2 * Unix SMB/CIFS implementation.
3 * Authentication utility functions
4 * Copyright (C) Andrew Tridgell 1992-1998
5 * Copyright (C) Andrew Bartlett 2001
6 * Copyright (C) Jeremy Allison 2000-2001
7 * Copyright (C) Rafal Szczesniak 2002
8 * Copyright (C) Volker Lendecke 2006
9 * Copyright (C) Michael Adam 2007
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 3 of the License, or
14 * (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, see <http://www.gnu.org/licenses/>.
25 /* functions moved from auth/auth_util.c to minimize linker deps */
28 #include "lib/util_unixsids.h"
29 #include "system/passwd.h"
32 #include "../lib/util/memcache.h"
33 #include "../librpc/gen_ndr/netlogon.h"
34 #include "../libcli/security/security.h"
35 #include "../lib/util/util_pw.h"
37 #include "lib/privileges.h"
39 /****************************************************************************
40 Check for a SID in an struct security_token
41 ****************************************************************************/
43 bool nt_token_check_sid ( const struct dom_sid
*sid
, const struct security_token
*token
)
48 return security_token_has_sid(token
, sid
);
51 bool nt_token_check_domain_rid( struct security_token
*token
, uint32_t rid
)
53 struct dom_sid domain_sid
;
55 /* if we are a domain member, the get the domain SID, else for
56 a DC or standalone server, use our own SID */
58 if ( lp_server_role() == ROLE_DOMAIN_MEMBER
) {
59 if ( !secrets_fetch_domain_sid( lp_workgroup(),
61 DEBUG(1,("nt_token_check_domain_rid: Cannot lookup "
62 "SID for domain [%s]\n", lp_workgroup()));
67 sid_copy( &domain_sid
, get_global_sam_sid() );
69 sid_append_rid( &domain_sid
, rid
);
71 return nt_token_check_sid( &domain_sid
, token
);\
74 /******************************************************************************
75 Create a token for the root user to be used internally by smbd.
76 This is similar to running under the context of the LOCAL_SYSTEM account
77 in Windows. This is a read-only token. Do not modify it or free() it.
78 Create a copy if you need to change it.
79 ******************************************************************************/
81 NTSTATUS
get_root_nt_token( struct security_token
**token
)
83 struct security_token
*for_cache
;
84 struct dom_sid u_sid
, g_sid
;
87 NTSTATUS status
= NT_STATUS_OK
;
89 cache_data
= memcache_lookup_talloc(
90 NULL
, SINGLETON_CACHE_TALLOC
,
91 data_blob_string_const_null("root_nt_token"));
93 if (cache_data
!= NULL
) {
94 *token
= talloc_get_type_abort(
95 cache_data
, struct security_token
);
99 if ( !(pw
= getpwuid(0)) ) {
100 if ( !(pw
= getpwnam("root")) ) {
101 DBG_ERR("get_root_nt_token: both getpwuid(0) "
102 "and getpwnam(\"root\") failed!\n");
103 return NT_STATUS_NO_SUCH_USER
;
107 /* get the user and primary group SIDs; although the
108 BUILTIN\Administrators SId is really the one that matters here */
110 uid_to_sid(&u_sid
, pw
->pw_uid
);
111 gid_to_sid(&g_sid
, pw
->pw_gid
);
113 status
= create_local_nt_token(talloc_tos(), &u_sid
, False
,
114 1, &global_sid_Builtin_Administrators
, token
);
115 if (!NT_STATUS_IS_OK(status
)) {
119 security_token_set_privilege(*token
, SEC_PRIV_DISK_OPERATOR
);
124 NULL
, SINGLETON_CACHE_TALLOC
,
125 data_blob_string_const_null("root_nt_token"), &for_cache
);
132 * Add alias SIDs from memberships within the partially created token SID list
135 NTSTATUS
add_aliases(const struct dom_sid
*domain_sid
,
136 struct security_token
*token
)
139 size_t i
, num_aliases
;
143 if (!(tmp_ctx
= talloc_init("add_aliases"))) {
144 return NT_STATUS_NO_MEMORY
;
150 status
= pdb_enum_alias_memberships(tmp_ctx
, domain_sid
,
153 &aliases
, &num_aliases
);
155 if (!NT_STATUS_IS_OK(status
)) {
156 DEBUG(10, ("pdb_enum_alias_memberships failed: %s\n",
161 for (i
=0; i
<num_aliases
; i
++) {
162 struct dom_sid alias_sid
;
163 sid_compose(&alias_sid
, domain_sid
, aliases
[i
]);
164 status
= add_sid_to_array_unique(token
, &alias_sid
,
167 if (!NT_STATUS_IS_OK(status
)) {
168 DEBUG(0, ("add_sid_to_array failed\n"));
174 TALLOC_FREE(tmp_ctx
);
178 /*******************************************************************
179 *******************************************************************/
181 static NTSTATUS
add_builtin_administrators(struct security_token
*token
,
182 const struct dom_sid
*dom_sid
)
184 struct dom_sid domadm
;
187 /* nothing to do if we aren't in a domain */
189 if ( !(IS_DC
|| lp_server_role()==ROLE_DOMAIN_MEMBER
) ) {
193 /* Find the Domain Admins SID */
196 sid_copy( &domadm
, get_global_sam_sid() );
198 if (dom_sid
== NULL
) {
199 return NT_STATUS_INVALID_PARAMETER_MIX
;
201 sid_copy(&domadm
, dom_sid
);
203 sid_append_rid( &domadm
, DOMAIN_RID_ADMINS
);
205 /* Add Administrators if the user beloongs to Domain Admins */
207 if ( nt_token_check_sid( &domadm
, token
) ) {
208 status
= add_sid_to_array(token
,
209 &global_sid_Builtin_Administrators
,
210 &token
->sids
, &token
->num_sids
);
211 if (!NT_STATUS_IS_OK(status
)) {
219 static NTSTATUS
add_builtin_guests(struct security_token
*token
,
220 const struct dom_sid
*dom_sid
)
222 struct dom_sid tmp_sid
;
226 * First check the local GUEST account.
