search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
r294: checking in volker's winbindd patches; tested on domain members (Samba and...
[Samba/ekacnet.git] / source / nsswitch / winbindd_sid.c
blob61da9b3d92f097050d0db9e3898800018fa8ebc3
1 /*
2 Unix SMB/CIFS implementation.
3
4 Winbind daemon - sid related functions
5
6 Copyright (C) Tim Potter 2000
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
21 */
22
23 #include "includes.h"
24 #include "winbindd.h"
25
26 #undef DBGC_CLASS
27 #define DBGC_CLASS DBGC_WINBIND
28
29 /* Convert a string */
30
31 enum winbindd_result winbindd_lookupsid(struct winbindd_cli_state *state)
32 {
33 enum SID_NAME_USE type;
34 DOM_SID sid;
35 fstring name;
36 fstring dom_name;
37
38 /* Ensure null termination */
39 state->request.data.sid[sizeof(state->request.data.sid)-1]='\0';
40
41 DEBUG(3, ("[%5lu]: lookupsid %s\n", (unsigned long)state->pid,
42 state->request.data.sid));
43
44 /* Lookup sid from PDC using lsa_lookup_sids() */
45
46 if (!string_to_sid(&sid, state->request.data.sid)) {
47 DEBUG(5, ("%s not a SID\n", state->request.data.sid));
48 return WINBINDD_ERROR;
49 }
50
51 /* Lookup the sid */
52
53 if (!winbindd_lookup_name_by_sid(&sid, dom_name, name, &type)) {
54 return WINBINDD_ERROR;
55 }
56
57 fstrcpy(state->response.data.name.dom_name, dom_name);
58 fstrcpy(state->response.data.name.name, name);
59
60 state->response.data.name.type = type;
61
62 return WINBINDD_OK;
63 }
64
65
66 /**
67 * Look up the SID for a qualified name.
68 **/
69 enum winbindd_result winbindd_lookupname(struct winbindd_cli_state *state)
70 {
71 enum SID_NAME_USE type;
72 fstring sid_str;
73 char *name_domain, *name_user;
74 DOM_SID sid;
75 struct winbindd_domain *domain;
76 char *p;
77
78 /* Ensure null termination */
79 state->request.data.sid[sizeof(state->request.data.name.dom_name)-1]='\0';
80
81 /* Ensure null termination */
82 state->request.data.sid[sizeof(state->request.data.name.name)-1]='\0';
83
84 /* cope with the name being a fully qualified name */
85 p = strstr(state->request.data.name.name, lp_winbind_separator());
86 if (p) {
87 *p = 0;
88 name_domain = state->request.data.name.name;
89 name_user = p+1;
90 } else {
91 name_domain = state->request.data.name.dom_name;
92 name_user = state->request.data.name.name;
93 }
94
95 DEBUG(3, ("[%5lu]: lookupname %s%s%s\n", (unsigned long)state->pid,
96 name_domain, lp_winbind_separator(), name_user));
97
98 if ((domain = find_lookup_domain_from_name(name_domain)) == NULL) {
99 DEBUG(0, ("could not find domain entry for domain %s\n",
100 name_domain));
101 return WINBINDD_ERROR;
102 }
103
104 /* Lookup name from PDC using lsa_lookup_names() */
105 if (!winbindd_lookup_sid_by_name(domain, name_domain, name_user, &sid, &type)) {
106 return WINBINDD_ERROR;
107 }
108
109 sid_to_string(sid_str, &sid);
110 fstrcpy(state->response.data.sid.sid, sid_str);
111 state->response.data.sid.type = type;
112
113 return WINBINDD_OK;
114 }
115
116 /* Convert a sid to a uid. We assume we only have one rid attached to the
117 sid. */
118
119 enum winbindd_result winbindd_sid_to_uid(struct winbindd_cli_state *state)
120 {
121 DOM_SID sid;
122 uint32 flags = 0x0;
123
124 /* Ensure null termination */
125 state->request.data.sid[sizeof(state->request.data.sid)-1]='\0';
126
127 DEBUG(3, ("[%5lu]: sid to uid %s\n", (unsigned long)state->pid,
128 state->request.data.sid));
129
130 if (!string_to_sid(&sid, state->request.data.sid)) {
131 DEBUG(1, ("Could not get convert sid %s from string\n", state->request.data.sid));
132 return WINBINDD_ERROR;
133 }
134
