search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
r23784: use the GPLv3 boilerplate as recommended by the FSF and the license text
[Samba/bb.git] / source / passdb / lookup_sid.c
blob313a8c0a8b1600ef60f2e9f3fba2f27c5da24a79
1 /*
2 Unix SMB/CIFS implementation.
3 uid/user handling
4 Copyright (C) Andrew Tridgell 1992-1998
5 Copyright (C) Gerald (Jerry) Carter 2003
6 Copyright (C) Volker Lendecke 2005
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23
24 /*****************************************************************
25 Dissect a user-provided name into domain, name, sid and type.
26
27 If an explicit domain name was given in the form domain\user, it
28 has to try that. If no explicit domain name was given, we have
29 to do guesswork.
30 *****************************************************************/
31
32 BOOL lookup_name(TALLOC_CTX *mem_ctx,
33 const char *full_name, int flags,
34 const char **ret_domain, const char **ret_name,
35 DOM_SID *ret_sid, enum lsa_SidType *ret_type)
36 {
37 char *p;
38 const char *tmp;
39 const char *domain = NULL;
40 const char *name = NULL;
41 uint32 rid;
42 DOM_SID sid;
43 enum lsa_SidType type;
44 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
45
46 if (tmp_ctx == NULL) {
47 DEBUG(0, ("talloc_new failed\n"));
48 return False;
49 }
50
51 p = strchr_m(full_name, '\\');
52
53 if (p != NULL) {
54 domain = talloc_strndup(tmp_ctx, full_name,
55 PTR_DIFF(p, full_name));
56 name = talloc_strdup(tmp_ctx, p+1);
57 } else {
58 domain = talloc_strdup(tmp_ctx, "");
59 name = talloc_strdup(tmp_ctx, full_name);
60 }
61
62 DEBUG(10,("lookup_name: %s => %s (domain), %s (name)\n",
63 full_name, domain, name));
64
65 if ((domain == NULL) || (name == NULL)) {
66 DEBUG(0, ("talloc failed\n"));
67 TALLOC_FREE(tmp_ctx);
68 return False;
69 }
70
71 if (strequal(domain, get_global_sam_name())) {
72
73 /* It's our own domain, lookup the name in passdb */
74 if (lookup_global_sam_name(name, flags, &rid, &type)) {
75 sid_copy(&sid, get_global_sam_sid());
76 sid_append_rid(&sid, rid);
77 goto ok;
78 }
79 TALLOC_FREE(tmp_ctx);
80 return False;
81 }
82
83 if (strequal(domain, builtin_domain_name())) {
84
85 /* Explicit request for a name in BUILTIN */
86 if (lookup_builtin_name(name, &rid)) {
87 sid_copy(&sid, &global_sid_Builtin);
88 sid_append_rid(&sid, rid);
89 type = SID_NAME_ALIAS;
90 goto ok;
91 }
92 TALLOC_FREE(tmp_ctx);
93 return False;
94 }
95
96 /* Try the explicit winbind lookup first, don't let it guess the
97 * domain yet at this point yet. This comes later. */
98
99 if ((domain[0] != '\0') &&
100 (winbind_lookup_name(domain, name, &sid, &type))) {
101 goto ok;
102 }
103
104 if (!(flags & LOOKUP_NAME_EXPLICIT) && strequal(domain, unix_users_domain_name())) {
105 if (lookup_unix_user_name(name, &sid)) {
106 type = SID_NAME_USER;
107 goto ok;
108 }
109 TALLOC_FREE(tmp_ctx);
110 return False;
111 }
112
113 if (!(flags & LOOKUP_NAME_EXPLICIT) && strequal(domain, unix_groups_domain_name())) {
114 if (lookup_unix_group_name(name, &sid)) {
115 type = SID_NAME_DOM_GRP;
116 goto ok;
117 }
118 TALLOC_FREE(tmp_ctx);
119 return False;
120 }
121
122 if ((domain[0] == '\0') && (!(flags & LOOKUP_NAME_ISOLATED))) {
123 TALLOC_FREE(tmp_ctx);
124 return False;
125 }
126
127 /* Now the guesswork begins, we haven't been given an explicit
128 * domain. Try the sequence as documented on
129 * http://msdn.microsoft.com/library/en-us/secmgmt/security/lsalookupnames.asp
130 * November 27, 2005 */
131
132 /* 1. well-known names */
133
134 if (lookup_wellknown_name(tmp_ctx, name, &sid, &domain)) {
135 type = SID_NAME_WKN_GRP;
136 goto ok;
137 }
138
139 /* 2. Builtin domain as such */
140
141 if (strequal(name, builtin_domain_name())) {
142 /* Swap domain and name */
143 tmp = name; name = domain; domain = tmp;
144 sid_copy(&sid, &global_sid_Builtin);
145 type = SID_NAME_DOMAIN;
146 goto ok;
147 }
148
149 /* 3. Account domain */
150
151 if (strequal(name, get_global_sam_name())) {
152 if (!secrets_fetch_domain_sid(name, &sid)) {
153 DEBUG(3, ("Could not fetch my SID\n"));
154 TALLOC_FREE(tmp_ctx);
155 return False;
156 }
157 /* Swap domain and name */
158 tmp = name; name = domain; domain = tmp;
159 type = SID_NAME_DOMAIN;
160 goto ok;
161 }
162
163 /* 4. Primary domain */
164
165 if (!IS_DC && strequal(name, lp_workgroup())) {
166 if (!secrets_fetch_domain_sid(name, &sid)) {
167 DEBUG(3, ("Could not fetch the domain SID\n"));
168 TALLOC_FREE(tmp_ctx);
169 return False;
170 }
171 /* Swap domain and name */
172 tmp = name; name = domain; domain = tmp;
173 type = SID_NAME_DOMAIN;
174 goto ok;
175 }
176
177 /* 5. Trusted domains as such, to me it looks as if members don't do
178 this, tested an XP workstation in a NT domain -- vl */
179
180 if (IS_DC && (pdb_get_trusteddom_pw(name, NULL, &sid, NULL))) {
181 /* Swap domain and name */
182 tmp = name; name = domain; domain = tmp;
183 type = SID_NAME_DOMAIN;
184 goto ok;
185 }
186
187 /* 6. Builtin aliases */
188
189 if (lookup_builtin_name(name, &rid)) {
190 domain = talloc_strdup(tmp_ctx, builtin_domain_name());