228 sid_compose(&tmp_sid
, get_global_sam_sid(), DOMAIN_RID_GUEST
);
230 if (nt_token_check_sid(&tmp_sid
, token
)) {
231 status
= add_sid_to_array_unique(token
,
232 &global_sid_Builtin_Guests
,
233 &token
->sids
, &token
->num_sids
);
234 if (!NT_STATUS_IS_OK(status
)) {
242 * First check the local GUESTS group.
244 sid_compose(&tmp_sid
, get_global_sam_sid(), DOMAIN_RID_GUESTS
);
246 if (nt_token_check_sid(&tmp_sid
, token
)) {
247 status
= add_sid_to_array_unique(token
,
248 &global_sid_Builtin_Guests
,
249 &token
->sids
, &token
->num_sids
);
250 if (!NT_STATUS_IS_OK(status
)) {
257 if (lp_server_role() != ROLE_DOMAIN_MEMBER
) {
261 if (dom_sid
== NULL
) {
262 return NT_STATUS_INVALID_PARAMETER_MIX
;
266 * First check the domain GUESTS group.
268 sid_copy(&tmp_sid
, dom_sid
);
269 sid_append_rid(&tmp_sid
, DOMAIN_RID_GUESTS
);
271 if (nt_token_check_sid(&tmp_sid
, token
)) {
272 status
= add_sid_to_array_unique(token
,
273 &global_sid_Builtin_Guests
,
274 &token
->sids
, &token
->num_sids
);
275 if (!NT_STATUS_IS_OK(status
)) {
285 static NTSTATUS
add_local_groups(struct security_token
*result
,
288 NTSTATUS
get_user_sid_info3_and_extra(const struct netr_SamInfo3
*info3
,
289 const struct extra_auth_info
*extra
,
293 if (info3
->base
.rid
== (uint32_t)(-1)) {
294 /* this is a signal the user was fake and generated,
295 * the actual SID we want to use is stored in the extra
297 if (is_null_sid(&extra
->user_sid
)) {
298 /* we couldn't find the user sid, bail out */
299 DEBUG(3, ("Invalid user SID\n"));
300 return NT_STATUS_UNSUCCESSFUL
;
302 sid_copy(sid
, &extra
->user_sid
);
304 sid_copy(sid
, info3
->base
.domain_sid
);
305 sid_append_rid(sid
, info3
->base
.rid
);
310 static struct security_token
*init_local_nt_token(TALLOC_CTX
*mem_ctx
)
313 * We do not have a method to populate the claims into this
314 * buffer in the source3/ stack. When that changes, we will
315 * instead this optional based on lp_acl_claims_evaluation()
318 struct security_token
*result
319 = security_token_initialise(mem_ctx
,
320 CLAIMS_EVALUATION_NEVER
);
322 if (result
== NULL
) {
323 DBG_ERR("talloc failed for security_token\n");
330 NTSTATUS
create_local_nt_token_from_info3(TALLOC_CTX
*mem_ctx
,
332 const struct netr_SamInfo3
*info3
,
333 const struct extra_auth_info
*extra
,
334 struct security_token
**ntok
)
336 struct security_token
*usrtok
= NULL
;
337 uint32_t session_info_flags
= 0;
341 DEBUG(10, ("Create local NT token for %s\n",
342 info3
->base
.account_name
.string
));
344 usrtok
= init_local_nt_token(mem_ctx
);
346 return NT_STATUS_NO_MEMORY
;
349 /* Add the user and primary group sid FIRST */
350 /* check if the user rid is the special "Domain Guests" rid.