135 /* This gets a little tricky. If we assume that usernames are syncd between
136 /etc/passwd and the windows domain (such as a member of a Samba domain),
137 the we need to get the uid from the OS and not alocate one ourselves */
138
139 if ( lp_winbind_trusted_domains_only() ) {
140 struct winbindd_domain *domain = NULL;
141 DOM_SID sid2;
142 uint32 rid;
143
144 domain = find_our_domain();
145 if ( !domain ) {
146 DEBUG(0,("winbindd_sid_to_uid: can't find my own domain!\n"));
147 return WINBINDD_ERROR;
148 }
149
150 sid_copy( &sid2, &sid );
151 sid_split_rid( &sid2, &rid );
152
153 if ( sid_equal( &sid2, &domain->sid ) ) {
154
155 fstring domain_name;
156 fstring user;
157 enum SID_NAME_USE type;
158 struct passwd *pw = NULL;
159 unid_t id;
160
161 /* ok...here's we know that we are dealing with our
162 own domain (the one to which we are joined). And
163 we know that there must be a UNIX account for this user.
164 So we lookup the sid and the call getpwnam().*/
165
166
167 /* But first check and see if we don't already have a mapping */
168
169 flags = ID_QUERY_ONLY;
170 if ( NT_STATUS_IS_OK(idmap_sid_to_uid(&sid, &(state->response.data.uid), flags)) )
171 return WINBINDD_OK;
172
173 /* now fall back to the hard way */
174
175 if ( !winbindd_lookup_name_by_sid(&sid, domain_name, user, &type) )
176 return WINBINDD_ERROR;
177
178 if ( !(pw = getpwnam(user)) ) {
179 DEBUG(0,("winbindd_sid_to_uid: 'winbind trusted domains only' is "
180 "set but this user [%s] doesn't exist!\n", user));
181 return WINBINDD_ERROR;
182 }
183
184 state->response.data.uid = pw->pw_uid;
185
186 id.uid = pw->pw_uid;
187 idmap_set_mapping( &sid, id, ID_USERID );
188
189 return WINBINDD_OK;
190 }
191
192 }
193
194 if ( state->request.flags & WBFLAG_QUERY_ONLY )
195 flags = ID_QUERY_ONLY;
196
197 /* Find uid for this sid and return it */
198
199 if ( !NT_STATUS_IS_OK(idmap_sid_to_uid(&sid, &(state->response.data.uid), flags)) ) {
200 DEBUG(1, ("Could not get uid for sid %s\n", state->request.data.sid));
201 return WINBINDD_ERROR;
202 }
203
204 return WINBINDD_OK;
205 }
206
207 /* Convert a sid to a gid. We assume we only have one rid attached to the
208 sid.*/
209
210 enum winbindd_result winbindd_sid_to_gid(struct winbindd_cli_state *state)
211 {
212 DOM_SID sid;
213 uint32 flags = 0x0;
214
215 /* Ensure null termination */
216 state->request.data.sid[sizeof(state->request.data.sid)-1]='\0';
217
218 DEBUG(3, ("[%5lu]: sid to gid %s\n", (unsigned long)state->pid,
219 state->request.data.sid));
220
221 if (!string_to_sid(&sid, state->request.data.sid)) {
222 DEBUG(1, ("Could not cvt string to sid %s\n", state->request.data.sid));
223 return WINBINDD_ERROR;
224 }
225
226 /* This gets a little tricky. If we assume that usernames are syncd between
227 /etc/passwd and the windows domain (such as a member of a Samba domain),
228 the we need to get the uid from the OS and not alocate one ourselves */
229
230 if ( lp_winbind_trusted_domains_only() ) {
231 struct winbindd_domain *domain = NULL;
232 DOM_SID sid2;
233 uint32 rid;
234 unid_t id;
235
236 domain = find_our_domain();
237 if ( !domain ) {
238 DEBUG(0,("winbindd_sid_to_uid: can't find my own domain!\n"));
239 return WINBINDD_ERROR;
240 }
241
242 sid_copy( &sid2, &sid );
243 sid_split_rid( &sid2, &rid );
244
245 if ( sid_equal( &sid2, &domain->sid ) ) {
246
247 fstring domain_name;
248 fstring group;
249 enum SID_NAME_USE type;
250 struct group *grp = NULL;
251
252 /* ok...here's we know that we are dealing with our
253 own domain (the one to which we are joined). And
254 we know that there must be a UNIX account for this group.
