guests, info);
769 if (!NT_STATUS_IS_OK(status)) {
770
771 become_root();
772 status = create_builtin_guests(domain_sid);
773 unbecome_root();
774
775 /*
776 * NT_STATUS_PROTOCOL_UNREACHABLE:
777 * => winbindd is not running.
778 *
779 * NT_STATUS_ACCESS_DENIED:
780 * => no idmap config at all
781 * and wbint_AllocateGid()/winbind_allocate_gid()
782 * failed.
783 *
784 * NT_STATUS_NO_SUCH_GROUP:
785 * => no idmap config at all and
786 * "tdbsam:map builtin = no" means
787 * wbint_Sids2UnixIDs() fails.
788 */
789 if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE) ||
790 NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
791 NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_GROUP)) {
792 /*
793 * Add BUILTIN\Guests directly to token.
794 * But only if the token already indicates
795 * real guest access by:
796 * - local GUEST account
797 * - local GUESTS group
798 * - domain GUESTS group
799 *
800 * Even if a user was authenticated, it
801 * can be member of a guest related group.
802 */
803 status = add_builtin_guests(result, domain_sid);
804 if (!NT_STATUS_IS_OK(status)) {
805 DEBUG(3, ("Failed to check for local "
806 "Guests membership (%s)\n",
807 nt_errstr(status)));
808 /*
809 * This is a hard error.
810 */
811 return status;
812 }
813 } else if (!NT_STATUS_IS_OK(status)) {
814 DEBUG(2, ("Failed to create "
815 "BUILTIN\\Guests group %s! Can "
816 "Winbind allocate gids?\n",
817 nt_errstr(status)));
818 /*
819 * This is a hard error.
820 */
821 return status;
822 }
823 }
824
825 TALLOC_FREE(info);
826
827 /* Deal with local groups */
828
829 if (lp_winbind_nested_groups()) {
830
831 become_root();
832
833 /* Now add the aliases. First the one from our local SAM */
834
835 status = add_aliases(get_global_sam_sid(), result);
836
837 if (!NT_STATUS_IS_OK(status)) {
838 unbecome_root();
839 return status;
840 }
841
842 /* Finally the builtin ones */
843
844 status = add_aliases(&global_sid_Builtin, result);
845
846 if (!NT_STATUS_IS_OK(status)) {
847 unbecome_root();
848 return status;
849 }
850
851 unbecome_root();
852 }
853
854 if (session_info_flags & AUTH_SESSION_INFO_NTLM) {
855 struct dom_sid tmp_sid = { 0, };
856
857 ok = dom_sid_parse(SID_NT_NTLM_AUTHENTICATION, &tmp_sid);
858 if (!ok) {
859 return NT_STATUS_NO_MEMORY;
860 }
861
862 status = add_sid_to_array(result,
863 &tmp_sid,
864 &result->sids,
865 &result->num_sids);
866 if (!NT_STATUS_IS_OK(status)) {
867 return status;
868 }
869 }
870
871 if (session_info_flags & AUTH_SESSION_INFO_SIMPLE_PRIVILEGES) {
872 if (security_token_has_builtin_administrators(result)) {
873 result->privilege_mask = ~0;
874 }
875 } else {
876 /* Add privileges based on current user sids */
877 get_privileges_for_sids(&result->privilege_mask, result->sids,
878 result->num_sids);
879 }
880
881 return NT_STATUS_OK;
882 }
883
884 /****************************************************************************
885 prints a UNIX 'token' to debug output.
886 ****************************************************************************/
887
888 void debug_unix_user_token(int dbg_class, int dbg_lev, uid_t uid, gid_t gid,
889 int n_groups, gid_t *groups)
890 {
891 int i;
892 DEBUGC(dbg_class, dbg_lev,
893 ("UNIX token of user %ld\n", (long int)uid));
894
895 DEBUGADDC(dbg_class, dbg_lev,
896 ("Primary group is %ld and contains %i supplementary "
897 "groups\n", (long int)gid, n_groups));
898 for (i = 0; i < n_groups; i++)
899 DEBUGADDC(dbg_class, dbg_lev, ("Group[%3i]: %ld\n", i,
900 (long int)groups[i]));
901 }
902
903 /*
904 * Create an artificial NT token given just a domain SID.