351 * If so pick the first sid for the extra sids instead as it
352 * is a local fake account */
353 usrtok
->sids
= talloc_array(usrtok
, struct dom_sid
, 2);
356 return NT_STATUS_NO_MEMORY
;
358 usrtok
->num_sids
= 2;
360 status
= get_user_sid_info3_and_extra(info3
, extra
, &usrtok
->sids
[0]);
361 if (!NT_STATUS_IS_OK(status
)) {
367 if (info3
->base
.primary_gid
== (uint32_t)(-1)) {
368 /* this is a signal the user was fake and generated,
369 * the actual SID we want to use is stored in the extra
371 if (is_null_sid(&extra
->pgid_sid
)) {
372 /* we couldn't find the user sid, bail out */
373 DEBUG(3, ("Invalid group SID\n"));
375 return NT_STATUS_UNSUCCESSFUL
;
377 sid_copy(&usrtok
->sids
[1], &extra
->pgid_sid
);
379 sid_copy(&usrtok
->sids
[1], info3
->base
.domain_sid
);
380 sid_append_rid(&usrtok
->sids
[1],
381 info3
->base
.primary_gid
);
384 /* Now the SIDs we got from authentication. These are the ones from
385 * the info3 struct or from the pdb_enum_group_memberships, depending
386 * on who authenticated the user.
387 * Note that we start the for loop at "1" here, we already added the
388 * first group sid as primary above. */
390 for (i
= 0; i
< info3
->base
.groups
.count
; i
++) {
391 struct dom_sid tmp_sid
;
393 sid_copy(&tmp_sid
, info3
->base
.domain_sid
);
394 sid_append_rid(&tmp_sid
, info3
->base
.groups
.rids
[i
].rid
);
396 status
= add_sid_to_array_unique(usrtok
, &tmp_sid
,
399 if (!NT_STATUS_IS_OK(status
)) {
400 DEBUG(3, ("Failed to add SID to nt token\n"));
406 /* now also add extra sids if they are not the special user/group
408 for (i
= 0; i
< info3
->sidcount
; i
++) {
409 status
= add_sid_to_array_unique(usrtok
,
413 if (!NT_STATUS_IS_OK(status
)) {
414 DEBUG(3, ("Failed to add SID to nt token\n"));
420 status
= add_local_groups(usrtok
, is_guest
);
421 if (!NT_STATUS_IS_OK(status
)) {
422 DEBUG(3, ("Failed to add local groups\n"));
427 session_info_flags
|= AUTH_SESSION_INFO_DEFAULT_GROUPS
;
429 session_info_flags
|= AUTH_SESSION_INFO_AUTHENTICATED
;
432 status
= finalize_local_nt_token(usrtok
, session_info_flags
);
433 if (!NT_STATUS_IS_OK(status
)) {
434 DEBUG(3, ("Failed to finalize nt token\n"));
443 /*******************************************************************
444 Create a NT token for the user, expanding local aliases
445 *******************************************************************/
447 NTSTATUS
create_local_nt_token(TALLOC_CTX
*mem_ctx
,
448 const struct dom_sid
*user_sid
,
451 const struct dom_sid
*groupsids
,
452 struct security_token
**token
)
454 struct security_token
*result
= NULL
;
457 uint32_t session_info_flags
= 0;
458 struct dom_sid_buf buf
;
460 DEBUG(10, ("Create local NT token for %s\n",
461 dom_sid_str_buf(user_sid
, &buf
)));
463 result
= init_local_nt_token(mem_ctx
);
464 if (result
== NULL
) {
465 status
= NT_STATUS_NO_MEMORY
;
469 /* Add the user and primary group sid */
471 status
= add_sid_to_array(result
, user_sid
,
472 &result
->sids
, &result
->num_sids
);
473 if (!NT_STATUS_IS_OK(status
)) {
477 /* For guest, num_groupsids may be zero. */
479 status
= add_sid_to_array(result
, &groupsids
[0],
482 if (!NT_STATUS_IS_OK(status
)) {
487 /* Now the SIDs we got from authentication. These are the ones from
488 * the info3 struct or from the pdb_enum_group_memberships, depending
489 * on who authenticated the user.
490 * Note that we start the for loop at "1" here, we already added the
491 * first group sid as primary above. */
493 for (i
=1; i
<num_groupsids
; i
++) {
494 status
= add_sid_to_array_unique(result
, &groupsids
[i
],
497 if (!NT_STATUS_IS_OK(status
)) {
502 status
= add_local_groups(result
, is_guest
);
503 if (!NT_STATUS_IS_OK(status
)) {
507 session_info_flags
|= AUTH_SESSION_INFO_DEFAULT_GROUPS
;
509 session_info_flags
|= AUTH_SESSION_INFO_AUTHENTICATED
;
512 status
= finalize_local_nt_token(result
, session_info_flags
);
513 if (!NT_STATUS_IS_OK(status
)) {
519 * It's ugly, but for now it's
520 * needed to add Builtin_Guests
521 * here, the "local" token only
522 * consist of S-1-22-* SIDs
523 * and finalize_local_nt_token()
524 * doesn't have the chance to
525 * to detect it need to
526 * add Builtin_Guests via
527 * add_builtin_guests().