191 sid_copy(&sid, &global_sid_Builtin);
192 sid_append_rid(&sid, rid);
193 type = SID_NAME_ALIAS;
194 goto ok;
195 }
196
197 /* 7. Local systems' SAM (DCs don't have a local SAM) */
198 /* 8. Primary SAM (On members, this is the domain) */
199
200 /* Both cases are done by looking at our passdb */
201
202 if (lookup_global_sam_name(name, flags, &rid, &type)) {
203 domain = talloc_strdup(tmp_ctx, get_global_sam_name());
204 sid_copy(&sid, get_global_sam_sid());
205 sid_append_rid(&sid, rid);
206 goto ok;
207 }
208
209 /* Now our local possibilities are exhausted. */
210
211 if (!(flags & LOOKUP_NAME_REMOTE)) {
212 TALLOC_FREE(tmp_ctx);
213 return False;
214 }
215
216 /* If we are not a DC, we have to ask in our primary domain. Let
217 * winbind do that. */
218
219 if (!IS_DC &&
220 (winbind_lookup_name(lp_workgroup(), name, &sid, &type))) {
221 domain = talloc_strdup(tmp_ctx, lp_workgroup());
222 goto ok;
223 }
224
225 /* 9. Trusted domains */
226
227 /* If we're a DC we have to ask all trusted DC's. Winbind does not do
228 * that (yet), but give it a chance. */
229
230 if (IS_DC && winbind_lookup_name("", name, &sid, &type)) {
231 DOM_SID dom_sid;
232 uint32 tmp_rid;
233 enum lsa_SidType domain_type;
234
235 if (type == SID_NAME_DOMAIN) {
236 /* Swap name and type */
237 tmp = name; name = domain; domain = tmp;
238 goto ok;
239 }
240
241 /* Here we have to cope with a little deficiency in the
242 * winbind API: We have to ask it again for the name of the
243 * domain it figured out itself. Maybe fix that later... */
244
245 sid_copy(&dom_sid, &sid);
246 sid_split_rid(&dom_sid, &tmp_rid);
247
248 if (!winbind_lookup_sid(tmp_ctx, &dom_sid, &domain, NULL,
249 &domain_type) ||
250 (domain_type != SID_NAME_DOMAIN)) {
251 DEBUG(2, ("winbind could not find the domain's name "
252 "it just looked up for us\n"));
253 TALLOC_FREE(tmp_ctx);
254 return False;
255 }
256 goto ok;
257 }
258
259 /* 10. Don't translate */
260
261 /* 11. Ok, windows would end here. Samba has two more options:
262 Unmapped users and unmapped groups */
263
264 if (!(flags & LOOKUP_NAME_EXPLICIT) && lookup_unix_user_name(name, &sid)) {
265 domain = talloc_strdup(tmp_ctx, unix_users_domain_name());
266 type = SID_NAME_USER;
267 goto ok;
268 }
269
270 if (!(flags & LOOKUP_NAME_EXPLICIT) && lookup_unix_group_name(name, &sid)) {
271 domain = talloc_strdup(tmp_ctx, unix_groups_domain_name());
272 type = SID_NAME_DOM_GRP;
273 goto ok;
274 }
275
276 /*
277 * Ok, all possibilities tried. Fail.
278 */
279
280 TALLOC_FREE(tmp_ctx);
281 return False;
282
283 ok:
284 if ((domain == NULL) || (name == NULL)) {
285 DEBUG(0, ("talloc failed\n"));
286 TALLOC_FREE(tmp_ctx);
287 return False;
288 }
289
290 /*
291 * Hand over the results to the talloc context we've been given.
292 */
293
294 if ((ret_name != NULL) &&
295 !(*ret_name = talloc_strdup(mem_ctx, name))) {
296 DEBUG(0, ("talloc failed\n"));
297 TALLOC_FREE(tmp_ctx);
298 return False;
299 }
300
301 if (ret_domain != NULL) {
302 char *tmp_dom;
303 if (!(tmp_dom = talloc_strdup(mem_ctx, domain))) {
304 DEBUG(0, ("talloc failed\n"));
305 TALLOC_FREE(tmp_ctx);
306 return False;
307 }
308 strupper_m(tmp_dom);
309 *ret_domain = tmp_dom;
310 }
311
312 if (ret_sid != NULL) {
313 sid_copy(ret_sid, &sid);
314 }
315
316 if (ret_type != NULL) {
317 *ret_type = type;
318 }
319
320 TALLOC_FREE(tmp_ctx);
321 return True;
322 }
323
324 /************************************************************************
325 Names from smb.conf can be unqualified. eg. valid users = foo
326 These names should never map to a remote name. Try global_sam_name()\foo,
327 and then "Unix Users"\foo (or "Unix Groups"\foo).
328 ************************************************************************/
329
330 BOOL lookup_name_smbconf(TALLOC_CTX *mem_ctx,
331 const char *full_name, int flags,
332 const char **ret_domain, const char **ret_name,
333 DOM_SID *ret_sid, enum lsa_SidType *ret_type)
334 {
335 char *qualified_name;
336 const char *p;
337
338 /* NB. No winbindd_separator here as lookup_name needs \\' */
339 if ((p = strchr_m(full_name, *lp_winbind_separator())) != NULL) {
340
341 /* The name is already qualified with a domain. */
342
343 if (*lp_winbind_separator() != '\\') {
344 char *tmp;
345
346 /* lookup_name() needs '\\' as a separator */
347
348 tmp = talloc_strdup(mem_ctx, full_name);
349 if (!tmp) {
350 return False;
351 }
352 tmp[p - full_name] = '\\';
353 full_name = tmp;
354 }
355
356 return lookup_name(mem_ctx, full_name, flags,
357 ret_domain, ret_name,
358 ret_sid, ret_type);
359 }
360
361 /* Try with our own SAM name. */
362 qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
363 get_global_sam_name(),
364 full_name );
365 if (!qualified_name) {
366 return False;
367 }
368
369 if (lookup_name(mem_ctx, qualified_name, flags,
370 ret_domain, ret_name,
371 ret_sid, ret_type)) {
372 return True;
373 }
374
375 /* Finally try with "Unix Users" or "Unix Group" */
376 qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
377 flags & LOOKUP_NAME_GROUP ?