905 *
906 * We have 3 cases:
907 *
908 * unmapped unix users: Go directly to nss to find the user's group.
909 *
910 * A passdb user: The list of groups is provided by pdb_enum_group_memberships.
911 *
912 * If the user is provided by winbind, the primary gid is set to "domain
913 * users" of the user's domain. For an explanation why this is necessary, see
914 * the thread starting at
915 * http://lists.samba.org/archive/samba-technical/2006-January/044803.html.
916 */
917
918 static NTSTATUS create_token_from_sid(TALLOC_CTX *mem_ctx,
919 const struct dom_sid *user_sid,
920 bool is_guest,
921 uid_t *uid, gid_t *gid,
922 char **found_username,
923 struct security_token **token)
924 {
925 NTSTATUS result = NT_STATUS_NO_SUCH_USER;
926 TALLOC_CTX *tmp_ctx = talloc_stackframe();
927 gid_t *gids;
928 struct dom_sid *group_sids;
929 struct dom_sid tmp_sid;
930 uint32_t num_group_sids;
931 uint32_t num_gids;
932 uint32_t i;
933 uint32_t high, low;
934 bool range_ok;
935 struct dom_sid_buf buf;
936
937 if (sid_check_is_in_our_sam(user_sid)) {
938 bool ret;
939 uint32_t pdb_num_group_sids;
940 /* This is a passdb user, so ask passdb */
941
942 struct samu *sam_acct = NULL;
943
944 if ( !(sam_acct = samu_new( tmp_ctx )) ) {
945 result = NT_STATUS_NO_MEMORY;
946 goto done;
947 }
948
949 become_root();
950 ret = pdb_getsampwsid(sam_acct, user_sid);
951 unbecome_root();
952
953 if (!ret) {
954 DEBUG(1, ("pdb_getsampwsid(%s) failed\n",
955 dom_sid_str_buf(user_sid, &buf)));
956 DEBUGADD(1, ("Fall back to unix user\n"));
957 goto unix_user;
958 }
959
960 result = pdb_enum_group_memberships(tmp_ctx, sam_acct,
961 &group_sids, &gids,
962 &pdb_num_group_sids);
963 if (!NT_STATUS_IS_OK(result)) {
964 DEBUG(1, ("enum_group_memberships failed for %s: "
965 "%s\n",
966 dom_sid_str_buf(user_sid, &buf),
967 nt_errstr(result)));
968 DEBUGADD(1, ("Fall back to unix uid lookup\n"));
969 goto unix_user;
970 }
971 num_group_sids = pdb_num_group_sids;
972
973 /* see the smb_panic() in pdb_default_enum_group_memberships */
974 SMB_ASSERT(num_group_sids > 0);
975
976 /* Ensure we're returning the found_username on the right context. */
977 *found_username = talloc_strdup(mem_ctx,
978 pdb_get_username(sam_acct));
979
980 if (*found_username == NULL) {
981 result = NT_STATUS_NO_MEMORY;
982 goto done;
983 }
984
985 /*
986 * If the SID from lookup_name() was the guest sid, passdb knows
987 * about the mapping of guest sid to lp_guest_account()
988 * username and will return the unix_pw info for a guest
989 * user. Use it if it's there, else lookup the *uid details
990 * using Get_Pwnam_alloc(). See bug #6291 for details. JRA.