529 status
= add_sid_to_array_unique(result
,
530 &global_sid_Builtin_Guests
,
533 if (!NT_STATUS_IS_OK(status
)) {
534 DEBUG(3, ("Failed to add SID to nt token\n"));
540 return NT_STATUS_SUCCESS
;
547 /***************************************************
548 Merge in any groups from /etc/group.
549 ***************************************************/
551 static NTSTATUS
add_local_groups(struct security_token
*result
,
555 uint32_t getgroups_num_group_sids
= 0;
556 struct passwd
*pass
= NULL
;
557 TALLOC_CTX
*tmp_ctx
= talloc_stackframe();
562 * Guest is a special case. It's always
563 * a user that can be looked up, but
564 * result->sids[0] is set to DOMAIN\Guest.
565 * Lookup by account name instead.
567 pass
= Get_Pwnam_alloc(tmp_ctx
, lp_guest_account());
571 /* For non-guest result->sids[0] is always the user sid. */
572 if (!sid_to_uid(&result
->sids
[0], &uid
)) {
574 * Non-mappable SID like SYSTEM.
575 * Can't be in any /etc/group groups.
577 TALLOC_FREE(tmp_ctx
);
581 pass
= getpwuid_alloc(tmp_ctx
, uid
);
583 struct dom_sid_buf buf
;
584 DBG_ERR("SID %s -> getpwuid(%u) failed, is nsswitch configured?\n",
585 dom_sid_str_buf(&result
->sids
[0], &buf
),
587 TALLOC_FREE(tmp_ctx
);
588 return NT_STATUS_NO_SUCH_USER
;
593 TALLOC_FREE(tmp_ctx
);
594 return NT_STATUS_UNSUCCESSFUL
;
598 * Now we must get any groups this user has been
599 * added to in /etc/group and merge them in.
600 * This has to be done in every code path
601 * that creates an NT token, as remote users
602 * may have been added to the local /etc/group
603 * database. Tokens created merely from the
604 * info3 structs (via the DC or via the krb5 PAC)
605 * won't have these local groups. Note the
606 * groups added here will only be UNIX groups
607 * (S-1-22-2-XXXX groups) as getgroups_unix_user()
608 * turns off winbindd before calling getgroups().
610 * NB. This is duplicating work already
611 * done in the 'unix_user:' case of
612 * create_token_from_sid() but won't
613 * do anything other than be inefficient
617 if (!getgroups_unix_user(tmp_ctx
, pass
->pw_name
, pass
->pw_gid
,
618 &gids
, &getgroups_num_group_sids
)) {
619 DEBUG(1, ("getgroups_unix_user for user %s failed\n",
621 TALLOC_FREE(tmp_ctx
);
622 return NT_STATUS_UNSUCCESSFUL
;
625 for (i
=0; i
<getgroups_num_group_sids
; i
++) {
627 struct dom_sid grp_sid
;
628 gid_to_sid(&grp_sid
, gids
[i
]);
630 status
= add_sid_to_array_unique(result
,
634 if (!NT_STATUS_IS_OK(status
)) {
635 DEBUG(3, ("Failed to add UNIX SID to nt token\n"));
636 TALLOC_FREE(tmp_ctx
);
640 TALLOC_FREE(tmp_ctx
);
644 NTSTATUS
finalize_local_nt_token(struct security_token
*result
,
645 uint32_t session_info_flags
)
647 struct dom_sid _dom_sid
= { 0, };
648 struct dom_sid
*domain_sid
= NULL
;
650 struct acct_info
*info
;
653 result
->privilege_mask
= 0;
654 result
->rights_mask
= 0;
656 if (result
->num_sids
== 0) {
657 return NT_STATUS_INVALID_TOKEN
;
660 if (session_info_flags
& AUTH_SESSION_INFO_DEFAULT_GROUPS
) {
661 status
= add_sid_to_array(result
, &global_sid_World
,
662 &result
->sids
, &result
->num_sids
);
663 if (!NT_STATUS_IS_OK(status
)) {
666 status
= add_sid_to_array(result
, &global_sid_Network
,
667 &result
->sids
, &result
->num_sids
);
668 if (!NT_STATUS_IS_OK(status
)) {
674 * Don't expand nested groups of system, anonymous etc
676 * Note that they still get SID_WORLD and SID_NETWORK
677 * for now in order let existing tests pass.
679 * But SYSTEM doesn't get AUTHENTICATED_USERS
680 * and ANONYMOUS doesn't get BUILTIN GUESTS anymore.