378 unix_groups_domain_name() :
379 unix_users_domain_name(),
380 full_name );
381 if (!qualified_name) {
382 return False;
383 }
384
385 return lookup_name(mem_ctx, qualified_name, flags,
386 ret_domain, ret_name,
387 ret_sid, ret_type);
388 }
389
390 static BOOL wb_lookup_rids(TALLOC_CTX *mem_ctx,
391 const DOM_SID *domain_sid,
392 int num_rids, uint32 *rids,
393 const char **domain_name,
394 const char **names, enum lsa_SidType *types)
395 {
396 int i;
397 const char **my_names;
398 enum lsa_SidType *my_types;
399 TALLOC_CTX *tmp_ctx;
400
401 if (!(tmp_ctx = talloc_init("wb_lookup_rids"))) {
402 return False;
403 }
404
405 if (!winbind_lookup_rids(tmp_ctx, domain_sid, num_rids, rids,
406 domain_name, &my_names, &my_types)) {
407 *domain_name = "";
408 for (i=0; i<num_rids; i++) {
409 names[i] = "";
410 types[i] = SID_NAME_UNKNOWN;
411 }
412 TALLOC_FREE(tmp_ctx);
413 return True;
414 }
415
416 if (!(*domain_name = talloc_strdup(mem_ctx, *domain_name))) {
417 TALLOC_FREE(tmp_ctx);
418 return False;
419 }
420
421 /*
422 * winbind_lookup_rids allocates its own array. We've been given the
423 * array, so copy it over
424 */
425
426 for (i=0; i<num_rids; i++) {
427 if (my_names[i] == NULL) {
428 TALLOC_FREE(tmp_ctx);
429 return False;
430 }
431 if (!(names[i] = talloc_strdup(names, my_names[i]))) {
432 TALLOC_FREE(tmp_ctx);
433 return False;
434 }
435 types[i] = my_types[i];
436 }
437 TALLOC_FREE(tmp_ctx);
438 return True;
439 }
440
441 static BOOL lookup_rids(TALLOC_CTX *mem_ctx, const DOM_SID *domain_sid,
442 int num_rids, uint32_t *rids,
443 const char **domain_name,
444 const char ***names, enum lsa_SidType **types)
445 {
446 int i;
447
448 if (num_rids) {
449 *names = TALLOC_ARRAY(mem_ctx, const char *, num_rids);
450 *types = TALLOC_ARRAY(mem_ctx, enum lsa_SidType, num_rids);
451
452 if ((*names == NULL) || (*types == NULL)) {
453 return False;
454 }
455 } else {
456 *names = NULL;
457 *types = NULL;
458 }
459
460 if (sid_check_is_domain(domain_sid)) {
461 NTSTATUS result;
462
463 if (*domain_name == NULL) {
464 *domain_name = talloc_strdup(
465 mem_ctx, get_global_sam_name());
466 }
467
468 if (*domain_name == NULL) {
469 return False;
470 }
471
472 become_root();
473 result = pdb_lookup_rids(domain_sid, num_rids, rids,
474 *names, *types);
475 unbecome_root();
476
477 return (NT_STATUS_IS_OK(result) ||
478 NT_STATUS_EQUAL(result, NT_STATUS_NONE_MAPPED) ||
479 NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED));
480 }
481
482 if (sid_check_is_builtin(domain_sid)) {
483
484 if (*domain_name == NULL) {
485 *domain_name = talloc_strdup(
486 mem_ctx, builtin_domain_name());
487 }
488
489 if (*domain_name == NULL) {
490 return False;
491 }
492
493 for (i=0; i<num_rids; i++) {
494 if (lookup_builtin_rid(*names, rids[i],
495 &(*names)[i])) {
496 if ((*names)[i] == NULL) {
497 return False;
498 }
499 (*types)[i] = SID_NAME_ALIAS;
500 } else {
501 (*types)[i] = SID_NAME_UNKNOWN;
502 }
503 }
504 return True;
505 }
506
507 if (sid_check_is_wellknown_domain(domain_sid, NULL)) {
508 for (i=0; i<num_rids; i++) {
509 DOM_SID sid;
510 sid_copy(&sid, domain_sid);
511 sid_append_rid(&sid, rids[i]);
512 if (lookup_wellknown_sid(mem_ctx, &sid,
513 domain_name, &(*names)[i])) {
514 if ((*names)[i] == NULL) {
515 return False;
516 }
517 (*types)[i] = SID_NAME_WKN_GRP;
518 } else {
519 (*types)[i] = SID_NAME_UNKNOWN;
520 }
521 }
522 return True;
523 }
524
525 if (sid_check_is_unix_users(domain_sid)) {
526 if (*domain_name == NULL) {
527 *domain_name = talloc_strdup(
528 mem_ctx, unix_users_domain_name());
529 }
530 for (i=0; i<num_rids; i++) {
531 (*names)[i] = talloc_strdup(
532 (*names), uidtoname(rids[i]));
533 (*types)[i] = SID_NAME_USER;
534 }
535 return True;
536 }
537
538 if (sid_check_is_unix_groups(domain_sid)) {
539 if (*domain_name == NULL) {
540 *domain_name = talloc_strdup(
541 mem_ctx, unix_groups_domain_name());
542 }
543 for (i=0; i<num_rids; i++) {
544 (*names)[i] = talloc_strdup(
545 (*names), gidtoname(rids[i]));
546 (*types)[i] = SID_NAME_DOM_GRP;
547 }
548 return True;
549 }
550
551 return wb_lookup_rids(mem_ctx, domain_sid, num_rids, rids,
552 domain_name, *names, *types);
553 }
554
555 /*
556 * Is the SID a domain as such? If yes, lookup its name.