991 */
992
993 /* We must always assign the *uid. */
994 if (sam_acct->unix_pw == NULL) {
995 struct passwd *pwd = Get_Pwnam_alloc(sam_acct, *found_username );
996 if (!pwd) {
997 DEBUG(10, ("Get_Pwnam_alloc failed for %s\n",
998 *found_username));
999 result = NT_STATUS_NO_SUCH_USER;
1000 goto done;
1001 }
1002 result = samu_set_unix(sam_acct, pwd );
1003 if (!NT_STATUS_IS_OK(result)) {
1004 DEBUG(10, ("samu_set_unix failed for %s\n",
1005 *found_username));
1006 result = NT_STATUS_NO_SUCH_USER;
1007 goto done;
1008 }
1009 }
1010 *uid = sam_acct->unix_pw->pw_uid;
1011
1012 } else if (sid_check_is_in_unix_users(user_sid)) {
1013 uint32_t getgroups_num_group_sids;
1014 /* This is a unix user not in passdb. We need to ask nss
1015 * directly, without consulting passdb */
1016
1017 struct passwd *pass;
1018
1019 /*
1020 * This goto target is used as a fallback for the passdb
1021 * case. The concrete bug report is when passdb gave us an
1022 * unmapped gid.
1023 */
1024
1025 unix_user:
1026
1027 if (!sid_to_uid(user_sid, uid)) {
1028 DEBUG(1, ("unix_user case, sid_to_uid for %s failed\n",
1029 dom_sid_str_buf(user_sid, &buf)));
1030 result = NT_STATUS_NO_SUCH_USER;
1031 goto done;
1032 }
1033
1034 uid_to_unix_users_sid(*uid, &tmp_sid);
1035 user_sid = &tmp_sid;
1036
1037 pass = getpwuid_alloc(tmp_ctx, *uid);
1038 if (pass == NULL) {
1039 DEBUG(1, ("getpwuid(%u) failed\n",
1040 (unsigned int)*uid));
1041 goto done;
1042 }
1043
1044 if (!getgroups_unix_user(tmp_ctx, pass->pw_name, pass->pw_gid,
1045 &gids, &getgroups_num_group_sids)) {
1046 DEBUG(1, ("getgroups_unix_user for user %s failed\n",
1047 pass->pw_name));
1048 goto done;
1049 }
1050 num_group_sids = getgroups_num_group_sids;
1051
1052 group_sids = talloc_array(tmp_ctx, struct dom_sid, num_group_sids);
1053 if (group_sids == NULL) {
1054 DEBUG(1, ("talloc_array failed\n"));
1055 result = NT_STATUS_NO_MEMORY;
1056 goto done;
1057 }
1058
1059 for (i=0; i<num_group_sids; i++) {
1060 gid_to_sid(&group_sids[i], gids[i]);
1061 }
1062
1063 /* In getgroups_unix_user we always set the primary gid */
1064 SMB_ASSERT(num_group_sids > 0);
1065
1066 /* Ensure we're returning the found_username on the right context. */
1067 *found_username = talloc_strdup(mem_ctx, pass->pw_name);
1068 if (*found_username == NULL) {
1069 result = NT_STATUS_NO_MEMORY;
1070 goto done;
1071 }
1072 } else {
1073
1074 /* This user is from winbind, force the primary gid to the
1075 * user's "domain users" group. Under certain circumstances
1076 * (user comes from NT4), this might be a loss of
1077 * information. But we can not rely on winbind getting the
1078 * correct info. AD might prohibit winbind looking up that
1079 * information. */
1080
1081 /* We must always assign the *uid. */
1082 if (!sid_to_uid(user_sid, uid)) {
1083 DEBUG(1, ("winbindd case, sid_to_uid for %s failed\n",
1084 dom_sid_str_buf(user_sid, &buf)));
1085 result = NT_STATUS_NO_SUCH_USER;
1086 goto done;
1087 }
1088
1089 num_group_sids = 1;
1090 group_sids = talloc_array(tmp_ctx, struct dom_sid, num_group_sids);
1091 if (group_sids == NULL) {
1092 DEBUG(1, ("talloc_array failed\n"));
1093 result = NT_STATUS_NO_MEMORY;
1094 goto done;
1095 }
1096
1097 gids = talloc_array(tmp_ctx, gid_t, num_group_sids);
1098 if (gids == NULL) {
1099 result = NT_STATUS_NO_MEMORY;
1100 goto done;
1101 }