682 if (security_token_is_anonymous(result
)) {
685 if (security_token_is_system(result
)) {
686 result
->privilege_mask
= ~0;
690 if (session_info_flags
& AUTH_SESSION_INFO_AUTHENTICATED
) {
691 status
= add_sid_to_array(result
,
692 &global_sid_Authenticated_Users
,
695 if (!NT_STATUS_IS_OK(status
)) {
700 /* Add in BUILTIN sids */
703 ok
= secrets_fetch_domain_sid(lp_workgroup(), &_dom_sid
);
705 domain_sid
= &_dom_sid
;
707 DEBUG(3, ("Failed to fetch domain sid for %s\n",
712 info
= talloc_zero(talloc_tos(), struct acct_info
);
714 DEBUG(0, ("talloc failed!\n"));
715 return NT_STATUS_NO_MEMORY
;
718 /* Deal with the BUILTIN\Administrators group. If the SID can
719 be resolved then assume that the add_aliasmem( S-1-5-32 )
722 status
= pdb_get_aliasinfo(&global_sid_Builtin_Administrators
, info
);
723 if (!NT_STATUS_IS_OK(status
)) {
726 status
= create_builtin_administrators(domain_sid
);
729 if (NT_STATUS_EQUAL(status
, NT_STATUS_PROTOCOL_UNREACHABLE
)) {
730 /* Add BUILTIN\Administrators directly to token. */
731 status
= add_builtin_administrators(result
, domain_sid
);
732 if ( !NT_STATUS_IS_OK(status
) ) {
733 DEBUG(3, ("Failed to check for local "
734 "Administrators membership (%s)\n",
737 } else if (!NT_STATUS_IS_OK(status
)) {
738 DEBUG(2, ("WARNING: Failed to create "
739 "BUILTIN\\Administrators group! Can "
740 "Winbind allocate gids?\n"));
744 /* Deal with the BUILTIN\Users group. If the SID can
745 be resolved then assume that the add_aliasmem( S-1-5-32 )
748 status
= pdb_get_aliasinfo(&global_sid_Builtin_Users
, info
);
749 if (!NT_STATUS_IS_OK(status
)) {
752 status
= create_builtin_users(domain_sid
);
755 if (!NT_STATUS_EQUAL(status
, NT_STATUS_PROTOCOL_UNREACHABLE
) &&
756 !NT_STATUS_IS_OK(status
))
758 DEBUG(2, ("WARNING: Failed to create BUILTIN\\Users group! "
759 "Can Winbind allocate gids?\n"));
764 * Deal with the BUILTIN\Guests group. If the SID can
765 * be resolved then assume that the add_aliasmem( S-1-5-32 )
768 status
= pdb_get_aliasinfo(&global_sid_Builtin_Guests
, info
);
769 if (!NT_STATUS_IS_OK(status
)) {
772 status
= create_builtin_guests(domain_sid
);
776 * NT_STATUS_PROTOCOL_UNREACHABLE:
777 * => winbindd is not running.
779 * NT_STATUS_ACCESS_DENIED:
780 * => no idmap config at all
781 * and wbint_AllocateGid()/winbind_allocate_gid()
784 * NT_STATUS_NO_SUCH_GROUP:
785 * => no idmap config at all and
786 * "tdbsam:map builtin = no" means
787 * wbint_Sids2UnixIDs() fails.
789 if (NT_STATUS_EQUAL(status
, NT_STATUS_PROTOCOL_UNREACHABLE
) ||
790 NT_STATUS_EQUAL(status
, NT_STATUS_ACCESS_DENIED
) ||
791 NT_STATUS_EQUAL(status
, NT_STATUS_NO_SUCH_GROUP
)) {
793 * Add BUILTIN\Guests directly to token.
794 * But only if the token already indicates
795 * real guest access by:
796 * - local GUEST account
797 * - local GUESTS group
798 * - domain GUESTS group
800 * Even if a user was authenticated, it
801 * can be member of a guest related group.
803 status
= add_builtin_guests(result
, domain_sid
);
804 if (!NT_STATUS_IS_OK(status
)) {
805 DEBUG(3, ("Failed to check for local "
806 "Guests membership (%s)\n",
809 * This is a hard error.
813 } else if (!NT_STATUS_IS_OK(status
)) {
814 DEBUG(2, ("Failed to create "
815 "BUILTIN\\Guests group %s! Can "
816 "Winbind allocate gids?\n",
819 * This is a hard error.
827 /* Deal with local groups */
829 if (lp_winbind_nested_groups()) {
833 /* Now add the aliases. First the one from our local SAM */
835 status
= add_aliases(get_global_sam_sid(), result
);
837 if (!NT_STATUS_IS_OK(status
)) {
842 /* Finally the builtin ones */
844 status
= add_aliases(&global_sid_Builtin
, result
);
846 if (!NT_STATUS_IS_OK(status
)) {
854 if (session_info_flags
& AUTH_SESSION_INFO_NTLM
) {
855 struct dom_sid tmp_sid
= { 0, };
857 ok
= dom_sid_parse(SID_NT_NTLM_AUTHENTICATION
, &tmp_sid
);
859 return NT_STATUS_NO_MEMORY
;
862 status
= add_sid_to_array(result
,
866 if (!NT_STATUS_IS_OK(status
)) {
871 if (session_info_flags
& AUTH_SESSION_INFO_SIMPLE_PRIVILEGES
) {
872 if (security_token_has_builtin_administrators(result
)) {
873 result
->privilege_mask
= ~0;
876 /* Add privileges based on current user sids */
877 get_privileges_for_sids(&result
->privilege_mask
, result
->sids
,
884 /****************************************************************************
885 prints a UNIX 'token' to debug output.