557 */
558
559 static BOOL lookup_as_domain(const DOM_SID *sid, TALLOC_CTX *mem_ctx,
560 const char **name)
561 {
562 const char *tmp;
563 enum lsa_SidType type;
564
565 if (sid_check_is_domain(sid)) {
566 *name = talloc_strdup(mem_ctx, get_global_sam_name());
567 return True;
568 }
569
570 if (sid_check_is_builtin(sid)) {
571 *name = talloc_strdup(mem_ctx, builtin_domain_name());
572 return True;
573 }
574
575 if (sid_check_is_wellknown_domain(sid, &tmp)) {
576 *name = talloc_strdup(mem_ctx, tmp);
577 return True;
578 }
579
580 if (sid->num_auths != 4) {
581 /* This can't be a domain */
582 return False;
583 }
584
585 if (IS_DC) {
586 uint32 i, num_domains;
587 struct trustdom_info **domains;
588
589 /* This is relatively expensive, but it happens only on DCs
590 * and for SIDs that have 4 sub-authorities and thus look like
591 * domains */
592
593 if (!NT_STATUS_IS_OK(pdb_enum_trusteddoms(mem_ctx,
594 &num_domains,
595 &domains))) {
596 return False;
597 }
598
599 for (i=0; i<num_domains; i++) {
600 if (sid_equal(sid, &domains[i]->sid)) {
601 *name = talloc_strdup(mem_ctx,
602 domains[i]->name);
603 return True;
604 }
605 }
606 return False;
607 }
608
609 if (winbind_lookup_sid(mem_ctx, sid, &tmp, NULL, &type) &&
610 (type == SID_NAME_DOMAIN)) {
611 *name = tmp;
612 return True;
613 }
614
615 return False;
616 }
617
618 /*
619 * This tries to implement the rather weird rules for the lsa_lookup level
620 * parameter.
621 *
622 * This is as close as we can get to what W2k3 does. With this we survive the
623 * RPC-LSALOOKUP samba4 test as of 2006-01-08. NT4 as a PDC is a bit more
624 * different, but I assume that's just being too liberal. For example, W2k3
625 * replies to everything else but the levels 1-6 with INVALID_PARAMETER
626 * whereas NT4 does the same as level 1 (I think). I did not fully test that
627 * with NT4, this is what w2k3 does.
628 *
629 * Level 1: Ask everywhere
630 * Level 2: Ask domain and trusted domains, no builtin and wkn
631 * Level 3: Only ask domain
632 * Level 4: W2k3ad: Only ask AD trusts
633 * Level 5: Only ask transitive forest trusts
634 * Level 6: Like 4
635 */
636
637 static BOOL check_dom_sid_to_level(const DOM_SID *sid, int level)
638 {
639 int ret = False;
640
641 switch(level) {
642 case 1:
643 ret = True;
644 break;
645 case 2:
646 ret = (!sid_check_is_builtin(sid) &&
647 !sid_check_is_wellknown_domain(sid, NULL));
648 break;
649 case 3:
650 case 4:
651 case 6:
652 ret = sid_check_is_domain(sid);
653 break;
654 case 5:
655 ret = False;
656 break;
657 }
658
659 DEBUG(10, ("%s SID %s in level %d\n",
660 ret ? "Accepting" : "Rejecting",
661 sid_string_static(sid), level));
662 return ret;
663 }
664
665 /*
666 * Lookup a bunch of SIDs. This is modeled after lsa_lookup_sids with
667 * references to domains, it is explicitly made for this.
668 *
669 * This attempts to be as efficient as possible: It collects all SIDs
670 * belonging to a domain and hands them in bulk to the appropriate lookup
671 * function. In particular pdb_lookup_rids with ldapsam_trusted benefits
672 * *hugely* from this. Winbind is going to be extended with a lookup_rids
673 * interface as well, so on a DC we can do a bulk lsa_lookuprids to the
674 * appropriate DC.
675 */
676
677 NTSTATUS lookup_sids(TALLOC_CTX *mem_ctx, int num_sids,
678 const DOM_SID **sids, int level,
679 struct lsa_dom_info **ret_domains,
680 struct lsa_name_info **ret_names)
681 {
682 TALLOC_CTX *tmp_ctx;
683 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
684 struct lsa_name_info *name_infos;
685 struct lsa_dom_info *dom_infos = NULL;
686
687 int i, j;
688
689 if (!(tmp_ctx = talloc_new(mem_ctx))) {
690 DEBUG(0, ("talloc_new failed\n"));
691 return NT_STATUS_NO_MEMORY;
692 }
693
694 if (num_sids) {
695 name_infos = TALLOC_ARRAY(mem_ctx, struct lsa_name_info, num_sids);
696 if (name_infos == NULL) {
697 result = NT_STATUS_NO_MEMORY;
698 goto fail;
699 }
700 } else {
701 name_infos = NULL;
702 }
703
704 dom_infos = TALLOC_ZERO_ARRAY(mem_ctx, struct lsa_dom_info,
705 MAX_REF_DOMAINS);
706 if (dom_infos == NULL) {
707 result = NT_STATUS_NO_MEMORY;
708 goto fail;
709 }
710
711 /* First build up the data structures:
712 *
713 * dom_infos is a list of domains referenced in the list of
714 * SIDs. Later we will walk the list of domains and look up the RIDs
715 * in bulk.
716 *
717 * name_infos is a shadow-copy of the SIDs array to collect the real
718 * data.
719 *
720 * dom_info->idxs is an index into the name_infos array. The
721 * difficulty we have here is that we need to keep the SIDs the client
722 * asked for in the same order for the reply
723 */
724
725 for (i=0; i<num_sids; i++) {
726 DOM_SID sid;
727 uint32 rid;
728 const char *domain_name = NULL;
729
730 sid_copy(&sid, sids[i]);
731 name_infos[i].type = SID_NAME_USE_NONE;
732
733 if (lookup_as_domain(&sid, name_infos, &domain_name)) {
734 /* We can't push that through the normal lookup
735 * process, as this would reference illegal
736 * domains.
737 *
738 * For example S-1-5-32 would end up referencing
739 * domain S-1-5- with RID 32 which is clearly wrong.