1102
1103 sid_copy(&group_sids[0], user_sid);
1104 sid_split_rid(&group_sids[0], NULL);
1105 sid_append_rid(&group_sids[0], DOMAIN_RID_USERS);
1106
1107 if (!sid_to_gid(&group_sids[0], &gids[0])) {
1108 DEBUG(1, ("sid_to_gid(%s) failed\n",
1109 dom_sid_str_buf(&group_sids[0], &buf)));
1110 goto done;
1111 }
1112
1113 *found_username = NULL;
1114 }
1115
1116 *gid = gids[0];
1117
1118 /* Add the "Unix Group" SID for each gid to catch mapped groups
1119 and their Unix equivalent. This is to solve the backwards
1120 compatibility problem of 'valid users = +ntadmin' where
1121 ntadmin has been paired with "Domain Admins" in the group
1122 mapping table. Otherwise smb.conf would need to be changed
1123 to 'valid user = "Domain Admins"'. --jerry */
1124
1125 num_gids = num_group_sids;
1126 range_ok = lp_idmap_default_range(&low, &high);
1127 for ( i=0; i<num_gids; i++ ) {
1128 struct dom_sid unix_group_sid;
1129
1130 /* don't pickup anything managed by Winbind */
1131 if (range_ok && (gids[i] >= low) && (gids[i] <= high)) {
1132 continue;
1133 }
1134
1135 gid_to_unix_groups_sid(gids[i], &unix_group_sid);
1136
1137 result = add_sid_to_array_unique(tmp_ctx, &unix_group_sid,
1138 &group_sids, &num_group_sids);
1139 if (!NT_STATUS_IS_OK(result)) {
1140 goto done;
1141 }
1142 }
1143
1144 /* Ensure we're creating the nt_token on the right context. */
1145 result = create_local_nt_token(mem_ctx, user_sid,
1146 is_guest, num_group_sids, group_sids, token);
1147
1148 if (!NT_STATUS_IS_OK(result)) {
1149 goto done;
1150 }
1151
1152 result = NT_STATUS_OK;
1153 done:
1154 TALLOC_FREE(tmp_ctx);
1155 return result;
1156 }
1157
1158 /*
1159 * Create an artificial NT token given just a username. (Initially intended
1160 * for force user)
1161 *
1162 * We go through lookup_name() to avoid problems we had with 'winbind use
1163 * default domain'.
1164 *
1165 * We have 3 cases:
1166 *
1167 * unmapped unix users: Go directly to nss to find the user's group.
1168 *
1169 * A passdb user: The list of groups is provided by pdb_enum_group_memberships.
1170 *
1171 * If the user is provided by winbind, the primary gid is set to "domain
1172 * users" of the user's domain. For an explanation why this is necessary, see
1173 * the thread starting at
1174 * http://lists.samba.org/archive/samba-technical/2006-January/044803.html.
1175 */
1176
1177 NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
1178 bool is_guest,
1179 uid_t *uid, gid_t *gid,
1180 char **found_username,
1181 struct security_token **token)
1182 {
1183 NTSTATUS result = NT_STATUS_NO_SUCH_USER;
1184 TALLOC_CTX *tmp_ctx = talloc_stackframe();
1185 struct dom_sid user_sid;
1186 enum lsa_SidType type;
1187
1188 if (!lookup_name_smbconf(tmp_ctx, username, LOOKUP_NAME_ALL,
1189 NULL, NULL, &user_sid, &type)) {
1190 DEBUG(1, ("lookup_name_smbconf for %s failed\n", username));
1191 goto done;
1192 }
1193
1194 if (type != SID_NAME_USER) {
1195 DEBUG(1, ("%s is a %s, not a user\n", username,
1196 sid_type_lookup(type)));
1197 goto done;
1198 }
1199
1200 result = create_token_from_sid(mem_ctx, &user_sid, is_guest, uid, gid, found_username, token);
1201
1202 if (!NT_STATUS_IS_OK(result)) {
1203 goto done;
1204 }
1205
1206 /*
1207 * If result == NT_STATUS_OK then
1208 * we know we have a valid token. Ensure
1209 * we also have a valid username to match.