886 ****************************************************************************/
888 void debug_unix_user_token(int dbg_class
, int dbg_lev
, uid_t uid
, gid_t gid
,
889 int n_groups
, gid_t
*groups
)
892 DEBUGC(dbg_class
, dbg_lev
,
893 ("UNIX token of user %ld\n", (long int)uid
));
895 DEBUGADDC(dbg_class
, dbg_lev
,
896 ("Primary group is %ld and contains %i supplementary "
897 "groups\n", (long int)gid
, n_groups
));
898 for (i
= 0; i
< n_groups
; i
++)
899 DEBUGADDC(dbg_class
, dbg_lev
, ("Group[%3i]: %ld\n", i
,
900 (long int)groups
[i
]));
904 * Create an artificial NT token given just a domain SID.
908 * unmapped unix users: Go directly to nss to find the user's group.
910 * A passdb user: The list of groups is provided by pdb_enum_group_memberships.
912 * If the user is provided by winbind, the primary gid is set to "domain
913 * users" of the user's domain. For an explanation why this is necessary, see
914 * the thread starting at
915 * http://lists.samba.org/archive/samba-technical/2006-January/044803.html.
918 static NTSTATUS
create_token_from_sid(TALLOC_CTX
*mem_ctx
,
919 const struct dom_sid
*user_sid
,
921 uid_t
*uid
, gid_t
*gid
,
922 char **found_username
,
923 struct security_token
**token
)
925 NTSTATUS result
= NT_STATUS_NO_SUCH_USER
;
926 TALLOC_CTX
*tmp_ctx
= talloc_stackframe();
928 struct dom_sid
*group_sids
;
929 struct dom_sid tmp_sid
;
930 uint32_t num_group_sids
;
935 struct dom_sid_buf buf
;
937 if (sid_check_is_in_our_sam(user_sid
)) {
939 uint32_t pdb_num_group_sids
;
940 /* This is a passdb user, so ask passdb */
942 struct samu
*sam_acct
= NULL
;
944 if ( !(sam_acct
= samu_new( tmp_ctx
)) ) {
945 result
= NT_STATUS_NO_MEMORY
;
950 ret
= pdb_getsampwsid(sam_acct
, user_sid
);
954 DEBUG(1, ("pdb_getsampwsid(%s) failed\n",
955 dom_sid_str_buf(user_sid
, &buf
)));
956 DEBUGADD(1, ("Fall back to unix user\n"));
960 result
= pdb_enum_group_memberships(tmp_ctx
, sam_acct
,
962 &pdb_num_group_sids
);
963 if (!NT_STATUS_IS_OK(result
)) {
964 DEBUG(1, ("enum_group_memberships failed for %s: "
966 dom_sid_str_buf(user_sid
, &buf
),
968 DEBUGADD(1, ("Fall back to unix uid lookup\n"));
971 num_group_sids
= pdb_num_group_sids
;
973 /* see the smb_panic() in pdb_default_enum_group_memberships */
974 SMB_ASSERT(num_group_sids
> 0);
976 /* Ensure we're returning the found_username on the right context. */
977 *found_username
= talloc_strdup(mem_ctx
,
978 pdb_get_username(sam_acct
));
980 if (*found_username
== NULL
) {
981 result
= NT_STATUS_NO_MEMORY
;
986 * If the SID from lookup_name() was the guest sid, passdb knows
987 * about the mapping of guest sid to lp_guest_account()
988 * username and will return the unix_pw info for a guest
989 * user. Use it if it's there, else lookup the *uid details
990 * using Get_Pwnam_alloc(). See bug #6291 for details. JRA.