740 */
741 if (domain_name == NULL) {
742 result = NT_STATUS_NO_MEMORY;
743 goto fail;
744 }
745
746 name_infos[i].rid = 0;
747 name_infos[i].type = SID_NAME_DOMAIN;
748 name_infos[i].name = NULL;
749
750 if (sid_check_is_builtin(&sid)) {
751 /* Yes, W2k3 returns "BUILTIN" both as domain
752 * and name here */
753 name_infos[i].name = talloc_strdup(
754 name_infos, builtin_domain_name());
755 if (name_infos[i].name == NULL) {
756 result = NT_STATUS_NO_MEMORY;
757 goto fail;
758 }
759 }
760 } else {
761 /* This is a normal SID with rid component */
762 if (!sid_split_rid(&sid, &rid)) {
763 result = NT_STATUS_INVALID_PARAMETER;
764 goto fail;
765 }
766 }
767
768 if (!check_dom_sid_to_level(&sid, level)) {
769 name_infos[i].rid = 0;
770 name_infos[i].type = SID_NAME_UNKNOWN;
771 name_infos[i].name = NULL;
772 continue;
773 }
774
775 for (j=0; j<MAX_REF_DOMAINS; j++) {
776 if (!dom_infos[j].valid) {
777 break;
778 }
779 if (sid_equal(&sid, &dom_infos[j].sid)) {
780 break;
781 }
782 }
783
784 if (j == MAX_REF_DOMAINS) {
785 /* TODO: What's the right error message here? */
786 result = NT_STATUS_NONE_MAPPED;
787 goto fail;
788 }
789
790 if (!dom_infos[j].valid) {
791 /* We found a domain not yet referenced, create a new
792 * ref. */
793 dom_infos[j].valid = True;
794 sid_copy(&dom_infos[j].sid, &sid);
795
796 if (domain_name != NULL) {
797 /* This name was being found above in the case
798 * when we found a domain SID */
799 dom_infos[j].name =
800 talloc_strdup(dom_infos, domain_name);
801 if (dom_infos[j].name == NULL) {
802 result = NT_STATUS_NO_MEMORY;
803 goto fail;
804 }
805 } else {
806 /* lookup_rids will take care of this */
807 dom_infos[j].name = NULL;
808 }
809 }
810
811 name_infos[i].dom_idx = j;
812
813 if (name_infos[i].type == SID_NAME_USE_NONE) {
814 name_infos[i].rid = rid;
815
816 ADD_TO_ARRAY(dom_infos, int, i, &dom_infos[j].idxs,
817 &dom_infos[j].num_idxs);
818
819 if (dom_infos[j].idxs == NULL) {
820 result = NT_STATUS_NO_MEMORY;
821 goto fail;
822 }
823 }
824 }
825
826 /* Iterate over the domains found */
827
828 for (i=0; i<MAX_REF_DOMAINS; i++) {
829 uint32_t *rids;
830 const char *domain_name = NULL;
831 const char **names;
832 enum lsa_SidType *types;
833 struct lsa_dom_info *dom = &dom_infos[i];
834
835 if (!dom->valid) {
836 /* No domains left, we're done */
837 break;
838 }
839
840 if (dom->num_idxs) {
841 if (!(rids = TALLOC_ARRAY(tmp_ctx, uint32, dom->num_idxs))) {
842 result = NT_STATUS_NO_MEMORY;
843 goto fail;
844 }
845 } else {
846 rids = NULL;
847 }
848
849 for (j=0; j<dom->num_idxs; j++) {
850 rids[j] = name_infos[dom->idxs[j]].rid;
851 }
852
853 if (!lookup_rids(tmp_ctx, &dom->sid,
854 dom->num_idxs, rids, &domain_name,
855 &names, &types)) {
856 result = NT_STATUS_NO_MEMORY;
857 goto fail;
858 }
859
860 if (!(dom->name = talloc_strdup(dom_infos, domain_name))) {
861 result = NT_STATUS_NO_MEMORY;
862 goto fail;
863 }
864
865 for (j=0; j<dom->num_idxs; j++) {
866 int idx = dom->idxs[j];
867 name_infos[idx].type = types[j];
868 if (types[j] != SID_NAME_UNKNOWN) {
869 name_infos[idx].name =
870 talloc_strdup(name_infos, names[j]);
871 if (name_infos[idx].name == NULL) {
872 result = NT_STATUS_NO_MEMORY;
873 goto fail;
874 }
875 } else {
876 name_infos[idx].name = NULL;
877 }
878 }
879 }
880
881 *ret_domains = dom_infos;
882 *ret_names = name_infos;
883 return NT_STATUS_OK;
884
885 fail:
886 TALLOC_FREE(dom_infos);
887 TALLOC_FREE(name_infos);
888 TALLOC_FREE(tmp_ctx);
889 return result;
890 }
891
892 /*****************************************************************
893 *THE CANONICAL* convert SID to name function.
894 *****************************************************************/
895
896 BOOL lookup_sid(TALLOC_CTX *mem_ctx, const DOM_SID *sid,
897 const char **ret_domain, const char **ret_name,
898 enum lsa_SidType *ret_type)
899 {
900 struct lsa_dom_info *domain;
901 struct lsa_name_info *name;
902 TALLOC_CTX *tmp_ctx;
903 BOOL ret = False;
904
905 if (!(tmp_ctx = talloc_new(mem_ctx))) {
906 DEBUG(0, ("talloc_new failed\n"));
907 return False;
908 }
909
910 if (!NT_STATUS_IS_OK(lookup_sids(tmp_ctx, 1, &sid, 1,
911 &domain, &name))) {
912 goto done;
913 }
914
915 if (name->type == SID_NAME_UNKNOWN) {
916 goto done;
917 }
918
919 if ((ret_domain != NULL) &&
920 !(*ret_domain = talloc_strdup(mem_ctx, domain->name))) {
921 goto done;
922 }
923
924 if ((ret_name != NULL) &&
925 !(*ret_name = talloc_strdup(mem_ctx, name->name))) {
926 goto done;
927 }
928
929 if (ret_type != NULL) {
930 *ret_type = name->type;
931 }
932
933 ret = True;
934
935 done:
936 if (ret) {
937 DEBUG(10, ("Sid %s -> %s\\%s(%d)\n",
938 sid_string_static(sid), domain->name,
939 name->name, name->type));
940 } else {
941 DEBUG(10, ("failed to lookup sid %s\n",
942 sid_string_static(sid)));
943 }
944 TALLOC_FREE(tmp_ctx);
945 return ret;
946 }
947
948 /*****************************************************************
949 Id mapping cache. This is to avoid Winbind mappings already
950 seen by smbd to be queried too frequently, keeping winbindd
951 busy, and blocking smbd while winbindd is busy with other
952 stuff. Written by Michael Steffens <michael.steffens@hp.com>,
953 modified to use linked lists by jra.