255 So we lookup the sid and the call getpwnam().*/
256
257 /* But first check and see if we don't already have a mapping */
258
259 flags = ID_QUERY_ONLY;
260 if ( NT_STATUS_IS_OK(idmap_sid_to_gid(&sid, &(state->response.data.gid), flags)) )
261 return WINBINDD_OK;
262
263 /* now fall back to the hard way */
264
265 if ( !winbindd_lookup_name_by_sid(&sid, domain_name, group, &type) )
266 return WINBINDD_ERROR;
267
268 if ( !(grp = getgrnam(group)) ) {
269 DEBUG(0,("winbindd_sid_to_uid: 'winbind trusted domains only' is "
270 "set but this group [%s] doesn't exist!\n", group));
271 return WINBINDD_ERROR;
272 }
273
274 state->response.data.gid = grp->gr_gid;
275
276 id.gid = grp->gr_gid;
277 idmap_set_mapping( &sid, id, ID_GROUPID );
278
279 return WINBINDD_OK;
280 }
281
282 }
283
284 if ( state->request.flags & WBFLAG_QUERY_ONLY )
285 flags = ID_QUERY_ONLY;
286
287 /* Find gid for this sid and return it */
288 if ( !NT_STATUS_IS_OK(idmap_sid_to_gid(&sid, &(state->response.data.gid), flags)) ) {
289 DEBUG(1, ("Could not get gid for sid %s\n", state->request.data.sid));
290 return WINBINDD_ERROR;
291 }
292
293 return WINBINDD_OK;
294 }
295
296 /* Convert a uid to a sid */
297
298 enum winbindd_result winbindd_uid_to_sid(struct winbindd_cli_state *state)
299 {
300 DOM_SID sid;
301
302 DEBUG(3, ("[%5lu]: uid to sid %lu\n", (unsigned long)state->pid,
303 (unsigned long)state->request.data.uid));
304
305 if ( (state->request.data.uid < server_state.uid_low )
306 || (state->request.data.uid > server_state.uid_high) )
307 {
308 struct passwd *pw = NULL;
309 enum SID_NAME_USE type;
310 unid_t id;
311 struct winbindd_domain *domain;
312
313 /* SPECIAL CASE FOR MEMBERS OF SAMBA DOMAINS */
314
315 /* if we don't trust /etc/password then when can't know
316 anything about this uid */
317
318 if ( !lp_winbind_trusted_domains_only() )
319 return WINBINDD_ERROR;
320
321
322 /* look for an idmap entry first */
323
324 if ( NT_STATUS_IS_OK(idmap_uid_to_sid(&sid, state->request.data.uid)) )
325 goto done;
326
327 /* if users exist in /etc/passwd, we should try to
328 use that uid. Get the username and the lookup the SID */
329
330 if ( !(pw = getpwuid(state->request.data.uid)) )
331 return WINBINDD_ERROR;
332
333 if ( !(domain = find_our_domain()) ) {
334 DEBUG(0,("winbindd_uid_to_sid: can't find my own domain!\n"));
335 return WINBINDD_ERROR;
336 }
337
338 if ( !winbindd_lookup_sid_by_name(domain, domain->name, pw->pw_name, &sid, &type) )
339 return WINBINDD_ERROR;
340
341 if ( type != SID_NAME_USER )
342 return WINBINDD_ERROR;
343
344 /* don't fail if we can't store it */
345
346 id.uid = pw->pw_uid;
347 idmap_set_mapping( &sid, id, ID_USERID );
348
349 goto done;
350 }
351
352 /* Lookup rid for this uid */
353
354 if (!NT_STATUS_IS_OK(idmap_uid_to_sid(&sid, state->request.data.uid))) {
355 DEBUG(1, ("Could not convert uid %lu to rid\n",