993 /* We must always assign the *uid. */
994 if (sam_acct
->unix_pw
== NULL
) {
995 struct passwd
*pwd
= Get_Pwnam_alloc(sam_acct
, *found_username
);
997 DEBUG(10, ("Get_Pwnam_alloc failed for %s\n",
999 result
= NT_STATUS_NO_SUCH_USER
;
1002 result
= samu_set_unix(sam_acct
, pwd
);
1003 if (!NT_STATUS_IS_OK(result
)) {
1004 DEBUG(10, ("samu_set_unix failed for %s\n",
1006 result
= NT_STATUS_NO_SUCH_USER
;
1010 *uid
= sam_acct
->unix_pw
->pw_uid
;
1012 } else if (sid_check_is_in_unix_users(user_sid
)) {
1013 uint32_t getgroups_num_group_sids
;
1014 /* This is a unix user not in passdb. We need to ask nss
1015 * directly, without consulting passdb */
1017 struct passwd
*pass
;
1020 * This goto target is used as a fallback for the passdb
1021 * case. The concrete bug report is when passdb gave us an
1027 if (!sid_to_uid(user_sid
, uid
)) {
1028 DEBUG(1, ("unix_user case, sid_to_uid for %s failed\n",
1029 dom_sid_str_buf(user_sid
, &buf
)));
1030 result
= NT_STATUS_NO_SUCH_USER
;
1034 uid_to_unix_users_sid(*uid
, &tmp_sid
);
1035 user_sid
= &tmp_sid
;
1037 pass
= getpwuid_alloc(tmp_ctx
, *uid
);
1039 DEBUG(1, ("getpwuid(%u) failed\n",
1040 (unsigned int)*uid
));
1044 if (!getgroups_unix_user(tmp_ctx
, pass
->pw_name
, pass
->pw_gid
,
1045 &gids
, &getgroups_num_group_sids
)) {
1046 DEBUG(1, ("getgroups_unix_user for user %s failed\n",
1050 num_group_sids
= getgroups_num_group_sids
;
1052 group_sids
= talloc_array(tmp_ctx
, struct dom_sid
, num_group_sids
);
1053 if (group_sids
== NULL
) {
1054 DEBUG(1, ("talloc_array failed\n"));
1055 result
= NT_STATUS_NO_MEMORY
;
1059 for (i
=0; i
<num_group_sids
; i
++) {
1060 gid_to_sid(&group_sids
[i
], gids
[i
]);
1063 /* In getgroups_unix_user we always set the primary gid */
1064 SMB_ASSERT(num_group_sids
> 0);
1066 /* Ensure we're returning the found_username on the right context. */
1067 *found_username
= talloc_strdup(mem_ctx
, pass
->pw_name
);
1068 if (*found_username
== NULL
) {
1069 result
= NT_STATUS_NO_MEMORY
;
1074 /* This user is from winbind, force the primary gid to the
1075 * user's "domain users" group. Under certain circumstances
1076 * (user comes from NT4), this might be a loss of
1077 * information. But we can not rely on winbind getting the
1078 * correct info. AD might prohibit winbind looking up that
1081 /* We must always assign the *uid. */
1082 if (!sid_to_uid(user_sid
, uid
)) {
1083 DEBUG(1, ("winbindd case, sid_to_uid for %s failed\n",
1084 dom_sid_str_buf(user_sid
, &buf
)));
1085 result
= NT_STATUS_NO_SUCH_USER
;
1090 group_sids
= talloc_array(tmp_ctx
, struct dom_sid
, num_group_sids
);
1091 if (group_sids
== NULL
) {
1092 DEBUG(1, ("talloc_array failed\n"));
1093 result
= NT_STATUS_NO_MEMORY
;
1097 gids
= talloc_array(tmp_ctx
, gid_t
, num_group_sids
);
1099 result
= NT_STATUS_NO_MEMORY
;
1103 sid_copy(&group_sids
[0], user_sid
);
1104 sid_split_rid(&group_sids
[0], NULL
);
1105 sid_append_rid(&group_sids
[0], DOMAIN_RID_USERS
);
1107 if (!sid_to_gid(&group_sids
[0], &gids
[0])) {
1108 DEBUG(1, ("sid_to_gid(%s) failed\n",
1109 dom_sid_str_buf(&group_sids
[0], &buf
)));
1113 *found_username
= NULL
;
1118 /* Add the "Unix Group" SID for each gid to catch mapped groups
1119 and their Unix equivalent. This is to solve the backwards
1120 compatibility problem of 'valid users = +ntadmin' where
1121 ntadmin has been paired with "Domain Admins" in the group
1122 mapping table. Otherwise smb.conf would need to be changed
1123 to 'valid user = "Domain Admins"'. --jerry */
1125 num_gids
= num_group_sids
;
1126 range_ok
= lp_idmap_default_range(&low
, &high
);
1127 for ( i
=0; i
<num_gids
; i
++ ) {
1128 struct dom_sid unix_group_sid
;
1130 /* don't pickup anything managed by Winbind */
1131 if (range_ok
&& (gids
[i
] >= low
) && (gids
[i
] <= high
)) {
1135 gid_to_unix_groups_sid(gids
[i
], &unix_group_sid
);
1137 result
= add_sid_to_array_unique(tmp_ctx
, &unix_group_sid
,
1138 &group_sids
, &num_group_sids
);
1139 if (!NT_STATUS_IS_OK(result
)) {
1144 /* Ensure we're creating the nt_token on the right context. */
1145 result
= create_local_nt_token(mem_ctx
, user_sid
,
1146 is_guest
, num_group_sids
, group_sids
, token
);
1148 if (!NT_STATUS_IS_OK(result
)) {
1152 result
= NT_STATUS_OK
;
1154 TALLOC_FREE(tmp_ctx
);
1159 * Create an artificial NT token given just a username. (Initially intended
1162 * We go through lookup_name() to avoid problems we had with 'winbind use
1167 * unmapped unix users: Go directly to nss to find the user's group.