954 *****************************************************************/
955
956 #define MAX_UID_SID_CACHE_SIZE 100
957 #define TURNOVER_UID_SID_CACHE_SIZE 10
958 #define MAX_GID_SID_CACHE_SIZE 100
959 #define TURNOVER_GID_SID_CACHE_SIZE 10
960
961 static size_t n_uid_sid_cache = 0;
962 static size_t n_gid_sid_cache = 0;
963
964 static struct uid_sid_cache {
965 struct uid_sid_cache *next, *prev;
966 uid_t uid;
967 DOM_SID sid;
968 enum lsa_SidType sidtype;
969 } *uid_sid_cache_head;
970
971 static struct gid_sid_cache {
972 struct gid_sid_cache *next, *prev;
973 gid_t gid;
974 DOM_SID sid;
975 enum lsa_SidType sidtype;
976 } *gid_sid_cache_head;
977
978 /*****************************************************************
979 Find a SID given a uid.
980 *****************************************************************/
981
982 static BOOL fetch_sid_from_uid_cache(DOM_SID *psid, uid_t uid)
983 {
984 struct uid_sid_cache *pc;
985
986 for (pc = uid_sid_cache_head; pc; pc = pc->next) {
987 if (pc->uid == uid) {
988 *psid = pc->sid;
989 DEBUG(3,("fetch sid from uid cache %u -> %s\n",
990 (unsigned int)uid, sid_string_static(psid)));
991 DLIST_PROMOTE(uid_sid_cache_head, pc);
992 return True;
993 }
994 }
995 return False;
996 }
997
998 /*****************************************************************
999 Find a uid given a SID.
1000 *****************************************************************/
1001
1002 static BOOL fetch_uid_from_cache( uid_t *puid, const DOM_SID *psid )
1003 {
1004 struct uid_sid_cache *pc;
1005
1006 for (pc = uid_sid_cache_head; pc; pc = pc->next) {
1007 if (sid_compare(&pc->sid, psid) == 0) {
1008 *puid = pc->uid;
1009 DEBUG(3,("fetch uid from cache %u -> %s\n",
1010 (unsigned int)*puid, sid_string_static(psid)));
1011 DLIST_PROMOTE(uid_sid_cache_head, pc);
1012 return True;
1013 }
1014 }
1015 return False;
1016 }
1017
1018 /*****************************************************************
1019 Store uid to SID mapping in cache.
1020 *****************************************************************/
1021
1022 void store_uid_sid_cache(const DOM_SID *psid, uid_t uid)
1023 {
1024 struct uid_sid_cache *pc;
1025
1026 /* do not store SIDs in the "Unix Group" domain */
1027
1028 if ( sid_check_is_in_unix_users( psid ) )
1029 return;
1030
1031 if (n_uid_sid_cache >= MAX_UID_SID_CACHE_SIZE && n_uid_sid_cache > TURNOVER_UID_SID_CACHE_SIZE) {
1032 /* Delete the last TURNOVER_UID_SID_CACHE_SIZE entries. */
1033 struct uid_sid_cache *pc_next;
1034 size_t i;
1035
1036 for (i = 0, pc = uid_sid_cache_head; i < (n_uid_sid_cache - TURNOVER_UID_SID_CACHE_SIZE); i++, pc = pc->next)
1037 ;
1038 for(; pc; pc = pc_next) {
1039 pc_next = pc->next;
1040 DLIST_REMOVE(uid_sid_cache_head,pc);
1041 SAFE_FREE(pc);
1042 n_uid_sid_cache--;
1043 }
1044 }
1045
1046 pc = SMB_MALLOC_P(struct uid_sid_cache);
1047 if (!pc)
1048 return;
1049 pc->uid = uid;
1050 sid_copy(&pc->sid, psid);
1051 DLIST_ADD(uid_sid_cache_head, pc);
1052 n_uid_sid_cache++;
1053 }
1054
1055 /*****************************************************************
1056 Find a SID given a gid.
1057 *****************************************************************/
1058
1059 static BOOL fetch_sid_from_gid_cache(DOM_SID *psid, gid_t gid)
1060 {
1061 struct gid_sid_cache *pc;
1062
1063 for (pc = gid_sid_cache_head; pc; pc = pc->next) {
1064 if (pc->gid == gid) {
1065 *psid = pc->sid;
1066 DEBUG(3,("fetch sid from gid cache %u -> %s\n",
1067 (unsigned int)gid, sid_string_static(psid)));
1068 DLIST_PROMOTE(gid_sid_cache_head, pc);
1069 return True;
1070 }
1071 }
1072 return False;
1073 }
1074
1075 /*****************************************************************
1076 Find a gid given a SID.
1077 *****************************************************************/
1078
1079 static BOOL fetch_gid_from_cache(gid_t *pgid, const DOM_SID *psid)
1080 {
1081 struct gid_sid_cache *pc;
1082
1083 for (pc = gid_sid_cache_head; pc; pc = pc->next) {
1084 if (sid_compare(&pc->sid, psid) == 0) {
1085 *pgid = pc->gid;
1086 DEBUG(3,("fetch gid from cache %u -> %s\n",
1087 (unsigned int)*pgid, sid_string_static(psid)));
1088 DLIST_PROMOTE(gid_sid_cache_head, pc);
1089 return True;
1090 }
1091 }
1092 return False;