356 (unsigned long)state->request.data.uid));
357 return WINBINDD_ERROR;
358 }
359
360 done:
361 sid_to_string(state->response.data.sid.sid, &sid);
362 state->response.data.sid.type = SID_NAME_USER;
363
364 return WINBINDD_OK;
365 }
366
367 /* Convert a gid to a sid */
368
369 enum winbindd_result winbindd_gid_to_sid(struct winbindd_cli_state *state)
370 {
371 DOM_SID sid;
372
373 DEBUG(3, ("[%5lu]: gid to sid %lu\n", (unsigned long)state->pid,
374 (unsigned long)state->request.data.gid));
375
376 if ( (state->request.data.gid < server_state.gid_low)
377 || (state->request.data.gid > server_state.gid_high) )
378 {
379 struct group *grp = NULL;
380 enum SID_NAME_USE type;
381 unid_t id;
382 struct winbindd_domain *domain;
383
384 /* SPECIAL CASE FOR MEMBERS OF SAMBA DOMAINS */
385
386 /* if we don't trust /etc/group then when can't know
387 anything about this gid */
388
389 if ( !lp_winbind_trusted_domains_only() )
390 return WINBINDD_ERROR;
391
392 /* look for an idmap entry first */
393
394 if ( NT_STATUS_IS_OK(idmap_gid_to_sid(&sid, state->request.data.gid)) )
395 goto done;
396
397 /* if users exist in /etc/group, we should try to
398 use that gid. Get the username and the lookup the SID */
399
400 if ( !(grp = getgrgid(state->request.data.gid)) )
401 return WINBINDD_ERROR;
402
403 if ( !(domain = find_our_domain()) ) {
404 DEBUG(0,("winbindd_uid_to_sid: can't find my own domain!\n"));
405 return WINBINDD_ERROR;
406 }
407
408 if ( !winbindd_lookup_sid_by_name(domain, domain->name, grp->gr_name, &sid, &type) )
409 return WINBINDD_ERROR;
410
411 if ( type!=SID_NAME_DOM_GRP && type!=SID_NAME_ALIAS )
412 return WINBINDD_ERROR;
413
414 /* don't fail if we can't store it */
415
416 id.gid = grp->gr_gid;
417 idmap_set_mapping( &sid, id, ID_GROUPID );
418
419 goto done;
420 }
421
422 /* Lookup sid for this uid */
423
424 if (!NT_STATUS_IS_OK(idmap_gid_to_sid(&sid, state->request.data.gid))) {
425 DEBUG(1, ("Could not convert gid %lu to sid\n",
426 (unsigned long)state->request.data.gid));
427 return WINBINDD_ERROR;
428 }
429
430 done:
431 /* Construct sid and return it */
432 sid_to_string(state->response.data.sid.sid, &sid);
433 state->response.data.sid.type = SID_NAME_DOM_GRP;
434
435 return WINBINDD_OK;
436 }
437
438 enum winbindd_result winbindd_allocate_rid(struct winbindd_cli_state *state)
439 {
440 if ( !state->privileged ) {
441 DEBUG(2, ("winbindd_allocate_rid: non-privileged access "
442 "denied!\n"));
443 return WINBINDD_ERROR;
444 }
445
446 /* We tell idmap to always allocate a user RID. There might be a good
447 * reason to keep RID allocation for users to even and groups to
448 * odd. This needs discussion I think. For now only allocate user
449 * rids. */
450
451 if (!NT_STATUS_IS_OK(idmap_allocate_rid(&state->response.data.rid,
452 USER_RID_TYPE)))
453 return WINBINDD_ERROR;
454
455 return WINBINDD_OK;
456 }