s3-rpc_client: move protos to cli_lsarpc.h

[Samba/ekacnet.git] / source3 / auth / server_info_sam.c

/*
   Unix SMB/CIFS implementation.
   Authentication utility functions
   Copyright (C) Andrew Tridgell 1992-1998
   Copyright (C) Andrew Bartlett 2001
   Copyright (C) Jeremy Allison 2000-2001
   Copyright (C) Rafal Szczesniak 2002
   Copyright (C) Volker Lendecke 2006

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

#include "includes.h"
#include "smbd/globals.h"
#include "../libcli/auth/libcli_auth.h"

#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH


/***************************************************************************
 Is the incoming username our own machine account ?
 If so, the connection is almost certainly from winbindd.
***************************************************************************/

static bool is_our_machine_account(const char *username)
{
        bool ret;
        char *truncname = NULL;
        size_t ulen = strlen(username);

        if (ulen == 0 || username[ulen-1] != '$') {
                return false;
        }
        truncname = SMB_STRDUP(username);
        if (!truncname) {
                return false;
        }
        truncname[ulen-1] = '\0';
        ret = strequal(truncname, global_myname());
        SAFE_FREE(truncname);
        return ret;
}

/***************************************************************************
 Make (and fill) a user_info struct from a struct samu
***************************************************************************/

NTSTATUS make_server_info_sam(struct auth_serversupplied_info **server_info,
                              struct samu *sampass)
{
        struct passwd *pwd;
        gid_t *gids;
        struct auth_serversupplied_info *result;
        const char *username = pdb_get_username(sampass);
        NTSTATUS status;

        if ( !(result = make_server_info(NULL)) ) {
                return NT_STATUS_NO_MEMORY;
        }

        if ( !(pwd = getpwnam_alloc(result, username)) ) {
                DEBUG(1, ("User %s in passdb, but getpwnam() fails!\n",
                          pdb_get_username(sampass)));
                TALLOC_FREE(result);
                return NT_STATUS_NO_SUCH_USER;
        }

        result->sam_account = sampass;
        result->unix_name = pwd->pw_name;
        /* Ensure that we keep pwd->pw_name, because we will free pwd below */
        talloc_steal(result, pwd->pw_name);
        result->utok.gid = pwd->pw_gid;
        result->utok.uid = pwd->pw_uid;

        TALLOC_FREE(pwd);

        result->sanitized_username = sanitize_username(result,
                                                       result->unix_name);
        if (result->sanitized_username == NULL) {
                TALLOC_FREE(result);
                return NT_STATUS_NO_MEMORY;
        }

        if (IS_DC && is_our_machine_account(username)) {
                /*
                 * Ensure for a connection from our own
                 * machine account (from winbindd on a DC)
                 * there are no supplementary groups.
                 * Prevents loops in calling gid_to_sid().
                 */
                result->sids = NULL;
                gids = NULL;
                result->num_sids = 0;

                /*
                 * This is a hack of monstrous proportions.
                 * If we know it's winbindd talking to us,
                 * we know we must never recurse into it,
                 * so turn off contacting winbindd for this
                 * entire process. This will get fixed when
                 * winbindd doesn't need to talk to smbd on
                 * a PDC. JRA.
                 */

                (void)winbind_off();

                DEBUG(10, ("make_server_info_sam: our machine account %s "
                        "setting supplementary group list empty and "
                        "turning off winbindd requests.\n",
                        username));
        } else {
                status = pdb_enum_group_memberships(result, sampass,
                                            &result->sids, &gids,
                                            &result->num_sids);

                if (!NT_STATUS_IS_OK(status)) {
                        DEBUG(10, ("pdb_enum_group_memberships failed: %s\n",
                                   nt_errstr(status)));
                        result->sam_account = NULL; /* Don't free on error exit. */
                        TALLOC_FREE(result);
                        return status;
                }
        }

        /* For now we throw away the gids and convert via sid_to_gid
         * later. This needs fixing, but I'd like to get the code straight and
         * simple first. */

        TALLOC_FREE(gids);

        DEBUG(5,("make_server_info_sam: made server info for user %s -> %s\n",
                 pdb_get_username(sampass), result->unix_name));

        *server_info = result;
        /* Ensure that the sampass will be freed with the result */
        talloc_steal(result, sampass);

        return NT_STATUS_OK;
}