1093 }
1094
1095 /*****************************************************************
1096 Store gid to SID mapping in cache.
1097 *****************************************************************/
1098
1099 void store_gid_sid_cache(const DOM_SID *psid, gid_t gid)
1100 {
1101 struct gid_sid_cache *pc;
1102
1103 /* do not store SIDs in the "Unix Group" domain */
1104
1105 if ( sid_check_is_in_unix_groups( psid ) )
1106 return;
1107
1108 if (n_gid_sid_cache >= MAX_GID_SID_CACHE_SIZE && n_gid_sid_cache > TURNOVER_GID_SID_CACHE_SIZE) {
1109 /* Delete the last TURNOVER_GID_SID_CACHE_SIZE entries. */
1110 struct gid_sid_cache *pc_next;
1111 size_t i;
1112
1113 for (i = 0, pc = gid_sid_cache_head; i < (n_gid_sid_cache - TURNOVER_GID_SID_CACHE_SIZE); i++, pc = pc->next)
1114 ;
1115 for(; pc; pc = pc_next) {
1116 pc_next = pc->next;
1117 DLIST_REMOVE(gid_sid_cache_head,pc);
1118 SAFE_FREE(pc);
1119 n_gid_sid_cache--;
1120 }
1121 }
1122
1123 pc = SMB_MALLOC_P(struct gid_sid_cache);
1124 if (!pc)
1125 return;
1126 pc->gid = gid;
1127 sid_copy(&pc->sid, psid);
1128 DLIST_ADD(gid_sid_cache_head, pc);
1129
1130 DEBUG(3,("store_gid_sid_cache: gid %u in cache -> %s\n", (unsigned int)gid,
1131 sid_string_static(psid)));
1132
1133 n_gid_sid_cache++;
1134 }
1135
1136 /*****************************************************************
1137 *THE LEGACY* convert uid_t to SID function.
1138 *****************************************************************/
1139
1140 static void legacy_uid_to_sid(DOM_SID *psid, uid_t uid)
1141 {
1142 uint32 rid;
1143 BOOL ret;
1144
1145 ZERO_STRUCTP(psid);
1146
1147 become_root();
1148 ret = pdb_uid_to_rid(uid, &rid);
1149 unbecome_root();
1150
1151 if (ret) {
1152 /* This is a mapped user */
1153 sid_copy(psid, get_global_sam_sid());
1154 sid_append_rid(psid, rid);
1155 goto done;
1156 }
1157
1158 /* This is an unmapped user */
1159
1160 uid_to_unix_users_sid(uid, psid);
1161
1162 done:
1163 DEBUG(10,("LEGACY: uid %u -> sid %s\n", (unsigned int)uid,
1164 sid_string_static(psid)));
1165
1166 store_uid_sid_cache(psid, uid);
1167 return;
1168 }
1169
1170 /*****************************************************************
1171 *THE LEGACY* convert gid_t to SID function.
1172 *****************************************************************/
1173
1174 static void legacy_gid_to_sid(DOM_SID *psid, gid_t gid)
1175 {
1176 BOOL ret;
1177
1178 ZERO_STRUCTP(psid);
1179
1180 become_root();
1181 ret = pdb_gid_to_sid(gid, psid);
1182 unbecome_root();
1183
1184 if (ret) {
1185 /* This is a mapped group */
1186 goto done;
1187 }
1188
1189 /* This is an unmapped group */
1190
1191 gid_to_unix_groups_sid(gid, psid);
1192
1193 done:
1194 DEBUG(10,("LEGACY: gid %u -> sid %s\n", (unsigned int)gid,
1195 sid_string_static(psid)));
1196
1197 store_gid_sid_cache(psid, gid);
1198 return;
1199 }
1200
1201 /*****************************************************************
1202 *THE LEGACY* convert SID to uid function.
1203 *****************************************************************/
1204
1205 static BOOL legacy_sid_to_uid(const DOM_SID *psid, uid_t *puid)
1206 {
1207 enum lsa_SidType type;
1208 uint32 rid;
1209
1210 if (sid_peek_check_rid(get_global_sam_sid(), psid, &rid)) {
1211 union unid_t id;
1212 BOOL ret;
1213
1214 become_root();
1215 ret = pdb_sid_to_id(psid, &id, &type);
1216 unbecome_root();
1217
1218 if (ret) {
1219 if (type != SID_NAME_USER) {
1220 DEBUG(5, ("sid %s is a %s, expected a user\n",
1221 sid_string_static(psid),
1222 sid_type_lookup(type)));
1223 return False;
1224 }
1225 *puid = id.uid;
1226 goto done;
1227 }
1228
1229 /* This was ours, but it was not mapped. Fail */
1230 }
1231
1232 DEBUG(10,("LEGACY: mapping failed for sid %s\n", sid_string_static(psid)));
1233 return False;
1234
1235 done:
1236 DEBUG(10,("LEGACY: sid %s -> uid %u\n", sid_string_static(psid),
1237 (unsigned int)*puid ));
1238
1239 store_uid_sid_cache(psid, *puid);
1240 return True;
1241 }
1242
1243 /*****************************************************************
1244 *THE LEGACY* convert SID to gid function.
1245 Group mapping is used for gids that maps to Wellknown SIDs
1246 *****************************************************************/
1247
1248 static BOOL legacy_sid_to_gid(const DOM_SID *psid, gid_t *pgid)
1249 {
1250 uint32 rid;
1251 GROUP_MAP map;
1252 union unid_t id;
1253 enum lsa_SidType type;
1254
1255 if ((sid_check_is_in_builtin(psid) ||
1256 sid_check_is_in_wellknown_domain(psid))) {
1257 BOOL ret;
1258
1259 become_root();
1260 ret = pdb_getgrsid(&map, *psid);
1261 unbecome_root();
1262
1263 if (ret) {
1264 *pgid = map.gid;
1265 goto done;
1266 }
1267 DEBUG(10,("LEGACY: mapping failed for sid %s\n", sid_string_static(psid)));
1268 return False;
1269 }
1270
1271 if (sid_peek_check_rid(get_global_sam_sid(), psid, &rid)) {
1272 BOOL ret;
1273
1274 become_root();
1275 ret = pdb_sid_to_id(psid, &id, &type);
1276 unbecome_root();
1277
1278 if (ret) {
1279 if ((type != SID_NAME_DOM_GRP) &&
1280 (type != SID_NAME_ALIAS)) {
1281 DEBUG(5, ("LEGACY: sid %s is a %s, expected a group\n",
1282 sid_string_static(psid),
1283 sid_type_lookup(type)));
1284 return False;
1285 }
1286 *pgid = id.gid;
1287 goto done;
1288 }
1289
1290 /* This was ours, but it was not mapped. Fail */
1291 }
1292
1293 DEBUG(10,("LEGACY: mapping failed for sid %s\n", sid_string_static(psid)));
1294 return False;
1295
1296 done:
1297 DEBUG(10,("LEGACY: sid %s -> gid %u\n", sid_string_static(psid),
1298 (unsigned int)*pgid ));
1299
1300 store_gid_sid_cache(psid, *pgid);
1301
1302 return True;
1303 }
1304
1305 /*****************************************************************
1306 *THE CANONICAL* convert uid_t to SID function.