1210 */
1211
1212 if (*found_username == NULL) {
1213 *found_username = talloc_strdup(mem_ctx, username);
1214 if (*found_username == NULL) {
1215 result = NT_STATUS_NO_MEMORY;
1216 }
1217 }
1218
1219 done:
1220 TALLOC_FREE(tmp_ctx);
1221 return result;
1222 }
1223
1224 /***************************************************************************
1225 Build upon create_token_from_sid:
1226
1227 Expensive helper function to figure out whether a user given its sid is
1228 member of a particular group.
1229 ***************************************************************************/
1230
1231 bool user_sid_in_group_sid(const struct dom_sid *sid, const struct dom_sid *group_sid)
1232 {
1233 NTSTATUS status;
1234 uid_t uid;
1235 gid_t gid;
1236 char *found_username;
1237 struct security_token *token;
1238 bool result = false;
1239 enum lsa_SidType type;
1240 TALLOC_CTX *mem_ctx = talloc_stackframe();
1241 struct dom_sid_buf buf;
1242
1243 if (!lookup_sid(mem_ctx, sid,
1244 NULL, NULL, &type)) {
1245 DEBUG(1, ("lookup_sid for %s failed\n",
1246 dom_sid_str_buf(sid, &buf)));
1247 goto done;
1248 }
1249
1250 if (type != SID_NAME_USER) {
1251 DEBUG(5, ("%s is a %s, not a user\n",
1252 dom_sid_str_buf(sid, &buf),
1253 sid_type_lookup(type)));
1254 goto done;
1255 }
1256
1257 status = create_token_from_sid(mem_ctx, sid, False,
1258 &uid, &gid, &found_username,
1259 &token);
1260
1261 if (!NT_STATUS_IS_OK(status)) {
1262 DEBUG(10, ("could not create token for %s\n",
1263 dom_sid_str_buf(sid, &buf)));
1264 goto done;
1265 }
1266
1267 result = security_token_has_sid(token, group_sid);
1268
1269 done:
1270 TALLOC_FREE(mem_ctx);
1271 return result;
1272 }
1273
1274 /***************************************************************************
1275 Build upon create_token_from_username:
1276
1277 Expensive helper function to figure out whether a user given its name is
1278 member of a particular group.
1279 ***************************************************************************/
1280
1281 bool user_in_group_sid(const char *username, const struct dom_sid *group_sid)
1282 {
1283 NTSTATUS status;
1284 uid_t uid;
1285 gid_t gid;
1286 char *found_username;
1287 struct security_token *token;
1288 bool result;
1289 TALLOC_CTX *mem_ctx = talloc_stackframe();
1290
1291 status = create_token_from_username(mem_ctx, username, False,
1292 &uid, &gid, &found_username,
1293 &token);
1294
1295 if (!NT_STATUS_IS_OK(status)) {
1296 DEBUG(10, ("could not create token for %s\n", username));
1297 TALLOC_FREE(mem_ctx);
1298 return False;
1299 }
1300
1301 result = security_token_has_sid(token, group_sid);
1302
1303 TALLOC_FREE(mem_ctx);
1304 return result;
1305 }
1306
1307 bool user_in_group(const char *username, const char *groupname)
1308 {
1309 TALLOC_CTX *mem_ctx = talloc_stackframe();
1310 struct dom_sid group_sid;
1311 bool ret;
1312
1313 ret = lookup_name(mem_ctx, groupname, LOOKUP_NAME_ALL,
1314 NULL, NULL, &group_sid, NULL);
1315 TALLOC_FREE(mem_ctx);
1316
1317 if (!ret) {
1318 DEBUG(10, ("lookup_name for (%s) failed.\n", groupname));
1319 return False;
1320 }
1321
1322 return user_in_group_sid(username, &group_sid);
1323 }
1324
1325 /* END */
Samba GIT mirror