1169 * A passdb user: The list of groups is provided by pdb_enum_group_memberships.
1171 * If the user is provided by winbind, the primary gid is set to "domain
1172 * users" of the user's domain. For an explanation why this is necessary, see
1173 * the thread starting at
1174 * http://lists.samba.org/archive/samba-technical/2006-January/044803.html.
1177 NTSTATUS
create_token_from_username(TALLOC_CTX
*mem_ctx
, const char *username
,
1179 uid_t
*uid
, gid_t
*gid
,
1180 char **found_username
,
1181 struct security_token
**token
)
1183 NTSTATUS result
= NT_STATUS_NO_SUCH_USER
;
1184 TALLOC_CTX
*tmp_ctx
= talloc_stackframe();
1185 struct dom_sid user_sid
;
1186 enum lsa_SidType type
;
1188 if (!lookup_name_smbconf(tmp_ctx
, username
, LOOKUP_NAME_ALL
,
1189 NULL
, NULL
, &user_sid
, &type
)) {
1190 DEBUG(1, ("lookup_name_smbconf for %s failed\n", username
));
1194 if (type
!= SID_NAME_USER
) {
1195 DEBUG(1, ("%s is a %s, not a user\n", username
,
1196 sid_type_lookup(type
)));
1200 result
= create_token_from_sid(mem_ctx
, &user_sid
, is_guest
, uid
, gid
, found_username
, token
);
1202 if (!NT_STATUS_IS_OK(result
)) {
1207 * If result == NT_STATUS_OK then
1208 * we know we have a valid token. Ensure
1209 * we also have a valid username to match.
1212 if (*found_username
== NULL
) {
1213 *found_username
= talloc_strdup(mem_ctx
, username
);
1214 if (*found_username
== NULL
) {
1215 result
= NT_STATUS_NO_MEMORY
;
1220 TALLOC_FREE(tmp_ctx
);
1224 /***************************************************************************
1225 Build upon create_token_from_sid:
1227 Expensive helper function to figure out whether a user given its sid is
1228 member of a particular group.
1229 ***************************************************************************/
1231 bool user_sid_in_group_sid(const struct dom_sid
*sid
, const struct dom_sid
*group_sid
)
1236 char *found_username
;
1237 struct security_token
*token
;
1238 bool result
= false;
1239 enum lsa_SidType type
;
1240 TALLOC_CTX
*mem_ctx
= talloc_stackframe();
1241 struct dom_sid_buf buf
;
1243 if (!lookup_sid(mem_ctx
, sid
,
1244 NULL
, NULL
, &type
)) {
1245 DEBUG(1, ("lookup_sid for %s failed\n",
1246 dom_sid_str_buf(sid
, &buf
)));
1250 if (type
!= SID_NAME_USER
) {
1251 DEBUG(5, ("%s is a %s, not a user\n",
1252 dom_sid_str_buf(sid
, &buf
),
1253 sid_type_lookup(type
)));
1257 status
= create_token_from_sid(mem_ctx
, sid
, False
,
1258 &uid
, &gid
, &found_username
,
1261 if (!NT_STATUS_IS_OK(status
)) {
1262 DEBUG(10, ("could not create token for %s\n",
1263 dom_sid_str_buf(sid
, &buf
)));
1267 result
= security_token_has_sid(token
, group_sid
);
1270 TALLOC_FREE(mem_ctx
);
1274 /***************************************************************************
1275 Build upon create_token_from_username:
1277 Expensive helper function to figure out whether a user given its name is
1278 member of a particular group.
1279 ***************************************************************************/
1281 bool user_in_group_sid(const char *username
, const struct dom_sid
*group_sid
)
1286 char *found_username
;
1287 struct security_token
*token
;
1289 TALLOC_CTX
*mem_ctx
= talloc_stackframe();
1291 status
= create_token_from_username(mem_ctx
, username
, False
,
1292 &uid
, &gid
, &found_username
,
1295 if (!NT_STATUS_IS_OK(status
)) {
1296 DEBUG(10, ("could not create token for %s\n", username
));
1297 TALLOC_FREE(mem_ctx
);
1301 result
= security_token_has_sid(token
, group_sid
);
1303 TALLOC_FREE(mem_ctx
);
1307 bool user_in_group(const char *username
, const char *groupname
)
1309 TALLOC_CTX
*mem_ctx
= talloc_stackframe();
1310 struct dom_sid group_sid
;
1313 ret
= lookup_name(mem_ctx
, groupname
, LOOKUP_NAME_ALL
,
1314 NULL
, NULL
, &group_sid
, NULL
);
1315 TALLOC_FREE(mem_ctx
);
1318 DEBUG(10, ("lookup_name for (%s) failed.\n", groupname
));
1322 return user_in_group_sid(username
, &group_sid
);