1307 *****************************************************************/
1308
1309 void uid_to_sid(DOM_SID *psid, uid_t uid)
1310 {
1311 ZERO_STRUCTP(psid);
1312
1313 if (fetch_sid_from_uid_cache(psid, uid))
1314 return;
1315
1316 if (!winbind_uid_to_sid(psid, uid)) {
1317 if (!winbind_ping()) {
1318 legacy_uid_to_sid(psid, uid);
1319 return;
1320 }
1321
1322 DEBUG(5, ("uid_to_sid: winbind failed to find a sid for uid %u\n",
1323 uid));
1324 return;
1325 }
1326
1327 DEBUG(10,("uid %u -> sid %s\n",
1328 (unsigned int)uid, sid_string_static(psid)));
1329
1330 store_uid_sid_cache(psid, uid);
1331 return;
1332 }
1333
1334 /*****************************************************************
1335 *THE CANONICAL* convert gid_t to SID function.
1336 *****************************************************************/
1337
1338 void gid_to_sid(DOM_SID *psid, gid_t gid)
1339 {
1340 ZERO_STRUCTP(psid);
1341
1342 if (fetch_sid_from_gid_cache(psid, gid))
1343 return;
1344
1345 if (!winbind_gid_to_sid(psid, gid)) {
1346 if (!winbind_ping()) {
1347 legacy_gid_to_sid(psid, gid);
1348 return;
1349 }
1350
1351 DEBUG(5, ("gid_to_sid: winbind failed to find a sid for gid %u\n",
1352 gid));
1353 return;
1354 }
1355
1356 DEBUG(10,("gid %u -> sid %s\n",
1357 (unsigned int)gid, sid_string_static(psid)));
1358
1359 store_gid_sid_cache(psid, gid);
1360 return;
1361 }
1362
1363 /*****************************************************************
1364 *THE CANONICAL* convert SID to uid function.
1365 *****************************************************************/
1366
1367 BOOL sid_to_uid(const DOM_SID *psid, uid_t *puid)
1368 {
1369 uint32 rid;
1370 gid_t gid;
1371
1372 if (fetch_uid_from_cache(puid, psid))
1373 return True;
1374
1375 if (fetch_gid_from_cache(&gid, psid)) {
1376 return False;
1377 }
1378
1379 /* Optimize for the Unix Users Domain
1380 * as the conversion is straightforward */
1381 if (sid_peek_check_rid(&global_sid_Unix_Users, psid, &rid)) {
1382 uid_t uid = rid;
1383 *puid = uid;
1384
1385 /* return here, don't cache */
1386 DEBUG(10,("sid %s -> uid %u\n", sid_string_static(psid),
1387 (unsigned int)*puid ));
1388 return True;
1389 }
1390
1391 if (!winbind_sid_to_uid(puid, psid)) {
1392 if (!winbind_ping()) {
1393 return legacy_sid_to_uid(psid, puid);
1394 }
1395
1396 DEBUG(5, ("winbind failed to find a uid for sid %s\n",
1397 sid_string_static(psid)));
1398 return False;
1399 }
1400
1401 /* TODO: Here would be the place to allocate both a gid and a uid for
1402 * the SID in question */
1403
1404 DEBUG(10,("sid %s -> uid %u\n", sid_string_static(psid),
1405 (unsigned int)*puid ));
1406
1407 store_uid_sid_cache(psid, *puid);
1408 return True;
1409 }
1410
1411 /*****************************************************************
1412 *THE CANONICAL* convert SID to gid function.
1413 Group mapping is used for gids that maps to Wellknown SIDs
1414 *****************************************************************/
1415
1416 BOOL sid_to_gid(const DOM_SID *psid, gid_t *pgid)
1417 {
1418 uint32 rid;
1419 uid_t uid;
1420
1421 if (fetch_gid_from_cache(pgid, psid))
1422 return True;
1423
1424 if (fetch_uid_from_cache(&uid, psid))
1425 return False;
1426
1427 /* Optimize for the Unix Groups Domain
1428 * as the conversion is straightforward */
1429 if (sid_peek_check_rid(&global_sid_Unix_Groups, psid, &rid)) {
1430 gid_t gid = rid;
1431 *pgid = gid;
1432
1433 /* return here, don't cache */
1434 DEBUG(10,("sid %s -> gid %u\n", sid_string_static(psid),
1435 (unsigned int)*pgid ));
1436 return True;
1437 }
1438
1439 /* Ask winbindd if it can map this sid to a gid.
1440 * (Idmap will check it is a valid SID and of the right type) */
1441
1442 if ( !winbind_sid_to_gid(pgid, psid) ) {
1443 if (!winbind_ping()) {
1444 return legacy_sid_to_gid(psid, pgid);
1445 }
1446
1447 DEBUG(10,("winbind failed to find a gid for sid %s\n",
1448 sid_string_static(psid)));
1449 return False;
1450 }
1451
1452 DEBUG(10,("sid %s -> gid %u\n", sid_string_static(psid),
1453 (unsigned int)*pgid ));
1454
1455 store_gid_sid_cache(psid, *pgid);
1456
1457 return True;
1458 }
1459